Process Hollowing

Process hollowing is a sophisticated and stealthy technique employed by attackers to inject malicious code into legitimate processes, thereby inheriting their privileges and attributes. This method is particularly effective for evading detection and escalating privileges on a compromised system. The following overview provides a detailed breakdown of how process hollowing is executed, its implications for privilege escalation, and how it can be detected.

Steps Involved

Process Creation in a Suspended State: Attackers initiate a process by creating a new process in a suspended state using Windows API calls like CreateProcess with the CREATE_SUSPENDED flag. This flag ensures that the primary thread of the process is suspended immediately after creation. This allows the process to be loaded into memory without starting its execution, providing a window for the attacker to manipulate the process's memory without interference from the process's normal operations.

Unmapping the Original Code: The attacker then "hollows out" the process by unmapping its legitimate code sections from memory. This is done using API calls such as NtUnmapViewOfSection to free up the process's memory space. This step effectively empties the process, leaving behind a shell that retains the original process's attributes, such as its file path, creation time, and security context.

Injecting Malicious Code: With the memory space cleared, the attacker injects their malicious code into the process. This is achieved using API calls like VirtualAllocEx to allocate memory within the target process, WriteProcessMemory to write the malicious code into the allocated memory, and SetThreadContext to realign the process's execution context to point to the malicious code. The injected code can serve various malicious purposes, including data theft, additional malware installation, or establishing persistence.

Resuming Execution: The final step involves resuming the execution of the hollowed process using the ResumeThread API call. The process now runs the attacker's code but with the original process's privileges and attributes, effectively masking the malicious activity under the guise of a legitimate process.

Implications for Privilege Escalation

Inheriting Privileges: One of the key advantages of process hollowing is that the malicious code inherits the privileges of the original process. If the original process had elevated privileges (such as SYSTEM or administrator), the attacker's code gains these privileges as well. For example, an attacker with low user privileges could exploit process hollowing on a high-privilege service like svchost.exe to gain SYSTEM-level control over the system. This allows the attacker to perform actions that would otherwise be restricted, such as modifying system files, changing security settings, or installing additional malware.

Stealth and Persistence: Running the malicious code within a legitimate process provides a significant level of stealth. Traditional signature-based detection methods may fail to identify the malicious activity because it is masked under a legitimate process. This makes it more challenging for security products to detect and remove the malicious code, thereby increasing the attacker's chances of maintaining persistence on the compromised system. The attacker can also use this method to evade behavioral detection mechanisms, as the malicious activity appears to originate from a trusted process.

Challenges

Detection by Advanced Security Solutions: While process hollowing can evade traditional signature-based detection, advanced security solutions that use behavioral analysis and heuristic techniques may still detect anomalies associated with process hollowing. For example, monitoring for unusual API call sequences or changes in process memory can help identify hollowed processes. Endpoint Detection and Response (EDR) solutions and advanced threat detection platforms can provide visibility into process creation, memory manipulation, and other indicators of process hollowing.

Indicators of Compromise

Suspicious Process Creation: Detecting processes created in a suspended state using the CREATE_SUSPENDED flag is crucial since legitimate use cases for this are rare. Frequent occurrences of such events can be a red flag. Additionally, unusual parent-child relationships, such as a low-privilege process creating a high-privilege process, should be closely monitored. These relationships often indicate an attempt to escalate privileges through process hollowing.

Memory Manipulation: The use of APIs like NtUnmapViewOfSection to unmap memory in a process is a critical indicator. Legitimate applications rarely need to unmap and remap large sections of memory, so detecting such activity can signal a potential process hollowing attempt. Monitoring for calls to VirtualAllocEx and WriteProcessMemory targeting processes that do not typically perform such operations is also essential. These calls are often used to allocate memory and write malicious code into the hollowed process.

Thread Context Manipulation: Detecting calls to SetThreadContext, used to change the execution context of a thread, is crucial. This is often used to point the Instruction Pointer (IP) to the injected malicious code. Monitoring for ResumeThread calls, especially following the aforementioned suspicious activities, can further help identify process hollowing attempts. These activities typically follow the sequence of unmapping memory, allocating new memory, and writing malicious code.

Code Injection: Looking for execution of code in memory regions that are typically non-executable or have been recently allocated and written to is a strong indicator of process hollowing. Anomalies in process behavior, such as unexpected network connections, file access patterns, or unusual CPU/memory usage, can also signal code injection. These behaviors are often inconsistent with the process's legitimate function.

API Call Sequences: The sequence of API calls like CreateProcess, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, and ResumeThread occurring in a short time frame is highly indicative of process hollowing. Monitoring and analyzing these sequences can provide early warnings of an attack. Suspicious combinations of these calls should be flagged for further investigation.

Behavioral Analysis: Using behavioral analysis tools to detect deviations from normal process behavior is essential. For example, a process that typically performs only specific tasks suddenly performing memory manipulations or thread context changes should be scrutinized. Implementing heuristic-based detection mechanisms to identify patterns of behavior consistent with process hollowing can also enhance detection capabilities.

File and Registry Monitoring: Monitoring for unexpected modifications to executable files, especially those located in system directories, can help detect process hollowing. Registry changes, particularly those associated with process execution and startup, should also be monitored. Attackers may modify these keys to maintain persistence, allowing the hollowed process to run on system startup.

Privilege Escalation Attempts: Identifying processes that suddenly gain elevated privileges without a clear legitimate reason is crucial. This can be done by monitoring access tokens and privilege levels of processes. Such anomalies often indicate an attempt to escalate privileges through process hollowing.

Network Anomalies: Monitoring for unexpected network activity originating from processes that have been hollowed is essential. This includes unusual outbound connections, data exfiltration attempts, or communication with known malicious IP addresses. Analyzing network traffic patterns and payloads can help identify anomalous behavior indicative of process hollowing.

Log Analysis

Analyzing Windows Event Logs for signs of suspicious process creation, memory manipulation, and thread context changes is crucial. Windows Event Logs provide a detailed and chronological record of system activities, which can be invaluable for detecting anomalies indicative of process hollowing. By closely examining these logs, security teams can identify patterns and specific events that signal potential malicious activities.

Event ID 4688: A New Process Has Been Created

One of the key event IDs to monitor is Event ID 4688, which indicates that a new process has been created. This event log entry provides details such as the name of the process, its process ID, the parent process, and the user account that initiated the process. Anomalies such as unusual parent-child process relationships, processes created with uncommon command-line arguments, or processes created by non-standard user accounts can be indicative of process hollowing attempts.

Event ID 7045: A Service Was Installed in the System

Another critical event ID to monitor is Event ID 7045, which logs the installation of new services on the system. This event is particularly important because attackers may install malicious services to maintain persistence or execute malicious code under the guise of legitimate system services. By tracking these events, security teams can detect unauthorized service installations that may be part of a process hollowing attack.

Event IDs 7034 and 7035: Service Control Events

Event IDs 7034 and 7035 log service control events, such as the unexpected termination or start of services. Monitoring these events is crucial because attackers may manipulate high-privilege services to gain or maintain elevated access to the system. For instance, if a legitimate service unexpectedly terminates and is immediately followed by the creation of a new, similarly named service, this could indicate that the original service was hollowed and replaced with a malicious version.

Conclusion

Process hollowing is a powerful technique for privilege escalation due to its ability to inherit the privileges of a legitimate process and evade detection. By creating a process in a suspended state, unmapping its memory, injecting malicious code, and resuming execution, attackers can effectively escalate their privileges and maintain a stealthy presence on the system. This method underscores the importance of advanced detection mechanisms that can identify such sophisticated attacks and highlights the need for continuous monitoring and analysis of process behaviors on endpoints.