← Techniques

Process Injection: Process Hollowing

Process Write ProcessSegment — Create a new process in suspended state, unmap its legitimate image via NtUnmapViewOfSection, write attacker code into the vacated address space, and resume execution.

Ontological Definition
T1055 parent: ProcessWriteProcessSegment
Actor: Process
Action: Write
Artifact: ProcessSegment
[ constrains process.start_type = Suspended ]

Detect

STP 3

process.start_type is not OCSF native — requires an extension. The practical detection signal is the preceding Launch event with process.start_type = Suspended, but this has a high false-positive rate: JVMs, .NET runtimes, and browser subprocesses all legitimately create suspended processes.

Gate on
activity_id = Inject
process.start_type = Suspended

Detect Launch events with process.start_type = Suspended from actor processes outside known-good paths. Correlate with a subsequent NtUnmapViewOfSection call on the same PID for higher precision. The suspended-state signal precedes the image replacement and is the earliest available indicator.
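As an added example of the correlation described above (not code from this page or from any tool it names), the Python routine below holds a Suspended Launch from an actor outside an assumed allow-list as a pending, low-precision signal and reports a finding only when an NtUnmapViewOfSection event follows on the same PID. The `api_call` field, the allow-list paths, the 30-second window and the sample events are assumptions constructed for illustration.

```python
# Added example: correlate a suspended-start Launch with a later NtUnmapViewOfSection
# on the same PID. Events are constructed; `api_call` and the allow-list are assumptions.
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 12, 0, 0)                 # constructed base time
WINDOW = timedelta(seconds=30)                      # assumed correlation window
KNOWN_GOOD_ACTORS = ("c:\\program files\\java\\",   # assumed allow-list of actors that
                     "c:\\windows\\microsoft.net\\")  # legitimately start children suspended

def _ev(activity, secs, pid, actor_path, target_path, start_type=None, api_call=None):
    """Build a constructed OCSF-shaped Process Activity (1007) record."""
    e = {"class_uid": 1007, "activity_name": activity, "time": T0 + timedelta(seconds=secs),
         "actor": {"process": {"file": {"path": actor_path}}},
         "process": {"pid": pid, "file": {"path": target_path}}}
    if start_type:
        e["process"]["start_type"] = start_type     # not OCSF native: extension field
    if api_call:
        e["api_call"] = api_call                    # assumed field carrying the syscall name
    return e

def _known_good(path):
    return any(path.lower().startswith(p) for p in KNOWN_GOOD_ACTORS)

def find_hollowing_candidates(events):
    """One finding per PID launched Suspended by a non-allow-listed actor and then
    hit by NtUnmapViewOfSection within WINDOW. The Launch alone is kept only as a
    pending, low-precision signal; the unmap on the same PID confirms it."""
    pending, findings = {}, []                      # pid -> suspended Launch event
    for ev in sorted(events, key=lambda e: e["time"]):
        pid = ev["process"]["pid"]
        if ev["activity_name"] == "Launch" and ev["process"].get("start_type") == "Suspended":
            if not _known_good(ev["actor"]["process"]["file"]["path"]):
                pending[pid] = ev
        elif ev["activity_name"] == "Inject" and ev.get("api_call") == "NtUnmapViewOfSection":
            launch = pending.pop(pid, None)
            if launch and ev["time"] - launch["time"] <= WINDOW:
                findings.append({"pid": pid, "target": ev["process"]["file"]["path"],
                                 "actor": launch["actor"]["process"]["file"]["path"]})
    return findings

SAMPLE_EVENTS = [  # constructed: a JVM false positive, one hollowing sequence, one lone Launch
    _ev("Launch", 0, 4400, "C:\\Program Files\\Java\\bin\\java.exe", "C:\\Windows\\System32\\conhost.exe", "Suspended"),
    _ev("Launch", 1, 5120, "C:\\Users\\Public\\dropper.exe", "C:\\Windows\\System32\\svchost.exe", "Suspended"),
    _ev("Inject", 2, 5120, "C:\\Users\\Public\\dropper.exe", "C:\\Windows\\System32\\svchost.exe",
        api_call="NtUnmapViewOfSection"),
    _ev("Launch", 5, 6000, "C:\\Users\\Public\\dropper.exe", "C:\\Windows\\System32\\notepad.exe", "Suspended"),
]

if __name__ == "__main__":
    print(find_hollowing_candidates(SAMPLE_EVENTS))   # one finding: pid 5120 hollowed by dropper.exe
```

The lone Launch for pid 6000 and the JVM-created pid 4400 produce no finding, which is the false-positive reduction the correlation buys over the Launch signal alone.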

Mitigate

STP 5

Arbitrary Code Guard (ACG) and Code Integrity Guard (CIG) prevent writing executable code into the vacated address space — the central artifact modification regardless of whether the target is a suspended or running process.

Enable ACG and CIG. These controls block the write step; the mitigation is identical in structure to other T1055 variants.

Respond

Controlled

The target process now executes attacker-controlled code. Kill the injector process and the compromised target immediately. Investigate all files, network connections, and child processes they spawned.

Attacker foothold: Hollowing Process (actor.process)
Compromised by this technique: Hollowed Process (process)
D3FEND response actions: d3f:ProcessTermination, d3f:NetworkIsolation
OCSF event model

Event class: Process Activity (1007)  ·  activity_id: Inject

Legend: attacker-controlled · post-success · victim · tainted
%%{init: {"theme": "dark", "themeVariables": {"edgeLabelBackground": "#18181b", "lineColor": "#52525b"}}}%%
graph TD
  classDef attacker fill:#7c2d12,stroke:#ea580c,color:#fed7aa
  classDef victim fill:#1e3a5f,stroke:#3b82f6,color:#bfdbfe
  classDef postSuccess fill:#78350f,stroke:#d97706,color:#fde68a
  classDef tainted fill:#18181b,stroke:#52525b,color:#a1a1aa

  EVENT(["Process Activity\n· Inject"])

  actor_process["Hollowing Process\nactor.process\nd3f:Process"]:::attacker
  target_process["Hollowed Process\nprocess\nd3f:Process"]:::postSuccess
  device["Host\ndevice\nd3f:Host\n⚠ tainted"]:::tainted

  EVENT --> actor_process
  EVENT --> target_process
  EVENT --> device

  actor_process -.->|"hollows"| target_process
Hollowing Process (actor.process · d3f:Process): attacker-controlled
  actor.process.file.path: attacker_controlled (hollowing tool path, attacker-chosen)
  Countermeasures: d3f:ProcessTermination

Hollowed Process (process · d3f:Process): post-success
  process.pid: variable (target process identifier, OS-assigned)
  process.start_type: invariant, = Suspended
  Countermeasures: d3f:ProcessTermination

Host (device · d3f:Host): tainted
  Countermeasures: d3f:NetworkIsolation
Definitional Sigma rule

Broad by design — defines the technique, not an operational alert. Gate on variable or attacker-controlled field conditions to narrow for production use.

title: Process Injection: Process Hollowing (T1055.012)
status: experimental
description: >
  Definitional rule — broad by design. Defines the technique independent of
  medium, tool, or attacker-controlled variables. Narrow with variable and
  attacker-controlled field conditions for operational use.
logsource:
  product: ocsf
  category: Process Activity (1007)
detection:
  selection:
    activity_id: 'Inject'
    process.start_type: 'Suspended'
  condition: selection