Process Hollowing
Process Hollowing is a malware execution technique in which attackers create a legitimate process in a suspended state and replace its memory with malicious code. Once the malicious payload is written into the process memory, the process is resumed, causing the system to execute the attacker’s code under the identity of a trusted application.
Because the process appears legitimate to the operating system and many security tools, this technique is widely used to evade traditional detection mechanisms. Process hollowing is frequently observed in modern malware families, loaders, and advanced intrusion campaigns.
Security teams often identify this behavior when analyzing telemetry collected from endpoint monitoring platforms such as Endpoint Detection and Response (EDR) systems.
How Process Hollowing Works
Process hollowing manipulates a legitimate executable by replacing its code with malicious instructions. The technique typically proceeds through several stages; a simplified workflow looks like this:
- launching a legitimate executable in a suspended state
- removing the original executable code from memory
- allocating memory within the process
- injecting malicious payload code
- resuming the process to execute the injected code
Once the process resumes execution, the malicious code runs while appearing to originate from the trusted process.
Why Attackers Use Process Hollowing
Process hollowing provides several advantages for attackers attempting to remain hidden inside compromised systems.
Key benefits include:
- executing malicious code within trusted system processes
- bypassing file-based malware detection mechanisms
- blending attacker activity into legitimate system behavior
- inheriting the privileges of the target process
These advantages make the technique particularly useful for attackers attempting to maintain persistence during an attack chain.
Process Hollowing vs Process Injection
Process hollowing is closely related to Process Injection, but the two techniques differ in how the target process is manipulated.
| Technique | Description |
|---|---|
| Process Injection | Injects malicious code into an already running process |
| Process Hollowing | Starts a legitimate process and replaces its memory with malicious code |
Both techniques aim to conceal malicious activity within trusted system processes.
Common Target Processes
Attackers typically choose processes that appear normal within the operating system environment. By hiding malicious code within these processes, the attacker reduces the likelihood of detection.
Common targets include:
- system service executables
- trusted Windows utilities
- frequently running user applications
- background service processes
Because these processes are expected to run on most systems, malicious activity associated with them may initially appear benign.
Detecting Process Hollowing
Although process hollowing attempts to hide malicious activity, behavioral detection systems can identify suspicious signals associated with this technique.
Security monitoring systems may detect:
- processes created in a suspended state
- unexpected memory manipulation within a process
- abnormal execution flow changes
- suspicious parent-child process relationships
These behaviors may represent Indicators of Attack that reveal an intrusion attempt.
Platforms such as Endpoint Detection and Response (EDR) and centralized monitoring systems such as Security Information and Event Management (SIEM) often analyze these signals.
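As an added illustration (not code from the original article or from any particular EDR product), the following Python sketch shows how the signals listed above, and the stages from the workflow section, could be correlated in EDR-style telemetry. The event format, the field names and the sample events are constructed for this example; the API names are the documented Windows calls that endpoint sensors commonly attribute to each stage, and the thresholds are assumptions a real rule would tune.

```python
"""Toy correlation rule: flag a process-hollowing pattern in constructed EDR telemetry."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CREATE_SUSPENDED = 0x00000004  # documented Windows process-creation flag

# Map each stage of the hollowing workflow to the API calls a sensor would record.
# Assumption: the sensor attributes cross-process calls to (source_pid, target_pid).
STAGE_APIS: Dict[str, set] = {
    "suspended_create": {"CreateProcessW", "CreateProcessA"},
    "unmap_original": {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
    "allocate_memory": {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    "write_payload": {"WriteProcessMemory", "NtWriteVirtualMemory"},
    "redirect_thread": {"SetThreadContext", "NtSetContextThread"},
    "resume": {"ResumeThread", "NtResumeThread"},
}
STAGE_ORDER = list(STAGE_APIS)

# Stages that together justify a hollowing verdict: suspended start, a cross-process
# write, and a resume afterwards. Unmap/allocate strengthen the verdict but some
# variants skip them, so they are not required (tuning assumption).
REQUIRED = ("suspended_create", "write_payload", "resume")


@dataclass
class Event:
    ts: int                     # monotonically increasing sequence number
    source_pid: int             # process that made the call
    api: str                    # API name as recorded by the sensor
    target_pid: int             # process the call acted on (child pid for creates)
    details: dict = field(default_factory=dict)


@dataclass
class Finding:
    source_pid: int
    target_pid: int
    stages: List[str]           # stages observed, in the order they were seen
    verdict: str


def _stage_for(ev: Event) -> Optional[str]:
    """Return the hollowing stage an event corresponds to, or None."""
    for stage, apis in STAGE_APIS.items():
        if ev.api in apis:
            # A plain (non-suspended) process creation is not a hollowing signal.
            if stage == "suspended_create" and not (ev.details.get("flags", 0) & CREATE_SUSPENDED):
                return None
            return stage
    return None


def analyze(events: List[Event]) -> Dict[Tuple[int, int], Finding]:
    """Group events by (source, target) pair and decide whether the hollowing pattern is present."""
    by_pair: Dict[Tuple[int, int], List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_pair.setdefault((ev.source_pid, ev.target_pid), []).append(ev)

    findings: Dict[Tuple[int, int], Finding] = {}
    for (src, dst), evs in by_pair.items():
        seen: List[str] = []
        for ev in evs:
            stage = _stage_for(ev)
            if stage and stage not in seen:
                seen.append(stage)
        # The stages must occur in workflow order: a write after the resume is a
        # different pattern and must not be credited as hollowing.
        ordered = seen == sorted(seen, key=STAGE_ORDER.index)
        if ordered and all(s in seen for s in REQUIRED):
            verdict = "process_hollowing"
        elif "suspended_create" in seen:
            verdict = "suspended_create_only"   # legitimate launchers do this too
        else:
            verdict = "no_hollowing_pattern"
        findings[(src, dst)] = Finding(src, dst, seen, verdict)
    return findings


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # Benign launcher: starts a child suspended and simply resumes it.
    Event(1, 400, "CreateProcessW", 500, {"image": "C:\\Windows\\System32\\notepad.exe", "flags": CREATE_SUSPENDED}),
    Event(2, 400, "ResumeThread", 500),
    # Hollowing pattern: suspended start, unmap, allocate, write, redirect, resume.
    Event(10, 1000, "CreateProcessW", 1200, {"image": "C:\\Windows\\System32\\notepad.exe", "flags": CREATE_SUSPENDED}),
    Event(11, 1000, "NtUnmapViewOfSection", 1200),
    Event(12, 1000, "VirtualAllocEx", 1200, {"protect": "PAGE_EXECUTE_READWRITE"}),
    Event(13, 1000, "WriteProcessMemory", 1200, {"size": 204800}),
    Event(14, 1000, "SetThreadContext", 1200),
    Event(15, 1000, "ResumeThread", 1200),
]

if __name__ == "__main__":
    for pair, f in analyze(SAMPLE_EVENTS).items():
        print(pair, f.verdict, f.stages)
```

The benign pair (400, 500) is reported as `suspended_create_only`, which is the right outcome: a suspended start on its own is common in legitimate launchers and debuggers, and a rule that alerts on it alone would be noisy. The verdict only becomes `process_hollowing` when the suspended start is followed, in order, by a cross-process write and a resume from the same source process. In a production rule the parent-child relationship and the image path of the target would be added as further scoring inputs.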
Process Hollowing in Modern Malware
Many modern malware families rely on process hollowing to conceal their payloads. Instead of launching a clearly malicious executable, attackers hide their code inside trusted applications.
This technique is often used together with other stealth mechanisms such as Living-off-the-Land Binaries (LOLBins) or encrypted command channels.
These combinations allow attackers to maintain persistence while minimizing forensic evidence.
Process Hollowing and Threat Hunting
Security analysts conducting Threat Hunting investigations often search for abnormal process behavior that may indicate hollowing activity.
By analyzing endpoint telemetry, investigators can identify patterns that reveal memory manipulation or suspicious execution sequences.
Early detection of these signals helps defenders disrupt attacker operations before they escalate privileges or attempt to exfiltrate sensitive data.
Security Implications
Process hollowing remains a common malware execution technique because it allows attackers to hide malicious code within legitimate processes. This behavior complicates traditional detection strategies that rely on identifying suspicious files.
Organizations that deploy behavioral monitoring tools and maintain strong endpoint visibility are better positioned to detect suspicious memory activity and identify intrusions that rely on stealth techniques such as process hollowing.