Process hollowing is a technique where a legitimate process is started and then its memory is replaced or modified so attacker-controlled code runs under the trusted process identity. It matters because defenders often trust process names and parentage more than they should, which makes process abuse a powerful stealth technique.
What is Process Hollowing?
This technique helps malware hide execution under legitimate-looking process context, complicating static signatures and simple allow rules. It is a common example of post-exploitation stealth and process injection tradecraft.
What Process Hollowing Commonly Supports
Understanding process hollowing commonly supports malware analysis, EDR detection tuning, endpoint threat hunting, and the study of stealth techniques.
Process Hollowing vs. Ordinary Legitimate Process Execution
Process hollowing uses a legitimate process container for malicious code. Ordinary execution runs the code that process was actually meant to run.
Frequently Asked Questions
Why is process hollowing effective?
Because it can make malicious activity appear to come from a well-known trusted executable.
What helps detect it?
Memory analysis, process behavior telemetry, image-load anomalies, and injection-focused EDR signals all help.
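Two of the signals named above can be turned into concrete checks. The script below is an added example, not code from the original page: it runs a behavioural-sequence heuristic over constructed API telemetry (a process created suspended, then written to and given a new thread context by its creator before being resumed) and a memory-layout check over a constructed process snapshot (the PEB image base should sit inside a file-backed image mapping of the process's own executable, not in private memory). The record layouts and field names are assumptions, not any vendor's schema, and the sample data is constructed for the demonstration.

```python
"""Defensive detection heuristics for process hollowing (added example).

Both data models below are assumptions that loosely mirror what an EDR
(API call telemetry) or a memory-forensics tool (region map, PEB fields)
would expose; they are not a real product's schema.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ApiEvent:
    pid: int                # process making the call
    target_pid: int         # process the call acts on
    api: str                # e.g. "CreateProcess", "WriteProcessMemory"
    suspended: bool = False # only meaningful for CreateProcess


@dataclass
class Region:
    base: int
    size: int
    kind: str                    # "IMAGE" or "PRIVATE" (cf. MEM_IMAGE / MEM_PRIVATE)
    protect: str                 # e.g. "PAGE_EXECUTE_READWRITE"
    mapped_path: Optional[str]   # backing file for image mappings, else None


@dataclass
class ProcessSnapshot:
    pid: int
    image_path: str        # path the OS reports for the process
    peb_image_base: int    # ImageBaseAddress from the PEB
    regions: List[Region]


# Heuristic 1: creator writes memory and rewrites thread context of a
# child it started suspended, then resumes it. Unmapping the original
# image is optional in some variants, so it is not required here.
REQUIRED_AFTER_SUSPEND = ("WriteProcessMemory", "SetThreadContext")


def find_hollowing_sequences(events: List[ApiEvent]) -> List[Tuple[int, int]]:
    """Return (creator_pid, target_pid) pairs matching the hollowing sequence."""
    creator_of = {}     # target_pid -> pid that created it suspended
    observed = {}       # target_pid -> apis the creator called on it since
    hits = []
    for ev in events:
        if ev.api == "CreateProcess" and ev.suspended:
            creator_of[ev.target_pid] = ev.pid
            observed[ev.target_pid] = []
        elif ev.target_pid in creator_of and ev.pid == creator_of[ev.target_pid]:
            observed[ev.target_pid].append(ev.api)
            if ev.api == "ResumeThread":
                if all(a in observed[ev.target_pid] for a in REQUIRED_AFTER_SUSPEND):
                    hits.append((ev.pid, ev.target_pid))
                # sequence is complete either way; stop tracking this child
                del creator_of[ev.target_pid]
    return hits


# Heuristic 2: the image base recorded in the PEB should lie in a
# file-backed image mapping of the process's own executable.
def check_image_base(snap: ProcessSnapshot) -> Optional[str]:
    """Return a finding code, or None when the layout looks normal."""
    for r in snap.regions:
        if r.base <= snap.peb_image_base < r.base + r.size:
            if r.kind != "IMAGE":
                return "unbacked_image_base"      # private memory where the image should be
            if r.mapped_path and r.mapped_path.lower() != snap.image_path.lower():
                return "image_path_mismatch"      # backed by a different file
            return None
    return "no_region_at_image_base"


# Constructed sample telemetry: pid 4321 hollows child 5555; pid 100 starts
# child 200 suspended (as a debugger might) but never writes to it.
SAMPLE_EVENTS = [
    ApiEvent(4321, 5555, "CreateProcess", suspended=True),
    ApiEvent(4321, 5555, "NtUnmapViewOfSection"),
    ApiEvent(4321, 5555, "WriteProcessMemory"),
    ApiEvent(4321, 5555, "SetThreadContext"),
    ApiEvent(4321, 5555, "ResumeThread"),
    ApiEvent(100, 200, "CreateProcess", suspended=True),
    ApiEvent(100, 200, "ResumeThread"),
]

# Constructed snapshots: a normally loaded process and a hollowed one.
BENIGN = ProcessSnapshot(
    pid=200, image_path=r"C:\Windows\System32\notepad.exe", peb_image_base=0x7FF600000000,
    regions=[Region(0x7FF600000000, 0x40000, "IMAGE", "PAGE_EXECUTE_READ",
                    r"C:\Windows\System32\notepad.exe")])
HOLLOWED = ProcessSnapshot(
    pid=5555, image_path=r"C:\Windows\System32\svchost.exe", peb_image_base=0x400000,
    regions=[Region(0x400000, 0x30000, "PRIVATE", "PAGE_EXECUTE_READWRITE", None)])


if __name__ == "__main__":
    print("sequence hits:", find_hollowing_sequences(SAMPLE_EVENTS))
    for snap in (BENIGN, HOLLOWED):
        print(f"pid {snap.pid}:", check_image_base(snap) or "ok")
```

The two checks complement each other: the sequence heuristic needs live API telemetry and catches the act, while the memory check works on a snapshot after the fact and does not depend on which exact API variant was used. Neither is conclusive alone (debuggers and some installers also create suspended children), so in practice both feed a score alongside the other signals listed above.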