Detects process hollowing (T1055.012) by analyzing memory mapped sections, hollowing indicators, and EDR telemetry for parent-child process anomalies. Useful for threat hunting fileless malware in Windows environments.
- When investigating suspected fileless malware or memory-resident threats
Detects and analyzes malware process injection techniques like DLL injection, process hollowing, APC injection, thread hijacking using Volatility memory forensics, Sysmon events, and API monitoring.
| Concept | Description |
|---|---|
| T1055.012 | Process Injection: Process Hollowing |
| T1055 | Process Injection (parent technique) |
| T1055.001 | DLL Injection |
| T1055.003 | Thread Execution Hijacking |
| T1055.004 | Asynchronous Procedure Call |
| CREATE_SUSPENDED | Windows flag that creates a process in a suspended state |
| NtUnmapViewOfSection | API that unmaps a memory section from a process |
| WriteProcessMemory | API that writes data into another process's memory |
| ResumeThread | API that resumes a suspended thread |
| Image mismatch | The process's in-memory contents differ from the binary on disk |
| Process Doppelgänging | Related technique that uses NTFS transactions (T1055.013) |

| Tool | Purpose |
|---|---|
| CrowdStrike Falcon | Memory protection and hollowing detection |
| Microsoft Defender for Endpoint | ProcessTampering alerts |
| Sysmon v13+ | Event ID 25 ProcessTampering detection |
| Volatility | Memory forensics: malfind plugin |
| pe-sieve | Scans the memory of hollowed processes |
| Hollows Hunter | Automated detection of hollowed processes |
| Process Hacker | Real-time process memory inspection |
| API Monitor | Monitors NtUnmapViewOfSection calls |
Hunt ID: TH-HOLLOW-[DATE]-[SEQ]
Technique: T1055.012
Hollowed Process: [process name and PID]
Original Binary: [expected path on disk]
Parent Process: [parent process name and PID]
Memory Mismatch: [Yes/No]
Suspicious APIs: [NtUnmapViewOfSection, WriteProcessMemory, etc.]
Network Activity: [C2 connection, if any]
Host: [hostname]
User: [account context]
Risk Level: [Critical/High/Medium/Low]
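The following is an added example, not part of the original skill or any of the tools listed above. It turns the concept table and the hunt record template into a small detection pass: it scores constructed EDR-style process events on the indicators named here (CREATE_SUSPENDED at creation, the NtUnmapViewOfSection / WriteProcessMemory / ResumeThread call chain, a Sysmon Event ID 25 ProcessTampering signal, an unexpected parent, and outbound network activity) and renders a matching hunt record. The `ProcessEvent` fields, the `EXPECTED_PARENT` baseline and the risk thresholds are assumptions chosen for illustration; a real hunt would take them from the environment's telemetry schema and its own process baseline.

```python
"""Score constructed EDR telemetry for process hollowing (T1055.012) indicators
and render a hunt record in the TH-HOLLOW template format. Example code only."""
from dataclasses import dataclass, field
from typing import List, Tuple

CREATE_SUSPENDED = 0x00000004  # documented CreateProcess dwCreationFlags value

# Hollowing call chain from the concept table: unmap the original image,
# write the replacement, resume the suspended main thread.
HOLLOW_API_CHAIN = ("NtUnmapViewOfSection", "WriteProcessMemory", "ResumeThread")

# Assumed parent baseline (constructed); a real hunt uses the environment's own.
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "explorer.exe": {"userinit.exe", "winlogon.exe"},
}

RISK_LEVELS = ("Critical", "High", "Medium", "Low")


@dataclass
class ProcessEvent:
    """Assumed EDR record shape for one process (constructed for this example)."""
    host: str
    user: str
    pid: int
    image: str                 # image file name
    image_path: str            # path of the binary on disk
    parent_pid: int
    parent_image: str
    create_flags: int = 0      # dwCreationFlags seen at process creation
    api_calls: List[str] = field(default_factory=list)  # calls by the parent against this pid
    sysmon_tampering: bool = False  # Sysmon Event ID 25 ProcessTampering observed
    network: List[str] = field(default_factory=list)    # outbound connections


def api_chain_present(calls: List[str]) -> bool:
    """True if the hollowing chain appears in order; unrelated calls may be interleaved."""
    it = iter(calls)
    return all(any(call == wanted for call in it) for wanted in HOLLOW_API_CHAIN)


def hunt(ev: ProcessEvent) -> Tuple[List[str], str]:
    """Return the indicators found for one event and the resulting risk level."""
    strong, weak = [], []
    if ev.sysmon_tampering:
        strong.append("Sysmon Event ID 25 ProcessTampering (image mismatch)")
    if api_chain_present(ev.api_calls):
        strong.append(" -> ".join(HOLLOW_API_CHAIN))
    if ev.create_flags & CREATE_SUSPENDED:
        weak.append("created with CREATE_SUSPENDED")
    expected = EXPECTED_PARENT.get(ev.image.lower())
    if expected and ev.parent_image.lower() not in expected:
        weak.append(f"unexpected parent {ev.parent_image}")
    if ev.network:
        weak.append("outbound network activity")

    # Assumed thresholds: two strong indicators together are the hollowing signature.
    if len(strong) == 2:
        risk = "Critical"
    elif len(strong) == 1 and weak:
        risk = "High"
    elif len(strong) == 1 or len(weak) >= 2:
        risk = "Medium"
    else:
        risk = "Low"
    return strong + weak, risk


def render_report(ev: ProcessEvent, date: str, seq: int) -> str:
    """Fill the TH-HOLLOW hunt record template from one scored event."""
    indicators, risk = hunt(ev)
    apis = [c for c in ev.api_calls if c in HOLLOW_API_CHAIN] or ["none observed"]
    lines = [
        f"Hunt ID: TH-HOLLOW-{date}-{seq:03d}",
        "Technique: T1055.012",
        f"Hollowed Process: {ev.image} (PID {ev.pid})",
        f"Original Binary: {ev.image_path}",
        f"Parent Process: {ev.parent_image} (PID {ev.parent_pid})",
        f"Memory Mismatch: {'Yes' if ev.sysmon_tampering else 'No'}",
        f"Suspicious APIs: {', '.join(apis)}",
        f"Network Activity: {', '.join(ev.network) or 'none'}",
        f"Host: {ev.host}",
        f"User: {ev.user}",
        f"Risk Level: {risk}",
        f"Indicators: {'; '.join(indicators) or 'none'}",
    ]
    return "\n".join(lines)


# Constructed sample telemetry: one hollowed svchost and one benign svchost.
HOLLOWED = ProcessEvent(
    host="WS-042", user="CORP\\jdoe", pid=4120, image="svchost.exe",
    image_path=r"C:\Windows\System32\svchost.exe", parent_pid=3988,
    parent_image="updater.exe", create_flags=CREATE_SUSPENDED,
    api_calls=["NtUnmapViewOfSection", "VirtualAllocEx", "WriteProcessMemory",
               "SetThreadContext", "ResumeThread"],
    sysmon_tampering=True, network=["198.51.100.7:443"],
)
BENIGN = ProcessEvent(
    host="WS-042", user="NT AUTHORITY\\SYSTEM", pid=1204, image="svchost.exe",
    image_path=r"C:\Windows\System32\svchost.exe", parent_pid=700,
    parent_image="services.exe",
)

if __name__ == "__main__":
    print(render_report(HOLLOWED, "2024-01-01", 1))
```

Run it as-is to see the filled-in record for the constructed hollowed event; in practice the `ProcessEvent` list would be built from exported EDR or Sysmon records and every event rated Medium or above would get its own hunt record.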