cti/enterprise-attack/attack-pattern/attack-pattern--1c338d0f-a65e-4073-a5c1-c06878849f21.json

{
    "type": "bundle",
    "id": "bundle--4f662559-2fd0-4819-bc7a-cc2ef5cc7dc6",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "attack-pattern",
            "id": "attack-pattern--1c338d0f-a65e-4073-a5c1-c06878849f21",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "created": "2017-05-31T21:31:09.815Z",
            "modified": "2018-01-17T12:56:55.080Z",
            "name": "Process Hollowing",
            "description": "Process hollowing occurs when a process is created in a suspended state then its memory is unmapped and replaced with malicious code. Similar to Process Injection, execution of the malicious code is masked under a legitimate process and may evade defenses and detection analysis. (Citation: Leitch Hollowing) (Citation: Engame Process Injection July 2017)\n\nDetection: Monitoring API calls may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. API calls that unmap process memory, such as ZwUnmapViewOfSection or NtUnmapViewOfSection, and those that can be used to modify memory within another process, such as WriteProcessMemory, may be used for this technique. (Citation: Engame Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.\n\nPlatforms: Windows\n\nData Sources: Process monitoring, API monitoring\n\nDefense Bypassed: Process whitelisting, Anti-virus, Whitelisting by file name or path, Signature-based detection\n\nPermissions Required: User",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "defense-evasion"
                }
            ],
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/wiki/Technique/T1093",
                    "external_id": "T1093"
                },
                {
                    "source_name": "Leitch Hollowing",
                    "description": "Leitch, J. (n.d.). Process Hollowing. Retrieved November 12, 2014.",
                    "url": "http://www.autosectools.com/process-hollowing.pdf"
                },
                {
                    "source_name": "Engame Process Injection July 2017",
                    "description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.",
                    "url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "x_mitre_data_sources": [
                "Process monitoring",
                "API monitoring"
            ],
            "x_mitre_defense_bypassed": [
                "Process whitelisting",
                "Anti-virus",
                "Whitelisting by file name or path",
                "Signature-based detection"
            ],
            "x_mitre_permissions_required": [
                "User"
            ],
            "x_mitre_platforms": [
                "Windows"
            ]
        }
    ]
}