use process replacement

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: use process replacement
    namespace: host-interaction/process/inject
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Defense Evasion::Process Injection::Process Hollowing [T1055.012]
      - Defense Evasion::Reflective Code Loading [T1620]
    references:
      - http://www.autosectools.com/process-hollowing.pdf
      - https://www.andreafortuna.org/2017/10/09/understanding-process-hollowing/
    examples:
      - Practical Malware Analysis Lab 12-02.exe_:0x4010EA
  features:
    - and:
      - match: create process suspended
      - match: write process memory
      - match: resume thread

last edited: 2023-11-24 10:34:28