Process Hollowing

​On average, AV/EDR is doing a good job at catching this type of injection. In this video, we first hollowed with OpenThread, SuspendThread, VirtualAllocEx, WriteProcessMemory, and ResumeThread which was swiftly dealt wit by Defender for Endpoint. However, our automation distilled another prevalent API signature for hollowing that was used later in the video and ran undetected. Our automation creates these signatures by looking over millions of lines of malicious code and graphing relationships between files, functions, processes, libraries and social contexts. A detailed look at these process hollowing techniques and a look at the signature we distilled to find advanced Cobalt Strike tradecraft, will be published in our first-ever Cyber Mongol CTI report.  Get a hold of us to find out more.