Azure Sentinel: Process Hollowing (T1055.012) Analysis
In this article, we are going to explore a technique called Process Hollowing.
Before jumping into the detection part, it is essential to explore some important terminologies.
According to MITRE:
"Process hollowing (T1055.012) is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which includes a flag to suspend the process's primary thread. At this point the process can be unmapped using API calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively."
To learn more about process hollowing, I highly recommend this piece from Elastic: https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
This technique is widely used by adversaries such as Duqu and TrickBot. For a deeper look at building process injection detections, see the following series:
- Engineering Process Injection Detections - Part 1: Research
- Engineering Process Injection Detections - Part 2: Data Modeling
- Engineering Process Injection Detections - Part 3: Analytic Logic
For the detection we are going to use Azure Sentinel and Sysmon. Sysmon can be downloaded from here:
To install it, run the following command as an administrator:
sysmon.exe -accepteula -i <CONFIG_FILE_HERE>
You can use the following config file by ION-STORM:
To explore Sysmon events, use Windows Event Viewer: Applications and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational
To send Sysmon events to Azure Sentinel, deploy a new connector (Security Events) to start collecting Windows Event logs.
Install the agent.
Now go to Settings -> Workspace Settings -> Advanced settings -> Data -> Windows Event Logs and add the following event log name: Microsoft-Windows-Sysmon/Operational
To check the events go to Azure Sentinel Logs section and run the following query:
Event | where Source == "Microsoft-Windows-Sysmon"
As you will notice, the EventData fields are not parsed and filtered. Thus, it is recommended to use one of the Azure Sentinel Sysmon parsers: https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/Sysmon
To use the parser, copy the file content into Log Analytics and save it as a function (e.g. Sysmon_Parser). Now the events are well parsed:
To correlate API calls with events, a mapping phase is needed for better visibility. Thankfully, you can use these sheets:
More details about mapping can be found here: Uncovering The Unknowns
Now we know which Sysmon EventIDs to watch.
Let's perform the process hollowing technique using the following PoC: https://github.com/m0n0ph1/Process-Hollowing
Go to the Azure Sentinel logs console and run:
Sysmon_Parser | where EventID in ("1","10") | project SourceImage, TargetImage, EventID, GrantedAccess
- EventID 1: Process Created
- EventID 10: Process Accessed
- The project operator: Only the columns specified in the arguments are included in the result.
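As an added example that is not part of the original article, the following Python snippet shows the correlation behind the query above: it joins parsed Sysmon EventID 1 (process create) records with EventID 10 (process access) records and flags a process that creates a child and then opens it with the access rights VirtualAllocEx, WriteProcessMemory and thread suspend/resume require. Field names follow Sysmon's own event schema (the Sentinel parser's column names may differ), and the sample events are constructed, not captured from a real host.

```python
# Added example (not from the article): correlate Sysmon EventID 1 and 10 to flag
# a process that creates a child and then opens it with the rights hollowing needs.
# Field names follow Sysmon's own event schema; the sample events are constructed.

# Windows process access-mask bits needed by the APIs MITRE lists
PROCESS_VM_OPERATION = 0x0008    # VirtualAllocEx
PROCESS_VM_WRITE = 0x0020        # WriteProcessMemory
PROCESS_SUSPEND_RESUME = 0x0800  # suspend/resume the target's threads
HOLLOWING_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME

# Constructed sample: a PoC spawns svchost.exe and opens it with full access;
# Task Manager opens notepad.exe with query rights only (benign noise).
SAMPLE_EVENTS = [
    {"EventID": "1", "ParentImage": r"C:\Lab\Hollow.exe",
     "Image": r"C:\Windows\System32\svchost.exe", "ProcessGuid": "{guid-1}"},
    {"EventID": "10", "SourceImage": r"C:\Lab\Hollow.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe",
     "TargetProcessGUID": "{guid-1}", "GrantedAccess": "0x1FFFFF"},
    {"EventID": "1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "ProcessGuid": "{guid-2}"},
    {"EventID": "10", "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "TargetProcessGUID": "{guid-2}", "GrantedAccess": "0x1000"},
]


def has_hollowing_rights(granted_access):
    """True when the hex GrantedAccess mask carries every bit in HOLLOWING_MASK."""
    return (int(granted_access, 16) & HOLLOWING_MASK) == HOLLOWING_MASK


def find_hollowing_candidates(events):
    """Return (source, target, access) for each EventID 10 whose source is the
    parent that created the target (EventID 1) and whose granted rights allow
    allocating in, writing to and suspending/resuming that target."""
    created = {e["ProcessGuid"]: e for e in events if e["EventID"] == "1"}
    hits = []
    for e in events:
        if e["EventID"] != "10":
            continue
        create = created.get(e["TargetProcessGUID"])
        if create is None or create["ParentImage"] != e["SourceImage"]:
            continue  # opened by a process other than its creator
        if has_hollowing_rights(e["GrantedAccess"]):
            hits.append((e["SourceImage"], e["TargetImage"], e["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for src, dst, acc in find_hollowing_candidates(SAMPLE_EVENTS):
        print(f"possible hollowing: {src} -> {dst} (GrantedAccess {acc})")
```

Tuning the mask (for example adding PROCESS_CREATE_THREAD for other injection variants) and allow-listing known debuggers or EDR agents as SourceImage are the usual next steps before turning this into a scheduled analytic rule.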