Process Hollowing

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

8 hours 39 minutes
Video Transcription
hello and welcome to another application of the minor attack framework discussion today. We're going to discuss process hollowing. So what are the objectives of today's discussion? Whether pretty straight for we're going to describe for you what process Halloween is,
we'll have a little example based on a recent tool that's been used. One a look at some mitigation techniques and some detection techniques as well. So what? That let's go ahead and jump right in. So process. Hollowing as laid out in minor,
happens when a process is created in a suspended state than its memory is unmapped and replaced with malicious code. So this could be masked under legitimate processes and can evade. Defense is quite effectively if you don't have the appropriate detection, met mechanisms or
capabilities in place to find these types of things.
So an example of this is the Iess, um, injector that's described as a Trojan, really, and it is used to install backdoors, and it will install several. It's associated with the Threat group oil rig on, and it essentially is off. She skated with smart assembly dot net off you skater, So
down below, here's a little snippet we took from Palo Alto Networks Unit 42 the part to pay attention to here is where it works to create. These resource is essentially that will hide the activities and create the shells and things of that nature
with this particular Trojan.
Now something to keep in mind about these types of techniques and tools. Typically, they require access to a network our access to a system. So unless you've got a system that's Internet facing and it's vulnerable to some other type of exploit, this typically isn't the first thing that a threat actor does on the system.
But once they get to a point where they can enact these types of attacks or mechanisms,
they become a lot harder to detect and find on the systems.
Now let's talk about some mitigation techniques for a moment, of course, on the site, looking at minor and kind of their recommendations. They just indicate that these air very hard techniques to mitigate, especially once we have, you know, other mechanisms that have been used to get a threat actor to this point.
Now, some things that we can commonly do that make it harder for threat. Actor to take advantage of these types of techniques is to implement least privilege on user accounts, And so again, it's a re occurring theme that we're going to hear over and over again.
But if you could do anything to mitigate risk and help to reduce the capabilities of threat actors, it would be implementing least privilege
and awareness training. And so
the reason that awareness training is so important is when I learned to drive or do something like that, at least you know, here in
in Georgia, where I'm at, they require me to do so much training. They require me to be aware of the signs and the way that things happen on on the roads and when I'm supposed to do when what I'm not supposed to do.
And so
those things are now in eight league a part of my experience, and when I go to drive a vehicle, I'm aware of what those things mean. And eight Lee, I know what to avoid. I know it to be careful of. If we don't take the same steps with our end users and training them
what the risks are out there on the Internet, what people are trying to do to take advantage of them and what they're you know, it becomes a bit of ignorance that we've got amongst ourselves,
and so we could at least make in users aware,
then the likelihood that a threat actor gets in through something like social engineering. You know, things of that nature are less likely. The more that we train our staff and and our folks in our businesses
now detection mechanisms that we could implement here we could look to monitor a P. I calls that unmapped process memory and those that can modify memory within another process. And so
any time we see these types of activities that are associated with process hollowing,
we should have some mechanisms in place to alert either staff members or 1/3 party
to then look into that instance and determine whether or not a malicious threat actor is in play.
Now let's do a quick check on learning true or false
process. Hollowing is easily detected and prevented.
All right, well, if you need some additional time, please pause the video and take a moment to think it through. So process following the key word here easily detected and prevented as we discuss process. Hollering is somewhat of an advanced technique that threat actors can use to avoid detection, and it is not always easily detected
or prevented if a threat actor has already gotten on the system. And so in this instance,
this is a false statement
process. Hollowing is not easily detected, and it could be difficult to prevent if other mitigating factors were not implemented. So let's go ahead and move over to the summary for today's discussion. We looked at and describe process hollowing at a high level, and we introduced you to a particular tool that has been used for process hollowing.
We discussed mitigating techniques, really focusing on at least privilege and end user awareness training as factors for that.
And then we talked about detection techniques where we look for a P eyes or calls on systems that air doing things that would be associated with process hollowing or these types of techniques. So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.
Up Next