detecting-process-hollowing-technique
by mukul975
detecting-process-hollowing-technique helps hunt process hollowing (T1055.012) in Windows telemetry by correlating suspended launches, memory tampering, parent-child anomalies, and API evidence. Built for threat hunters, detection engineers, and responders who need a practical process-hollowing detection workflow for threat hunting.
This skill scores 81/100, which means it is a solid directory listing for users hunting process hollowing (T1055.012). The repository gives enough operational detail for an agent to recognize when to use it, follow a detection workflow, and leverage supporting scripts and references with relatively little guesswork, though it is still more detection-oriented than fully turnkey.
- Strong triggerability: the SKILL.md clearly targets process hollowing detection and names concrete use cases like EDR alerts, memory threats, and purple-team validation.
- Good operational scaffolding: the repo includes a multi-phase workflow plus supporting references for Sysmon, MDE/KQL, Splunk SPL, and API-sequence context.
- Useful agent leverage: scripts and templates provide executable starting points for Sysmon log analysis and hunt documentation rather than only narrative guidance.
- No install command in SKILL.md, so users may need to infer how to operationalize the scripts and dependencies themselves.
- Some workflow content is truncated in the evidence, and the skill appears centered on Windows telemetry, limiting fit outside that environment.
Overview of detecting-process-hollowing-technique skill
The detecting-process-hollowing-technique skill helps you hunt for process hollowing (MITRE ATT&CK T1055.012) in Windows telemetry by correlating process creation, memory tampering, and parent-child anomalies. It is best for threat hunters, detection engineers, and incident responders who need a practical process-hollowing detection workflow for threat hunting, not a generic explanation of process injection.
What this skill is for
Use this skill when you need to decide whether a suspicious process is genuinely hollowed, not just unusual. It focuses on the signals that matter operationally: suspended process creation, image mismatch, remote memory writes, and abnormal execution flow after resuming the thread.
Why it is useful in real hunts
The main value of the detecting-process-hollowing-technique skill is structure. Instead of hunting from a single alert, it gives you a sequence: identify candidate processes, validate against expected Windows parent-child relationships, then confirm with memory and API-level evidence. That reduces false positives from benign service behavior and helps separate “odd” from “malicious.”
What makes it different
This skill is strongest when you have EDR or Sysmon telemetry and need a detection-oriented workflow. It is more useful than a one-line prompt because it already reflects the usual hollowing chain and the common tradeoff: better confidence requires better process and memory visibility. If you only have network logs, this skill will not give you enough evidence.
How to Use detecting-process-hollowing-technique skill
Install and load it
Install with:
npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill detecting-process-hollowing-technique
Then open skills/detecting-process-hollowing-technique/SKILL.md first. If you want the operational context behind the hunt logic, also read references/standards.md and references/workflows.md before running the skill in your own environment.
Start with the right input
The skill works best when your prompt includes the telemetry source, a short suspicion statement, and the time window. For example: “Analyze Sysmon Event IDs 1, 8, 10, and 25 from host X for signs of process hollowing after a suspicious svchost.exe launch at 14:30 UTC.” That is better than “check for malware,” because it gives the model a concrete hunt target and a verification path.
Suggested workflow
- Use the skill to narrow candidate processes from Sysmon or EDR.
- Validate the parent-child relationship against the Windows baseline.
- Check for hollowing indicators: suspended start, unmap/write/redirect sequence, and tampering events.
- Confirm with memory evidence if available.
- Convert the result into a hunt note or detection rule, using assets/template.md as the reporting shape.
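An added example of the correlation the workflow above describes; it is not the skill's own scripts/agent.py or scripts/process.py. It groups constructed Sysmon Event 1, 10 and 25 records by ProcessGuid, checks each parent against a small assumed baseline, and returns a likelihood with the evidence found and the evidence still missing, so a parent anomaly alone never reaches "likely". The PARENT_BASELINE entries, the PROCESS_VM_WRITE mask check and the sample events are assumptions constructed for this example.

```python
import json

# Constructed baseline of expected parents for a few Windows system images (assumption).
PARENT_BASELINE = {"svchost.exe": {"services.exe"}, "lsass.exe": {"wininit.exe"}}
PROCESS_VM_WRITE = 0x0020  # access-mask bit tested in the Sysmon Event 10 GrantedAccess field

# Constructed Sysmon-style events as JSON lines, not real telemetry. Process A mirrors the
# "svchost.exe started by cmd.exe, then tampering alert at 14:31" scenario; B is benign.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessGuid": "A", "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "UtcTime": "14:30:02"}
{"EventID": 10, "TargetProcessGuid": "A", "SourceImage": "C:\\Users\\u\\loader.exe", "GrantedAccess": "0x1FFFFF", "UtcTime": "14:30:03"}
{"EventID": 25, "ProcessGuid": "A", "Image": "C:\\Windows\\System32\\svchost.exe", "Type": "Image is replaced", "UtcTime": "14:31:00"}
{"EventID": 1, "ProcessGuid": "B", "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "UtcTime": "14:30:10"}
"""

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def assess(events_text):
    """Group Sysmon Events 1, 10 and 25 by ProcessGuid and return {guid: verdict dict}."""
    procs = {}
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        guid = ev.get("ProcessGuid") or ev["TargetProcessGuid"]
        p = procs.setdefault(guid, {"image": None, "evidence": [], "write": False, "tamper": False})
        if ev["EventID"] == 1:
            p["image"] = basename(ev["Image"])
            parent = basename(ev["ParentImage"])
            if parent not in PARENT_BASELINE.get(p["image"], {parent}):  # no baseline: no anomaly
                p["evidence"].append(f"{ev['UtcTime']} parent anomaly: {p['image']} started by {parent}")
        elif ev["EventID"] == 10 and int(ev["GrantedAccess"], 16) & PROCESS_VM_WRITE:
            p["write"] = True
            p["evidence"].append(f"{ev['UtcTime']} remote write access from {basename(ev['SourceImage'])}")
        elif ev["EventID"] == 25:
            p["tamper"] = True
            p["evidence"].append(f"{ev['UtcTime']} process tampering: {ev['Type']}")
    results = {}
    for guid, p in procs.items():
        score = p["tamper"] + p["write"]  # parent anomaly alone only ever yields "weak"
        likelihood = {2: "likely", 1: "possible"}.get(score, "weak" if p["evidence"] else "none")
        missing = ["memory evidence (only event logs supplied)"]
        missing += [f"Sysmon Event {n} evidence" for n, seen in ((10, p["write"]), (25, p["tamper"])) if not seen]
        results[guid] = {"image": p["image"], "likelihood": likelihood,
                         "evidence": p["evidence"], "missing": missing}
    return results

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_EVENTS), indent=2))
```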
Files to read first
For detecting-process-hollowing-technique usage, prioritize:
- SKILL.md for the hunt logic and prerequisites
- references/api-reference.md for the API sequence and sample Splunk query
- references/workflows.md for Sysmon and MDE examples
- assets/template.md for documenting findings clearly
- scripts/agent.py and scripts/process.py if you want to automate event parsing or triage
detecting-process-hollowing-technique skill FAQ
Is this only for advanced analysts?
No. The detecting-process-hollowing-technique guide is accessible to beginners who already know basic Windows process concepts. You do need enough context to distinguish normal service behavior from suspicious injection patterns, but the skill gives you a usable hunt path instead of expecting deep reverse-engineering knowledge.
Do I need EDR or Sysmon?
Preferably yes. The skill is strongest with Sysmon and EDR telemetry because process hollowing is often invisible in basic endpoint logs. Without process creation, tampering, or memory-related telemetry, you may only get a weak suspicion rather than a defensible conclusion.
How is this different from a normal prompt?
A normal prompt may describe process hollowing in general terms. This skill is more decision-oriented: it pushes you toward specific checks, expected parent-child baselines, and evidence that supports or refutes T1055.012. That usually produces better triage output and fewer vague answers.
When should I not use it?
Do not use detecting-process-hollowing-technique if your case is mainly about browser exploitation, macro malware, or generic persistence with no process injection evidence. It is also a poor fit when you lack endpoint telemetry and only need a high-level incident summary.
How to Improve detecting-process-hollowing-technique skill
Give stronger telemetry context
The biggest quality gain comes from better input data. Include OS version, logging source, event IDs, and one or two suspicious process names. For example: “Windows 11, Sysmon 13, Event 1 and 25, svchost.exe started by cmd.exe, then tampering alert at 14:31.” That helps the model anchor on the right detection path.
Ask for a verdict plus evidence
If you want useful output, ask for both a conclusion and the evidence chain. A good request is: “Classify the likelihood of process hollowing, list supporting indicators, and note what evidence is still missing.” That forces the result to separate confirmed findings from assumptions.
Watch common failure modes
The most common mistake is overcalling hollowing from parent-child mismatch alone. Another is treating every suspended process as malicious. Improve the result by providing baseline parent-child expectations, known-good admin activity, and whether memory evidence or only event logs are available.
Iterate after the first pass
Use the first answer to identify what is missing, then rerun the skill with those gaps filled. If the output is tentative, add process hashes, command lines, loaded modules, and timing between CreateProcess, WriteProcessMemory, and ResumeThread. That turns a generic detecting-process-hollowing-technique skill response into a more defensible detection or hunt note.
