MITRE ATT&CK® Detection Strategy

DET0382: Detection Strategy for Process Hollowing on Windows

Enterprise · DET0382 · Detection Strategy · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0382 is a MITRE detection strategy for identifying Process Hollowing on Windows. The business value is validating whether endpoint and SOC monitoring can recognize a stealthy process-injection pattern where malicious code runs inside another live process, potentially weakening trust in process names, allowlists, and basic process-based defenses.

Executive priority

Treat this as a resilience and detection-assurance item rather than a standalone control. Leaders should ask whether Windows endpoint telemetry, investigation playbooks, and managed detection rules can distinguish legitimate process behavior from suspicious suspended-process and memory-manipulation patterns. This matters for incident triage quality, privilege-escalation risk, and audit evidence that endpoint detection is monitoring more than file hashes and process names.

Technical view

The supplied ATT&CK relationship states this strategy detects T1055.012 Process Hollowing, a Windows technique associated with stealth and privilege escalation. SOC and detection engineering teams should validate visibility into process creation, parent/child relationships, suspended process creation where available, image/path metadata, memory mapping or unmapping indicators where collected, and code execution inside unexpected process address spaces. Because the official detection text for DET0382 is not provided, local implementation should be tested against benign administrative, software update, security tooling, and application behavior to reduce noisy detections.

Likely telemetry

  • Windows process creation events with command line, image path, parent process, user, and integrity context
  • Endpoint detection telemetry for process injection, memory allocation, memory mapping, or image replacement behaviors
  • Module/image load and executable mapping metadata where available
  • Process start state or suspended-process indicators where collected
  • Security tool alerts or behavioral analytics tied to process hollowing or process injection

Detection direction

  • Confirm that detections do not rely only on suspicious process names; process hollowing can abuse otherwise legitimate-looking processes.
  • Validate correlation across process creation, parent process lineage, memory behavior, and execution context rather than treating any single signal as conclusive.
  • Tune for expected noise from legitimate software installers, updaters, debuggers, security tools, and enterprise management agents.
  • Ensure SOC playbooks preserve process, memory, and parent/child evidence before remediation actions remove volatile artifacts.
  • Map alerts and tests to T1055.012 so coverage reporting reflects the related ATT&CK technique rather than a generic malware category.
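As an added example (not from the Glexia page, from MITRE, or from any vendor's product), the Python below applies the correlation guidance above to constructed endpoint events: it scores each target process on suspended creation by an unexpected parent, a sizable cross-process write, an image/path mismatch, and a resume following the write, and it carries an allowlist for debugger and installer noise. Event types, field names and the sample events are assumptions.

```python
# Added example: toy correlator for the "Detection direction" bullets above.
# Event types and field names are assumed, not any EDR's real schema.
from collections import defaultdict

# Constructed sample telemetry: a benign installer (pid 100), a suspicious chain
# where a Temp-folder loader creates svchost suspended, writes into it, maps an
# unbacked image and resumes it (pid 200), and a debugger session (pid 300).
EVENTS = [
    {"t": 1, "type": "process_create", "pid": 100, "ppid": 10, "suspended": False,
     "image": r"C:\Tools\setup.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"t": 2, "type": "process_create", "pid": 200, "ppid": 150, "suspended": True,
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Users\u\AppData\Local\Temp\loader.exe"},
    {"t": 3, "type": "remote_memory_write", "src_pid": 150, "target_pid": 200, "size": 65536},
    {"t": 4, "type": "image_mapped", "pid": 200, "mapped_image": "<unbacked>",
     "disk_image": r"C:\Windows\System32\svchost.exe"},
    {"t": 5, "type": "thread_resume", "src_pid": 150, "target_pid": 200},
    {"t": 6, "type": "process_create", "pid": 300, "ppid": 20, "suspended": True,
     "image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Tools\windbg.exe"},
    {"t": 7, "type": "remote_memory_write", "src_pid": 20, "target_pid": 300, "size": 4},
]

# Tuning list for expected noise: parents that legitimately create suspended children.
ALLOWED_SUSPENDED_PARENTS = {"windbg.exe", "devenv.exe", "msiexec.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_hollowing(events, min_signals=3):
    """Correlate per target PID; return {pid: [signals]} for PIDs reaching min_signals.

    No single signal is conclusive on its own: a suspended create, a remote write or
    an unbacked image each occur benignly, so the verdict needs several of them."""
    signals = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["t"]):
        kind = e["type"]
        if kind == "process_create" and e["suspended"]:
            if basename(e["parent_image"]) not in ALLOWED_SUSPENDED_PARENTS:
                signals[e["pid"]].append("suspended_create_by_unexpected_parent")
        elif kind == "remote_memory_write" and e["size"] >= 4096:
            signals[e["target_pid"]].append("cross_process_write")
        elif kind == "image_mapped" and e["mapped_image"] != e["disk_image"]:
            signals[e["pid"]].append("image_path_mismatch")
        elif kind == "thread_resume" and "cross_process_write" in signals[e["target_pid"]]:
            signals[e["target_pid"]].append("resume_after_write")
    return {pid: s for pid, s in signals.items() if len(s) >= min_signals}

if __name__ == "__main__":
    print(score_hollowing(EVENTS))
```

The debugger chain (pid 300) never scores because its parent is allowlisted and its write is tiny, which is the kind of tuning the bullets above ask for.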

Mitigation priorities

  • Prioritize endpoint visibility and retention for Windows process and memory-behavior telemetry before relying on this detection strategy operationally.
  • Harden endpoint controls that limit unauthorized code execution and suspicious child-process behavior, using environment-specific policy testing.
  • Review privilege boundaries and least-privilege posture because the related technique is associated with privilege escalation.
  • Prepare IR procedures for isolating affected Windows hosts and collecting volatile process evidence when hollowing is suspected.
  • Use detection validation results as compliance and control-efficacy evidence, noting that ATT&CK does not provide official detection logic in the supplied fields.

Analyst notes and limits

The strongest source-supported conclusion is that DET0382 is intended to detect the ATT&CK technique T1055.012 Process Hollowing on Windows. The practical defensive focus should be coverage validation: whether telemetry and playbooks can expose suspicious process-memory behavior that may not be visible through ordinary process inventory alone.

The object has no official description, no official detection text, no specified platforms on the detection strategy itself, and no supplied implementation logic. Windows relevance comes from the related T1055.012 technique. Local telemetry, tooling, and false-positive patterns must be assessed before claiming operational coverage.

Official MITRE ATT&CK definition

Detection Strategy for Process Hollowing on Windows

No official description is available in the imported ATT&CK source object.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name               Type           Relationship / procedure
Enterprise  T1055.012  Process Hollowing  Sub-technique  This object detects Process Hollowing.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 4edd27e06abb7708...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  4edd27e06abb…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.


Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.