Use hollows_hunter to detect suspicious process injections.
Upload any findings to the server, including process dumps.
name: Windows.Memory.HollowsHunter
description: |
Use hollows_hunter to detect suspicious process injections.
Upload any findings to the server, including process dumps.
tools:
- name: hollows_hunter
github_project: hasherezade/hollows_hunter
github_asset_regex: hollows_hunter64.exe
serve_locally: true
precondition:
SELECT OS From info() where OS = 'windows'
sources:
- name: Output
query: |
-- Get the path to the hollows_hunter tool and a fresh temp directory.\
LET TempDir <= tempdir(remove_last=TRUE)
LET binaries <= SELECT FullPath
FROM Artifact.Generic.Utils.FetchBinary(ToolName="hollows_hunter")
-- Run the tool and relay back the output, as well as upload all the files from the tempdir.
SELECT *
FROM execve(argv=[binaries[0].FullPath,"/hooks",
"/json", "/dir", TempDir], sep="\n")
- name: Summary
query: |
LET LookupPid(pid) = SELECT Name, CommandLine, Exe FROM pslist(pid=pid)
SELECT *, LookupPid(pid=pid)[0] AS ProcessInfo
FROM foreach(row=parse_json(
data=read_file(filename=TempDir + "/summary.json")).suspicious)
- name: Uploads
query: |
SELECT upload(file=FullPath) AS Upload
FROM glob(globs="*", root=TempDir)