Windows.Memory.HollowsHunter

Use hollows_hunter to detect suspicious process injections.

Upload any findings to the server, including process dumps.


name: Windows.Memory.HollowsHunter
description: |
   Use hollows_hunter to detect suspicious process injections.

   Upload any findings to the server, including process dumps.

tools:
 - name: hollows_hunter
   github_project: hasherezade/hollows_hunter
   github_asset_regex: hollows_hunter64.exe
   serve_locally: true

precondition:
   SELECT OS From info() where OS = 'windows'
   
sources:
  - name: Output
    query: |
      -- Get the path to the hollows_hunter tool and a fresh temp directory.\
      LET TempDir <= tempdir(remove_last=TRUE)
      LET binaries <= SELECT FullPath
      FROM Artifact.Generic.Utils.FetchBinary(ToolName="hollows_hunter")

      -- Run the tool and relay back the output, as well as upload all the files from the tempdir.
      SELECT *
      FROM execve(argv=[binaries[0].FullPath,"/hooks",
           "/json", "/dir", TempDir], sep="\n")
           
  - name: Summary
    query: |
      LET LookupPid(pid) = SELECT Name, CommandLine, Exe FROM pslist(pid=pid)

      SELECT *, LookupPid(pid=pid)[0] AS ProcessInfo
      FROM foreach(row=parse_json(
            data=read_file(filename=TempDir + "/summary.json")).suspicious)  
            
  - name: Uploads
    query: |
      SELECT upload(file=FullPath) AS Upload
      FROM glob(globs="*", root=TempDir)