Detecting stealthier cross-process injection techniques with Windows Defender ATP: Process hollowing and atom bombing - Microsoft Security Blog
Tags
cmtmf-attack-pattern: Code Injection Process Injection
maec-delivery-vectors: Watering Hole
attack-pattern: Data Models Asynchronous Procedure Call - T1055.004 Code Injection - T1540 Credentials - T1589.001 Javascript - T1059.007 Malware - T1587.001 Malware - T1588.001 Mshta - T1218.005 Phishing - T1660 Phishing - T1566 Powershell - T1059.001 Process Hollowing - T1055.012 Process Injection - T1631 Regsvr32 - T1218.010 Software - T1592.002 Mshta - T1170 Powershell - T1086 Process Hollowing - T1093 Process Injection - T1055 Regsvr32 - T1117
Show in Graph
Common Information
Type Value
UUID 435bf0bf-7c22-496c-82c3-62fb0c16dfe7
Fingerprint 5c9009353974564b
Analysis status DONE
Considered CTI value 0
Text language
Published July 12, 2017, 5:19 p.m.
Added to db Jan. 18, 2023, 9:19 p.m.
Last updated Nov. 17, 2024, 6:55 p.m.
Headline Detecting stealthier cross-process injection techniques with Windows Defender ATP: Process hollowing and atom bombing
Title Detecting stealthier cross-process injection techniques with Windows Defender ATP: Process hollowing and atom bombing - Microsoft Security Blog
Detected Hints/Tags/Attributes 59/3/7
Source URLs
Redirection Url
Details Source https://cloudblogs.microsoft.com/microsoftsecure/2017/07/12/detecting-stealthier-cross-process-injection-techniques-with-windows-defender-atp-process-hollowing-and-atom-bombing/
URL Provider
Details Provider Source level domain
Details microsoft.com cloudblogs.microsoft.com
Attributes
Details Type #Events CTI Value
Details File 478 
lsass.exe
Details File 456 
mshta.exe
Details File 291 
user32.dll
Details Windows Registry Key 112 
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Details File 1260 
explorer.exe
Details File 459 
regsvr32.exe
Details File 1122 
svchost.exe