Detectionhighexperimental

HackTool - HollowReaper Execution

Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing. It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Swachchhanda Shrawan Poudel (Nextron Systems)Created Tue Jul 0185d23b42-9a9d-4f8f-b3d7-d2733c1d58f5windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|endswith: '\HollowReaper.exe'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0005 · Defense Evasion

Sub-techniques

T1055.012 · Process Hollowing

Rule Metadata

Rule ID

85d23b42-9a9d-4f8f-b3d7-d2733c1d58f5

Status

experimental

Level

high

Type

Detection

Created

Tue Jul 01

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules/windows/process_creation/proc_creation_win_hktl_hollowreaper.yml

Raw Tags

attack.privilege-escalationattack.defense-evasionattack.t1055.012

View on GitHub