
Microsoft Defender for Endpoint Detects Process Hollowing but Does Not Generate Alerts
Microsoft Defender for Endpoint (MDE) has been observed detecting process hollowing without raising an alert for it. In a recent test, a C++ proof of concept targeting msedge.exe was run on a machine onboarded to MDE. No alert was generated, but the activity was recorded in the device timeline with the message: "prog.exe used process hollowing to remotely inject itself into msedge.exe through remote thread creation". MDE therefore has the telemetry and the classification for this technique; it simply does not treat the event as alert-worthy on its own.

Process hollowing is a technique commonly used by malware: a legitimate process is started in a suspended state, its image is unmapped or overwritten with attacker-controlled code, and the process is resumed so that the malicious code runs under the name and reputation of the original executable. That MDE recognises and labels this behaviour is a positive sign of its capabilities. The absence of an alert, however, means that the event surfaces only in the device timeline and in the underlying advanced hunting data. Unless a security team looks for it, a hollowed process can go unnoticed.

There are several plausible reasons for not alerting on this event by default. Remote thread creation and cross-process memory writes are also performed by some legitimate software (debuggers, installers, security agents), so MDE may log the activity as an investigation artefact rather than raise an immediate alert on every occurrence. It may also be designed to combine this event with additional context or subsequent behaviour before assigning a severity.

For cybersecurity professionals, this highlights the importance of understanding not just what a security tool detects but what it will and will not alert on. Security teams using MDE should look for process hollowing and remote thread injection events in the device timeline and in advanced hunting, and should review their configuration: MDE allows a saved advanced hunting query to be turned into a custom detection rule with a severity of the team's choosing, which is the practical way to promote an event like this from timeline entry to alert.

In conclusion, while MDE's detection of process hollowing is a strong feature, the lack of a default alert underscores the need for active monitoring and configuration review to ensure comprehensive threat detection and response.
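One way to hunt for the behaviour described above in Advanced Hunting. This is an added example, not a query from the original post or from Microsoft: it uses the documented DeviceEvents table and the ActionType "CreateRemoteThreadApiCall", which corresponds to the "remote thread creation" part of the timeline message. The list of target process names, the seven-day window and the allowlisted folder path are assumptions to be adjusted for your environment, and the "process hollowing" label shown in the timeline is not used as a filter because it is not a column in this table.

```kql
// Added example (not part of the original post): surface remote-thread
// injection into commonly hollowed host processes so the events can be
// reviewed or promoted to a custom detection rule.
DeviceEvents
| where Timestamp > ago(7d)                       // assumed window
| where ActionType == "CreateRemoteThreadApiCall"  // documented ActionType
// Hosts that malware likes to hollow; assumed list, extend as needed.
| where FileName in~ ("msedge.exe", "chrome.exe", "svchost.exe", "explorer.exe")
// The timeline message describes one image injecting into a different
// image; drop threads a process creates in itself.
| where InitiatingProcessFileName !~ FileName
// Hypothetical allowlist for a known-good injector (e.g. a security agent);
// replace with paths observed as benign in your own environment.
| where InitiatingProcessFolderPath !startswith @"C:\Program Files\ExampleVendor\"
// Timestamp, DeviceId and ReportId are required if this query is saved as
// a custom detection rule.
| project Timestamp, DeviceId, DeviceName, ReportId,
          InjectingProcess = InitiatingProcessFileName,
          InjectingPath = InitiatingProcessFolderPath,
          InjectingCommandLine = InitiatingProcessCommandLine,
          TargetProcess = FileName,
          TargetProcessId = ProcessId,
          AdditionalFields
| order by Timestamp desc
```

Run the query in the Advanced Hunting page of the Defender portal; the prog.exe to msedge.exe event from the test should appear as a row with InjectingProcess "prog.exe" and TargetProcess "msedge.exe". To get the alert the timeline entry lacks, save the query as a custom detection rule and set its severity; tune the allowlist first, because legitimate injectors will otherwise generate noise.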