MITRE ATT&CK Technique
Defense Evasion T1093
Description

Process hollowing occurs when a process is created in a suspended state then its memory is unmapped and replaced with malicious code. Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), execution of the malicious code is masked under a legitimate process and may evade defenses and detection analysis. (Citation: Leitch Hollowing) (Citation: Elastic Process Injection July 2017)

Supported Platforms
Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data 
{'created': '2017-05-31T21:31:09.815Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Process hollowing occurs when a process is created in a '
                'suspended state then its memory is unmapped and replaced with '
                'malicious code. Similar to [Process '
                'Injection](https://attack.mitre.org/techniques/T1055), '
                'execution of the malicious code is masked under a legitimate '
                'process and may evade defenses and detection analysis. '
                '(Citation: Leitch Hollowing) (Citation: Elastic Process '
                'Injection July 2017)',
 'external_references': [{'external_id': 'T1093',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1093'},
                         {'description': 'Leitch, J. (n.d.). Process '
                                         'Hollowing. Retrieved November 12, '
                                         '2014.',
                          'source_name': 'Leitch Hollowing',
                          'url': 'http://www.autosectools.com/process-hollowing.pdf'},
                         {'description': 'Hosseini, A. (2017, July 18). Ten '
                                         'Process Injection Techniques: A '
                                         'Technical Survey Of Common And '
                                         'Trending Process Injection '
                                         'Techniques. Retrieved December 7, '
                                         '2017.',
                          'source_name': 'Elastic Process Injection July 2017',
                          'url': 'https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process'}],
 'id': 'attack-pattern--1c338d0f-a65e-4073-a5c1-c06878849f21',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-24T17:48:28.786Z',
 'name': 'Process Hollowing',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows'],
 'x_mitre_version': '1.1'}
Quick Actions
Edit TTP Update from Web
Back to TTPs
Dashboard About