Behavior:Win32/ProcessHijack is a generic, heuristic EDR/AV detection for malware that employs advanced 'Defense Evasion' techniques—specifically Process Injection or Process Hollowing—to hide malicious code within the memory space of a legitimate Windows process.
Understanding Process Hijacking
To an end-user, this behavior is invisible. For incident responders, a 'ProcessHijack' alert is a critical, high-severity warning. It indicates that malware is actively attempting to bypass application whitelisting and endpoint firewalls. Instead of running as malware.exe, the threat allocates memory inside a trusted process (like explorer.exe, svchost.exe, or notepad.exe), writes its malicious code into that space, and creates a remote thread to execute it. This allows the malware's network traffic and file system access to appear as if it is coming from the trusted Windows process.
Execution and Threat Hunting
This technique is utilized by almost all advanced malware, including ransomware, banking trojans, and state-sponsored RATs. In 'Process Hollowing' (a specific type of hijacking), the malware launches a legitimate process in a suspended state, unmaps (hollows out) its legitimate code from memory, replaces it with the malicious payload, and resumes the thread. Threat hunters must look beyond file-based scanning. EDR platforms detect this by monitoring for anomalous API calls like VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread.
Forensic Analysis & Impact
The impact depends entirely on the injected payload, but the presence of this technique guarantees a sophisticated attacker. Incident responders must perform live memory forensics. Dumping the memory of the hijacked process is the only way to extract the unencrypted, actively running malware payload, as it often never touches the disk.
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
| Technique | Name | Tactic |
|---|---|---|
T1055.012 | Process Injection: Process Hollowing | Defense Evasion |
T1055.001 | Process Injection: Dynamic-link Library Injection | Defense Evasion |
T1055.002 | Process Injection: Portable Executable Injection | Defense Evasion |
T1106 | Native API | Execution |
T1562.001 | Impair Defenses: Disable or Modify Tools | Defense Evasion |
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_PROCESSHIJACK {
meta:
description = "Detects Processhijack (trojan_generic)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "processhijack" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Processhijack Activity
id: 852ad7509bb3605467933ed3efff756b
status: experimental
description: Detects generic indicators of the processhijack malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*processhijack*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/processhijack.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.