From 4f27bfe75813c845956dc1c2c259c929b22c5f8e Mon Sep 17 00:00:00 2001
From: sara-rn <103417144+sara-rn@users.noreply.github.com>
Date: Tue, 23 Jan 2024 10:55:34 +0100
Subject: [PATCH] Ghostly Hollowing process injection rule (#865)
* ghostly hollowing process injection rule
---------
Co-authored-by: Moritz
---
 .../inject/process-ghostly-hollowing.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 host-interaction/process/inject/process-ghostly-hollowing.yml
diff --git a/host-interaction/process/inject/process-ghostly-hollowing.yml b/host-interaction/process/inject/process-ghostly-hollowing.yml
new file mode 100644
index 00000000..6c836708
--- /dev/null
+++ b/host-interaction/process/inject/process-ghostly-hollowing.yml
@@ -0,0 +1,26 @@
+rule:
+ meta:
+ name: process ghostly hollowing
+ namespace: host-interaction/process/inject
+ authors:
+ - sara.rincon@mandiant.com
+ scopes:
+ static: function
+ dynamic: call
+ references:
+ - https://github.com/hasherezade/transacted_hollowing/tree/main#ghostly-hollowing
+ examples:
+ - 3b2eba4789bd4a799fe18476a4d1ce9f37ecc4c202eb406e06425c7e792904ff:0x140007aa0 # open_file
+ - 3b2eba4789bd4a799fe18476a4d1ce9f37ecc4c202eb406e06425c7e792904ff:0x140007840 # delete_pending_file
+ features:
+ - or:
+ - and:
+ - operand[1].number: 0xC0110000 = DELETE | SYNCHRONIZE | GENERIC_READ | GENERIC_WRITE
+ - operand[1].number: 0x20 = FILE_SUPERSEDE | FILE_SYNCHRONOUS_IO_NONALERT
+ - or:
+ - api: NtOpenFile
+ - string: "NtOpenFile"
+ - and:
+ - api: NtWriteFile
+ - api: NtSetInformationFile
+ - api: NtCreateSection
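Review bot: The second `and` branch fires on any function that calls `NtWriteFile`, `NtSetInformationFile` and `NtCreateSection`, which describes ordinary file-writing code as much as an injector; what makes the sequence ghostly hollowing is `NtSetInformationFile` being used with `FileDispositionInformation` so the file is delete-pending when the section is created, and nothing in the rule checks that class. Adding `- number: 0xD = FileDispositionInformation` to that branch (a plain `number` feature, since the class is the fifth API argument rather than an instruction operand like the `operand[1].number` immediates in the first branch) would tie the match to the delete-pending step and cut false positives on legitimate writers that map sections. If `operand[...]` features are not emitted at dynamic `call` scope, the first branch can only match statically and this unconstrained branch becomes the sole dynamic trigger, which is worth confirming against the extractor. A one-line `description:` in `meta` naming the delete-pending trick would also help an analyst reading a match understand why these three calls together are suspicious.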