HackTool - HollowReaper Execution

Rule Info

Name: HackTool - HollowReaper Execution
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing. It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.
Date: 2025-07-01 00:00:00
Modified: None
Id: 85d23b42-9a9d-4f8f-b3d7-d2733c1d58f5
Tags: attack.defense-evasion, attack.t1055.012
Type: Community Rule

Rule History

Author | Title | Date | Commit
Swachchhanda Shrawan Poudel | Merge PR #5509 from @swachchhanda000 - Doppelganger Cloning and Dumping LSASS | 2025-07-03 |