Microsoft has released a new version of the Sysinternals package and updated the Sysmon utility with the ability to detect Process Herpaderping and Process Hollowing attacks.
Sysinternals is a collection of apps designed to help system administrators debug Windows computers or help security researchers track down and investigate malware attacks.
The Sysinternals package comes with more than 160 different apps, each useful for a particular task.
One of the most widely used Sysinternals apps is called Sysmon, or System Monitor, which works by logging system-level events (process creations, network connections, and changes to file creation time) to the default Windows event log.
Across the years, the tool has become a must-have for all security researchers, whether they’re involved in defending networks or performing digital forensics and incident response (DFIR) operations. This is because Sysmon allows them to record in-depth logs and then trace the roots of malicious attacks to specific processes and apps.
With today’s release of Sysmon 13.00, Microsoft says that the Sysmon app can now detect and log when malware tampers with a legitimate process.
When this happens, the Sysmon utility will create an alert in the Windows event log with the “EventID 25” identifier. System administrators and security researchers can then scan for this ID and detect what process a malware attack tried to modify.
Microsoft says that under the hood, the new Sysmon EventID 25 triggers “when the mapped image of a process doesn’t match the on-disk image file, or the image file is locked for exclusive access.”
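As an added example (not code from Microsoft or from the original article), the Python below scans an exported Sysmon log for EventID 25 and groups the hits by process image. It assumes the events were exported as XML and wrapped in one root element; the `Image`, `ProcessId` and `Type` field names and the two `Type` strings follow Sysmon's event schema rather than anything shown in the article, and the sample events are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Type strings written by Sysmon (assumed from its event schema, not quoted in
# the article), mapped to the two trigger conditions Microsoft describes.
CONDITION = {
    "Image is replaced": "mapped image differs from on-disk file",
    "Image is locked for access": "image file locked for exclusive access",
}

# Constructed sample export; every path and PID below is invented.
SAMPLE = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System>
 <EventData><Data Name="Image">C:\Windows\System32\cmd.exe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>25</EventID></System><EventData>
 <Data Name="ProcessId">4312</Data>
 <Data Name="Image">C:\Users\demo\AppData\Local\Temp\target.exe</Data>
 <Data Name="Type">Image is replaced</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>25</EventID></System><EventData>
 <Data Name="ProcessId">5120</Data>
 <Data Name="Image">C:\Users\demo\AppData\Local\Temp\target.exe</Data>
 <Data Name="Type">Image is locked for access</Data></EventData></Event>
</Events>"""

def tampering_events(xml_text):
    """Return the EventData fields of every EventID 25 record as dicts."""
    hits = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", "", NS).strip() != "25":
            continue  # not a process tampering record
        hits.append({d.get("Name"): d.text or ""
                     for d in ev.iterfind("e:EventData/e:Data", NS)})
    return hits

def summarize(events):
    """Group hits by image path so repeatedly flagged binaries stand out."""
    out = {}
    for f in events:
        row = out.setdefault(f.get("Image", "<unknown>"),
                             {"count": 0, "pids": set(), "conditions": set()})
        row["count"] += 1
        row["pids"].add(f.get("ProcessId", "?"))
        kind = f.get("Type", "")
        row["conditions"].add(CONDITION.get(kind, "unrecognised type: " + kind))
    return out

if __name__ == "__main__":
    for image, row in summarize(tampering_events(SAMPLE)).items():
        print(image, row["count"], sorted(row["pids"]), sorted(row["conditions"]))
```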
Process Herpaderping is a relatively new technique that was first detailed last year. It describes a method that malware can use to hide the intentions of a process by modifying its content on disk after the image has been mapped, allowing it to pass malicious code in apps that security software designates as safe.
Process Hollowing is an older technique that works the same way, except that malware suspends a legitimate application’s process, “hollows” its content, and then injects its own malicious code to be executed from the trusted service.
While other tools in the Sysinternals package have been used in previous years to detect process hollowing attacks, this marks the first time that support has been added for detecting the newer Process Herpaderping technique, which many security researchers expect to see being used in the wild in the coming years.
Mark Russinovich, one of the Sysinternals co-creators, previewed both Sysmon EventID 25 warnings last year on Twitter. Security researcher Olaf Hartong has published a deep dive into the new Sysmon 13.00 release and its support for detecting Process Herpaderping and Process Hollowing attacks.