Microsoft Sysmon users are getting a new update this week as part as a wider release for the Sysinternals suite. Specifically, the utility is gaining the ability to detect Process Hollowing attacks and Process Herpaderping.
If you’re unfamiliar with Sysinternals, it is a suite of applications for admins that allows them to debug Windows machines. Furthermore, users can tap into the tool to find and investigate malware attacks.
Microsoft Sysmon (System Monitor) is one of the tools with Sysinternals, joining over 160 other applications. It is perhaps the most popular app in the suite that logs system level events on a Windows computer.
These events are logged within the regular Windows event log. For example, it can log network connections, changes to files, and new processes. Many security teams use Sysmon as part of their threat mitigation arsenal, so adding two new abilities is a major update.
Specifically, Sysmon can now detect two process attacks (Hollowing and Herpaderping) that are designed to avoid detection.
The new tools are part of Microsoft Sysmon 13.00. When a Hollowing or Herpaderping attack is found, the tool will now log this malware attack. Both process attacks are filed under “EventID 25” in the system log.
Process Herpaderping is a new technique that focuses on preventing detection. It can obscure and hide the true intentions of a process by changing the content on a disk. This happens when the image has been mapped.
In a recent tweet, Microsoft’s Mark Russinovich previewed both Sysmon logs with the EventID 25 log warning. That tweet arrived last November as a teaser, but Microsoft is now rolling out the ability to Sysmon 13.00 within Sysinternals.
Tip of the day:
Do you know the built-in repair tools SFC and DISM of Windows 10? With many problems they can get you back on track without loosing data and using third-party programs. In out tutorial we show you how to use them.