Microsoft updates Sysmon to better defend against malware attacks

Get a free Techzine subscription!

This latest update is notable in helping admins defend against malware attacks.

Microsoft has announced a new release of their Sysinternals package. As part of the release, they have updated the Sysmon utility with the ability to detect Process Herpaderping and Process Hollowing attacks.

Sysmon (System Monitor) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time.

By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, admins can identify malicious or anomalous activity and understand how intruders and malware operate on theirnetwork.

Stopping Process Herpaderpering and Process Hollowing

According to Microsoft, this update to Sysmon adds a process image tampering event (EventID 25). This event reports when the mapped image of a process doesn’t match the on-disk image file.

It also reports when the image file is locked for exclusive access. These indicators are triggered by Process Hollowing and Process Herpaderping.

Process Herpaderping is a new attack method. Using this method, malware can hide the intentions of a process by modifying its content on disk. This in turn allows it to pass malicious code in apps that security software designates as safe.

Process Hollowing is where malware suspends a legitimate application’s process, then “hollows” its content. The malware then injects its own malicious code, which is subsequently executed from the trusted service.

This update is notable as it is the first time Microsdoft has added support for detecting Process Herpaderping. This is important, as many security analysts expect to see an increase tin these types of attacks in the future.