
Microsoft Sysmon now detects malware process tampering attempts
2021-01-11 17:29

Microsoft has released Sysmon 13 with a new security feature that detects whether a process has been tampered with using process hollowing or process herpaderping techniques.

Process hollowing is when malware launches a legitimate process in a suspended state and replaces legitimate code in the process with malicious code.

Process herpaderping is a more advanced technique where malware modifies its image on the disk to look like legitimate software after the malware is loaded.

Numerous malware infections use process tampering techniques to evade detection, including the Mailto/defray777 ransomware, TrickBot, and BazarBackdoor.

Without a configuration file, Sysmon monitors only basic events such as process creation and file time changes.

With the ProcessTampering feature enabled, when process hollowing or process herpaderping is detected, Sysmon will generate an 'Event 25 - Process Tampering' entry in Event Viewer.
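The following is an added example, not code from the article or from Sysinternals, showing the two defender-side steps the article implies: a minimal Sysmon 13 configuration that turns on the ProcessTampering event, and a query that reads the resulting Event ID 25 entries back out of the Sysmon operational log. It assumes an elevated PowerShell session with Sysmon64.exe in the current directory; the file name sysmon-tampering.xml is a placeholder.

```powershell
# Added example (not from the article or from Sysinternals). Assumes an
# elevated session and Sysmon64.exe in the current directory; the config
# file name is a placeholder.

# Sysmon 13 introduced schema version 4.50 with the ProcessTampering rule type.
# onmatch="exclude" with no child rules means "log every detection".
$config = @'
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessTampering onmatch="exclude" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path .\sysmon-tampering.xml -Value $config -Encoding ASCII

# Fresh install with the config (-i); on a host that already runs Sysmon,
# use -c instead to load the new configuration into the running service.
.\Sysmon64.exe -accepteula -i .\sysmon-tampering.xml
# .\Sysmon64.exe -c .\sysmon-tampering.xml

# Sysmon writes its events to its own operational log; Event ID 25 is the
# 'Process Tampering' event the article describes.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 25
} -ErrorAction SilentlyContinue

# Flatten the EventData fields of each entry into one object per detection.
# The Type field is what distinguishes a replaced image (hollowing) from an
# image locked for access (herpaderping).
foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        UtcTime   = $d.UtcTime
        ProcessId = $d.ProcessId
        Image     = $d.Image
        Type      = $d.Type
        User      = $d.User
    }
}
```

In practice the ProcessTampering rule sits alongside the rest of a full Sysmon configuration rather than in a file of its own; the isolated config above is only to make clear which element enables Event 25. Because the detection fires on in-memory image replacement or on-disk image locking rather than on a signature, the Image and User fields are the first things to triage when an entry appears.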


News URL

https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 725 810 4735 4736 3649 13930