Microsoft Sysmon now detects malware process tampering attempts (Security News, January 2021)

Microsoft has released Sysmon 13 with a new security feature that detects whether a process has been tampered with using the process hollowing or process herpaderping techniques.
Process hollowing is when malware launches a legitimate process in a suspended state and replaces legitimate code in the process with malicious code.
Process herpaderping is a more advanced technique where malware modifies its image on the disk to look like legitimate software after the malware is loaded.
Numerous malware infections use process tampering techniques to evade detection, including the Mailto/defray777 ransomware, TrickBot, and BazarBackdoor.
Without a configuration file, Sysmon only monitors basic events such as process creation and file creation time changes.
With the ProcessTampering feature enabled in the configuration, Sysmon generates an 'Event 25 - Process Tampering' entry in Event Viewer whenever process hollowing or process herpaderping is detected.
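As an added example (not from the article or from Microsoft), a minimal Sysmon configuration that enables ProcessTampering, plus a PowerShell function that pulls Event ID 25 entries from the Sysmon operational log; the schema version and the event field names are assumptions taken from the published Sysmon schema, and the example Type values in the comment are illustrative.

```powershell
# Minimal Sysmon configuration that turns on ProcessTampering (Event ID 25).
# schemaversion 4.50 is assumed for Sysmon 13; run `sysmon64.exe -s` to print
# the schema version your installed build expects.
$sysmonConfig = @'
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- onmatch="exclude" with no child rules logs every tampering event -->
      <ProcessTampering onmatch="exclude" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
$configPath = Join-Path $env:TEMP 'sysmon-tampering.xml'
Set-Content -Path $configPath -Value $sysmonConfig
# Apply as Administrator, either on first install:
#   sysmon64.exe -accepteula -i $configPath
# or to update an existing installation:
#   sysmon64.exe -c $configPath

function Get-SysmonProcessTampering {
    # Returns the most recent Event ID 25 records as flat objects for triage.
    param([int]$MaxEvents = 50)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 25 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> elements into a hashtable
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Image       = $d['Image']
                ProcessId   = $d['ProcessId']
                # Assumed example values: "Image is replaced", "Image is locked for access"
                Type        = $d['Type']
                User        = $d['User']
            }
        }
}

Get-SysmonProcessTampering | Format-Table -AutoSize
```

Because an empty exclude rule logs every tampering event, review the Image column for expected cases (some installers and packers trigger it) before forwarding Event 25 to a SIEM as a high-severity alert.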