In System Monitor (Sysmon) version 13, Windows introduced the ability to detect advanced process tampering techniques such as process herpaderping and process hollowing.

Process hollowing

This is a process injection technique where a malicious code is executed within the context of a legitimate process in order to evade defense setups like IDS/IPS systems, firewalls, etc. A threat actor performs this technique by hollowing out an executable thread of a trusted process and replaces this with a malicious binary of their own. The kicker here is that the tampered process still points to a legitimate executable pathway. Process hollowing is conducted to achieve the tactical goals of Privilege Escalation and Defense Evasion.

Process herpaderping

Process Herpaderping is a relatively newly identified technique that works towards the goal of evading defenses. When a new process is created, antivirus solutions register a callback in the Windows kernel. At this point, a security product will investigate the file that was used to map the executable and conclude if execution of the process can continue. Note that this kernel callback is invoked when the initial thread is inserted, not when the process object is created. This creates a window of opportunity for the threat actor to first create the process, modify the contents, and then create the initial thread.

For example a hacker might run a Rubeus program in the space of a legitimate Firefox process. If security solutions scan processes before the creation of the initial thread, they would fail to identify the modification in the process. Sysmon 13 aims to call this herpaderping to attention through the introduction of Event ID 25.

Here's a breakdown of the steps that will lead to the generation of Event ID 25. You can use the following steps to generate the event to test if it reflects in your system.

  1. A process is created in the target application using CreateProcessW (c:\windows\system32\cmd.exe).
  2. Create a replacement executable using CreateFileW (c:\Windows\System32\svchost.exe).
  3. Check the size of replacement executable using GetFileSize.
  4. Allocate memory for the replacement executable using VirtualAlloc.
  5. Read the executable file from disk using ReadFile.
  6. Unmap the executable using NtUnmapViewOfSection.
  7. Write the replacement executable into target application using NtWriteVirtualMemory in the native API.
  8. Write the new address of the executable in the Process Environment Block and set the eax register of the primary thread to the entry point of the replacement executable.
  9. Resume the thread using NtResumeThread.

The new executable then runs in the address space of the target process and waits for the target process to terminate. This will lead to the generation of Event ID 25, the description for which reads as "Image is replaced."

If you view this in the Event Viewer, these are the fields that pop up so you can dive into the forensics of it.

Field Description
UtcTime Time in UTC when the event was created
ProcessGuid Process GUID of the process that was tampered with
ProcessId Process ID used by the OS to identify the process that was tampered with
Image File path of the process that was tampered with
Type The type of tampering detected
User The name of the account in which the process tampered with runs

Stay tuned for more Sysmon Event ID updates that can help you detect more techniques hackers use to compromise your network.

Fig 1: Log360 detection of Process Tampering with Sysmon Event ID 25
Fig 1: Log360 detection of Process Tampering with Sysmon Event ID 25

Get the latest content delivered
right to your inbox!

Thank you for subscribing.

You will receive regular updates on the latest news on cybersecurity.

  • Please enter a business email id
  •  
  •  
    By clicking on Keep me Updated you agree to processing of personal data according to the Privacy Policy.

Expert Talks

     
     

© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.