Microsoft has released Sysmon 13, which adds a security feature that detects when a running process has been tampered with by malware.
One technique attackers use to avoid detection is to inject malicious code into a legitimate Windows process. The malware still runs, but Task Manager and similar tools show only a standard Windows process running in the background.
Process hollowing starts a legitimate process in a suspended state and then replaces its code with malicious code before resuming it. The malicious code is executed by that process, with whatever rights the process has been granted.
Process herpaderping is a more advanced technique: after the malicious executable has been mapped into memory, the malware overwrites its own file on disk so that it looks like legitimate software. When security software scans the file on disk, it sees a harmless file while the malicious code is already running in memory.
Many known malware families use these or similar techniques to evade detection, including the Mailto/DEFRAY777 ransomware, TrickBot and BazarBackdoor.
If you are not familiar with Sysmon (System Monitor), it is a Sysinternals tool designed to monitor a system for malicious activity and record the corresponding events in the Windows event log.
You can download Sysmon from the Sysinternal page or https://live.sysinternals.com/sysmon.exe.
To enable process tampering detection, administrators must add the "ProcessTampering" option to a Sysmon configuration file. Without a configuration file, Sysmon only records basic events such as process creation and file creation time changes.
This new directive was added in Sysmon configuration schema version 4.50; the full schema, including the new option, can be viewed by running sysmon -s.
Once installed with a configuration, Sysmon loads its driver and starts collecting data quietly in the background.
All Sysmon events are written to "Applications and Services Logs/Microsoft/Windows/Sysmon/Operational" in Event Viewer.
With ProcessTampering enabled, when hollowing or herpaderping is detected Sysmon will create an "Event ID 25: Process Tampering" entry in that log, naming the affected image, its process ID and the type of tampering observed.
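The following PowerShell script is an added example, not code from the article or from Sysinternals. It ties together the configuration step and the event review described above: it writes a minimal schema 4.50 configuration that enables ProcessTampering with no exclusions (so every tampering event is recorded), shows the install/update command lines, and then pulls Event ID 25 entries from the Sysmon Operational log and flattens their EventData fields. The file name, the path to sysmon64.exe and the choice to keep the exclusion list empty are assumptions; the field names (Image, ProcessId, Type, User) are those Sysmon emits for Event ID 25.

```powershell
# Added example (not from the article). Assumes sysmon64.exe is on PATH and
# that an elevated PowerShell session is used for the install/update step.

$configPath = Join-Path $env:TEMP 'sysmon-tampering.xml'   # assumed file name

# Minimal schema 4.50 config. onmatch="exclude" with no child rules means
# "log every ProcessTampering event"; add <Image condition="..."> entries
# under ProcessTampering only for exclusions you have verified as benign.
@'
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessTampering onmatch="exclude" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $configPath -Encoding UTF8

# First-time install, or update the running configuration if already installed.
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & sysmon64.exe -c $configPath
} else {
    & sysmon64.exe -accepteula -i $configPath
}

# Review recent Event ID 25 (Process Tampering) entries. The XML view of each
# event carries EventData/Data elements keyed by Name, which we flatten.
function Get-SysmonProcessTampering {
    param([int]$MaxEvents = 50)

    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 25 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Image       = $data['Image']       # executable whose image was tampered with
                ProcessId   = $data['ProcessId']
                Type        = $data['Type']        # e.g. "Image is replaced" / "Image is locked for access"
                User        = $data['User']
            }
        }
}

Get-SysmonProcessTampering | Format-Table -AutoSize
```

In an investigation, the Type field tells you which variant Sysmon observed, and the Image value is what you pivot on: compare it with Event ID 1 (process creation) for the same ProcessId to see what was originally launched, and treat a system binary such as one under C:\Windows\System32 appearing here as a strong hollowing indicator rather than something to exclude.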
To learn more about Sysmon, visit the Sysinternals website and try out the various configuration options it offers.