
Detecting Advanced Process Tampering Tactics with Microsoft’s Sysmon 13

By Dan Piazza

Sysmon is an important tool within Microsoft’s Sysinternals Suite, a comprehensive set of utilities and tools used to monitor, manage, and troubleshoot the Windows operating system.

Per Microsoft’s own definition, Sysmon “provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.”

What is Process Hollowing and Herpaderping?

Sysmon is an invaluable tool for many security researchers and admins, and with the recently released version 13 Sysmon can now specifically monitor for two advanced malware tactics: Process Hollowing and Process Herpaderping.

Process Hollowing – A malware technique used to deallocate legitimate code within a legitimate Windows process, and then replace the deallocated code with malicious code. The malicious code is now running under the guise of a legitimate Windows process.

Process Herpaderping – A malware technique used to obscure a process’ intentions by modifying its contents on disk after the image has been mapped. When viewed, the on-disk file appears as the harmless, trusted process while malicious code runs in memory.

As an example of the damage these tactics can cause, let’s say process herpaderping was employed to execute Mimikatz under a web browser’s legitimate process (e.g., Google Chrome). Not only would it appear to the OS that Google Chrome is running, rather than Mimikatz, but the process would also have a valid Google signature. Thus, Mimikatz could be run by an attacker and remain completely undetected by security software that’s not specifically monitoring for herpaderping.

With the release of Sysmon 13, both hollowing and herpaderping attacks can be detected by Sysmon and logged to the Windows Event Viewer (as EventID 25, Process Tampering).

Sysmon capturing process tampering in the Windows Event Logs - Type: Image is locked for access

Process tampering, especially herpaderping, is a powerful approach used by modern malware to evade detection. As such, the importance of Sysmon now being able to detect such attacks cannot be overstated.

Configuring Sysmon 13 to Detect Process Hollowing and Herpaderping

The following steps cover a default installation of Sysmon, along with configuration of monitoring for hollowing and herpaderping. Configuration to monitor for process tampering can also be added to existing, customized Sysmon installations.

Download Sysmon, unzip its EXE (Sysmon.exe), and run the default installation in an elevated Command Prompt:

>> Sysmon.exe -i -accepteula

System Monitor v13.01 - System activity monitor
Copyright (C) 2014-2021 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

Sysmon installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon..
Sysmon started.

This default installation’s configuration includes monitoring and logging for the following:

  • Process create (with SHA1)
  • Process terminate
  • Driver loaded
  • File creation time changed
  • RawAccessRead
  • CreateRemoteThread
  • Sysmon service state changed

In Event Viewer we can now view Sysmon logs in: Application and Services Logs/Microsoft/Windows/Sysmon/Operational

Sysmon logs in Windows Event Logs

However, this default installation doesn’t include monitoring and logging for process tampering (EventID 25). So, we’ll need to update our Sysmon configuration.

Here’s a very basic Sysmon configuration XML that includes an event filter for process tampering:

<Sysmon schemaversion="4.50">
  <EventFiltering>
    <ProcessTampering onmatch="exclude">
    </ProcessTampering>
  </EventFiltering>
</Sysmon>

We’ll save this XML as “Sysmon.xml” and navigate to its directory in an elevated Command Prompt. Next, we’ll load the configuration with the following command:

>> sysmon.exe -c Sysmon.xml

System Monitor v13.01 - System activity monitor
Copyright (C) 2014-2021 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

Loading configuration file with schema version 4.50
Configuration file validated.
Configuration updated.
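The minimal configuration above logs every Event ID 25 with no other events. As an added example (not from the original post), the PowerShell script below writes a slightly fuller configuration that keeps process-create and driver-load logging, adds the process tampering rule, and applies it with the same -c switch; the ExampleVendor updater path is a placeholder for a binary you have verified to be a benign source of Event ID 25 in your own environment.

```powershell
# Added example: build a Sysmon 13 config with a ProcessTampering rule and apply it.
# Run from an elevated PowerShell prompt in the directory that contains Sysmon.exe.
$config = @'
<Sysmon schemaversion="4.50">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- onmatch="exclude" with an empty body means "log every event of this type" -->
    <ProcessCreate onmatch="exclude">
    </ProcessCreate>
    <DriverLoad onmatch="exclude">
    </DriverLoad>
    <!-- Log all hollowing / herpaderping (Event ID 25) except one vetted exception.
         PLACEHOLDER path: replace with a binary you have confirmed is benign noise,
         or remove the Image line entirely to log everything. -->
    <ProcessTampering onmatch="exclude">
      <Image condition="is">C:\Program Files\ExampleVendor\updater.exe</Image>
    </ProcessTampering>
  </EventFiltering>
</Sysmon>
'@

# Write the config next to Sysmon.exe so it can be version-controlled with the deployment.
$configPath = Join-Path (Get-Location) 'Sysmon-ProcessTampering.xml'
Set-Content -Path $configPath -Value $config -Encoding ASCII

# Apply to an already-installed Sysmon (-c). For a fresh install use: .\Sysmon.exe -i $configPath -accepteula
& .\Sysmon.exe -c $configPath
if ($LASTEXITCODE -ne 0) {
    Write-Error "Sysmon rejected the configuration (exit code $LASTEXITCODE); check the schema version against Sysmon.exe -? config"
}
```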

Example of Sysmon 13 Detecting Process Herpaderping

Now let’s test our configuration using jxy-s’ herpaderping technique (the ProcessHerpaderping tool used below). From our earlier example, let’s execute Mimikatz under the guise of Google Chrome’s process (chrome.exe).

WARNING: Attempting process herpaderping may render target processes inoperable. Please proceed with caution and always test security and malware techniques in secure sandbox environments.

From an elevated Command Prompt, we’ll run the following from the directory containing our compiled ProcessHerpaderping.exe:

>> ProcessHerpaderping.exe mimikatz.exe "\Program Files\Google\Chrome\Application\chrome.exe"
Process Herpaderping

As a result, we’ve successfully executed mimikatz.exe from within chrome.exe (a widely trusted process) and checking the chrome.exe process shows a valid Google signature. This is the especially scary part!

Mimikatz running as chrome.exe, as a result of Process Herpaderping

Had we actually had malicious intent in an environment we wanted to compromise, the result would have been a successful malware attack with the potential to remain undetected for quite some time. The payload can be anything, not just Mimikatz: TrickBot, Emotet, Ryuk, Mirai, or anything else bad actors want to execute in your network.

However, thanks to our Sysmon 13 configuration we immediately detected this malicious activity:

Sysmon detecting Mimikatz running as chrome.exe, as a result of Process Herpaderping, in the Windows Event Logs

This is extremely valuable information, which can be forwarded to admins and Security Information and Event Management (SIEM) solutions via Windows Event Forwarding (WEF).
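Before the events reach a SIEM, it helps to pull them locally and confirm which process image and tampering type Sysmon recorded. The following PowerShell function is an added example (not part of the original post) that queries the Sysmon Operational log for Event ID 25 and flattens each record’s EventData into an object; it assumes Sysmon 13 or later is installed with a ProcessTampering rule, and the field names (Image, Type, ProcessId, ProcessGuid) are those Sysmon writes for this event.

```powershell
# Added example: list recent Sysmon Event ID 25 (Process Tampering) detections.
function Get-SysmonProcessTampering {
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),  # look-back window
        [int]$MaxEvents = 500
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 25
        StartTime = $Since
    }
    # SilentlyContinue: Get-WinEvent throws when no events match, which is a normal result here.
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($evt in $events) {
        $xml = [xml]$evt.ToXml()
        # EventData is a list of <Data Name="...">value</Data> nodes; turn it into a lookup table.
        # GetAttribute is used instead of .Name to avoid clashing with the XmlElement .Name property.
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]@{
            TimeCreated = $evt.TimeCreated
            Computer    = $evt.MachineName
            ProcessId   = $data['ProcessId']
            ProcessGuid = $data['ProcessGuid']
            Image       = $data['Image']   # the on-disk image, e.g. chrome.exe in the post's test
            Type        = $data['Type']    # e.g. "Image is locked for access"
        }
    }
}

# Newest detections first; pipe to Export-Csv or a SIEM collector as needed.
Get-SysmonProcessTampering |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, Computer, ProcessId, Type, Image -AutoSize
```

Run it after the ProcessHerpaderping test above and the chrome.exe entry should appear with the Type shown in the post’s screenshot.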

Process hollowing has been around for years, although herpaderping is a relatively new technique. Both can be devastating if not detected and dealt with as soon as possible, so it’s important for organizations and security vendors to be aware of and know how to detect both of these forms of process tampering.

As a final note, Sysmon can be uninstalled with the following command (in case you only ran it for testing purposes):

>> Sysmon.exe -u

System Monitor v13.01 - System activity monitor
Copyright (C) 2014-2021 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

Stopping Sysmon.
Sysmon stopped.
Sysmon removed.
Stopping SysmonDrv.
SysmonDrv stopped.
SysmonDrv removed.
Removing service files.

© 2021 Stealthbits Technologies, Inc.

Start a Free Stealthbits Trial!

No risk. No obligation.

FREE TRIAL