Sysmon is an important tool within Microsoft’s Sysinternals Suite, a comprehensive set of utilities and tools used to monitor, manage, and troubleshoot the Windows operating system.
Per Microsoft’s own definition, Sysmon “provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.”
What is Process Hollowing and Herpaderping?
Sysmon is an invaluable tool for many security researchers and admins, and with the recently released version 13 Sysmon can now specifically monitor for two advanced malware tactics: Process Hollowing and Process Herpaderping.
Process Hollowing – A malware technique used to deallocate legitimate code within a legitimate Windows process, and then replace the deallocated code with malicious code. The malicious code is now running under the guise of a legitimate Windows process.
Process Herpaderping – A malware technique used to obscure a process’ intentions by modifying its contents on disk after the image has been mapped. When viewed, the on-disk file appears as the harmless, trusted process while malicious code runs in memory.
As an example of the damage these tactics can cause, let’s say process herpaderping was employed to execute Mimikatz under a web browser’s legitimate process (E.g., Google Chrome). Not only would it appear to the OS that Google Chrome is running, rather than Mimikatz, but the process would also have a valid Google signature. Thus, Mimikatz could be run by an attacker and remain completely undetected by security software that’s not specifically monitoring for herpaderping.
With the release of Sysmon 13, both hollowing and herpaderping attacks can be detected by Sysmon and logged to the Windows Event Viewer (as EventID 25, Process Tampering).
Process tampering, especially herpaderping, is a powerful approach used by modern malware to evade detection. As such, the importance of Sysmon now being able to detect such attacks cannot be understated.
Configuring Sysmon 13 to Detect Process Hollowing and Herpaderping
The following steps cover a default installation of Sysmon, along with configuration of monitoring for hollowing and herpaderping. Configuration to monitor for process tampering can also be added to existing, customized Sysmon installations.
Download Sysmon, unzip its EXE (Sysmon.exe), and run the default installation in an elevated Command Prompt:
>> Sysmon.exe -i -accepteula
System Monitor v13.01 - System activity monitor
Copyright (C) 2014-2021 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com
Sysmon installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon..
Sysmon started.
This default installation’s configuration includes monitoring and logging for the following:
- Process create (with SHA1)
- Process terminate
- Driver loaded
- File creation time changed
- RawAccessRead
- CreateRemoteThread
- Sysmon service state changed
In Event Viewer we can now view Sysmon logs in: Application and Services Logs/Microsoft/Windows/Sysmon/Operational
However, this default installation doesn’t include monitoring and logging for process tampering (EventID 25). So, we’ll need to update our Sysmon configuration.
Here’s a very basic Sysmon configuration XML that includes an event filter for process tampering:
<Sysmon schemaversion="4.50">
<EventFiltering>
<ProcessTampering onmatch="exclude">
</ProcessTampering>
</EventFiltering>
</Sysmon>
We’ll save this XML as “Sysmon.XML” and navigate to its directory in an elevated Command Prompt. Next, we’ll load the configuration with the following command:
>> sysmon.exe -c Sysmon.xml
System Monitor v13.01 - System activity monitor
Copyright (C) 2014-2021 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com
Loading configuration file with schema version 4.50
Configuration file validated.
Configuration updated.
Example of Sysmon 13 Detecting Process Herpaderping
Now let’s test our configuration using jxy-s’ herpaderping technique found here. From our earlier example, let’s execute Mimikatz under the guise of Google Chrome’s process (chrome.exe).
WARNING: Attempting process herpaderping may render target processes inoperable. Please proceed with caution and always test security and malware techniques in secure sandbox environments.
From an elevated Command Prompt, we’ll run the following from the directory containing our compiled ProcessHerpaderping.exe:
>> ProcessHerpaderping.exe mimikatz.exe "\Program Files\Google\Chrome\Application\chrome.exe"
As a result, we’ve successfully executed mimikatz.exe from within chrome.exe (a widely trusted process) and checking the chrome.exe process shows a valid Google signature. This is the especially scary part!
Had we actually had malicious intent in an environment we want to compromise, the result would have been a successful malware attack with the potential to remain undetected for quite some time. The payload can be anything, not just Mimikatz. TrickBot, Emotet, Ryuk, Mirai, etc. Anything bad actors want to execute in your network.
However, thanks to our Sysmon 13 configuration we immediately detected this malicious activity:
This is extremely valuable information, which can be forwarded to admins and Security Information and Event Management (SIEM) solutions via Windows Event Forwarding (WEF).
Process hollowing has been around for years, although herpaderping is a relatively new technique. Both can be devastating if not detected and dealt with as soon as possible, so it’s important for organizations and security vendors to be aware of and know how to detect both of these forms of process tampering.
As a final note, Sysmon can be uninstalled with the following command (in case you only ran it for testing purposes):
>> Sysmon.exe -u
System Monitor v13.01 - System activity monitor
Copyright (C) 2014-2021 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com
Stopping Sysmon.
Sysmon stopped.
Sysmon removed.
Stopping SysmonDrv.
SysmonDrv stopped.
SysmonDrv removed.
Removing service files.
About Stealthbits Technologies
IDENTIFY THREATS. SECURE DATA. REDUCE RISK.
Stealthbits Technologies, Inc. is a customer-driven cybersecurity software company focused on protecting an organization’s sensitive data and the credentials attackers use to steal that data. By removing inappropriate data access, enforcing security policy, and detecting advanced threats, our highly innovative and infinitely flexible platform delivers real protection that reduces security risk, fulfills compliance requirements, and decreases operational expense.
For more information, please visit stealthbits.com.
Dan Piazza is a Technical Product Manager at Stealthbits, now part of Netwrix, responsible for PAM, file systems auditing and sensitive data auditing solutions. He has worked in technical roles since 2013, with a passion for cybersecurity, data protection, automation, and code. Prior to his current role he worked as a Product Manager and Systems Engineer for a data storage software company, managing and implementing both software and hardware B2B solutions.
Related Posts
- Leveraging OpenSSH to Move Files in Windows Server 2019
- What Comes After the FireEye Attack
- Giving Back while Safeguarding Schools in the Age of COVID-19
- Malware’s Growth During the COVID-19 Pandemic
- PostgreSQL Server Security Primer
- What is an Insider Threat?
- Top Data Breaches of 2020
- What is Privacy by Design?
- Data Privacy Essentials: #1 – Don’t Put Your Data at Risk. #2 – Don’t Forget #1
- Data Privacy and Security are Two Sides of the Same Coin
Leave a Reply