Sysmon is an important tool within Microsoft’s Sysinternals Suite, a comprehensive set of utilities and tools used to monitor, manage, and troubleshoot the Windows operating system.
Per Microsoft’s own definition, Sysmon “provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.”
Sysmon is an invaluable tool for many security researchers and admins, and with the recently released version 13, Sysmon can now specifically monitor for two advanced malware tactics: Process Hollowing and Process Herpaderping.
Process Hollowing – A malware technique used to deallocate legitimate code within a legitimate Windows process, and then replace the deallocated code with malicious code. The malicious code is now running under the guise of a legitimate Windows process.
Process Herpaderping – A malware technique used to obscure a process’ intentions by modifying its contents on disk after the image has been mapped. When viewed, the on-disk file appears as the harmless, trusted process while malicious code runs in memory.
As an example of the damage these tactics can cause, let’s say process herpaderping was employed to execute Mimikatz under a web browser’s legitimate process (e.g., Google Chrome). Not only would it appear to the OS that Google Chrome is running, rather than Mimikatz, but the process would also have a valid Google signature. Thus, Mimikatz could be run by an attacker and remain completely undetected by security software that’s not specifically monitoring for herpaderping.
With the release of Sysmon 13, both hollowing and herpaderping attacks can be detected by Sysmon and logged to the Windows Event Viewer (as EventID 25, Process Tampering).
Process tampering, especially herpaderping, is a powerful approach used by modern malware to evade detection. As such, the importance of Sysmon now being able to detect such attacks cannot be overstated.
The following steps cover a default installation of Sysmon, along with configuration of monitoring for hollowing and herpaderping. Configuration to monitor for process tampering can also be added to existing, customized Sysmon installations.
Download Sysmon, unzip its EXE (Sysmon.exe), and run the default installation in an elevated Command Prompt:
>> Sysmon.exe -i -accepteula
System Monitor v13.01 - System activity monitor
Copyright (C) 2014-2021 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com
Sysmon installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon..
Sysmon started.
This default installation’s configuration includes monitoring and logging for the following:
In Event Viewer we can now view Sysmon logs in: Application and Services Logs/Microsoft/Windows/Sysmon/Operational
However, this default installation doesn’t include monitoring and logging for process tampering (EventID 25). So, we’ll need to update our Sysmon configuration.
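Here’s a very basic Sysmon configuration XML that includes an event filter for process tampering. Because the exclude filter contains no rules, nothing is excluded and every process tampering event is logged: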
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <ProcessTampering onmatch="exclude">
    </ProcessTampering>
  </EventFiltering>
</Sysmon>
We’ll save this XML as “Sysmon.XML” and navigate to its directory in an elevated Command Prompt. Next, we’ll load the configuration with the following command:
>> sysmon.exe -c Sysmon.xml
System Monitor v13.01 - System activity monitor
Copyright (C) 2014-2021 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com
Loading configuration file with schema version 4.50
Configuration file validated.
Configuration updated.
Now let’s test our configuration using jxy-s’ herpaderping technique found here. From our earlier example, let’s execute Mimikatz under the guise of Google Chrome’s process (chrome.exe).
WARNING: Attempting process herpaderping may render target processes inoperable. Please proceed with caution and always test security and malware techniques in secure sandbox environments.
From an elevated Command Prompt, we’ll run the following from the directory containing our compiled ProcessHerpaderping.exe:
>> ProcessHerpaderping.exe mimikatz.exe "\Program Files\Google\Chrome\Application\chrome.exe"
As a result, we’ve successfully executed mimikatz.exe from within chrome.exe (a widely trusted process) and checking the chrome.exe process shows a valid Google signature. This is the especially scary part!
Had we actually had malicious intent in an environment we want to compromise, the result would have been a successful malware attack with the potential to remain undetected for quite some time. The payload can be anything, not just Mimikatz. TrickBot, Emotet, Ryuk, Mirai, etc. Anything bad actors want to execute in your network.
However, thanks to our Sysmon 13 configuration we immediately detected this malicious activity:
This is extremely valuable information, which can be forwarded to admins and Security Information and Event Management (SIEM) solutions via Windows Event Forwarding (WEF).
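To show what a downstream consumer of these forwarded events can do with them, the following added example (not code from the original post or from Sysinternals) parses Event ID 25 records out of Windows event XML and ranks them for review. The sample events, host names, PIDs and the two Type strings are constructed assumptions.

```python
import xml.etree.ElementTree as ET

URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": URI}

def sample_event(event_id, host, fields):
    """Build one constructed <Event> in the Windows event XML layout."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{URI}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{host}</Computer></System>'
            f'<EventData>{data}</EventData></Event>')

# Constructed sample (not real telemetry). Hosts, PIDs and times are invented;
# the Type strings are assumed values of Sysmon's ProcessTampering "Type" field.
SAMPLE = "<Events>" + "".join([
    sample_event(25, "WS01", {
        "UtcTime": "2021-01-20 15:02:11.123", "ProcessId": "4312",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "Type": "Image is replaced"}),
    sample_event(1, "WS01", {
        "UtcTime": "2021-01-20 15:02:10.900", "ProcessId": "5120",
        "Image": r"C:\Windows\System32\cmd.exe"}),
    sample_event(25, "WS02", {
        "UtcTime": "2021-01-20 15:07:43.010", "ProcessId": "988",
        "Image": r"C:\Tools\updater.exe",
        "Type": "Image is locked for access"}),
]) + "</Events>"

def parse_tampering(xml_text):
    """Return one dict of EventData fields per EventID 25 record."""
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "25":
            continue  # ignore every other Sysmon event type
        rec = {d.get("Name"): d.text or "" for d in ev.findall("e:EventData/e:Data", NS)}
        rec["Computer"] = ev.findtext("e:System/e:Computer", namespaces=NS)
        records.append(rec)
    return records

def triage(records):
    """Rank records; a trusted image path never lowers severity, because
    tampering hides behind trusted images such as chrome.exe."""
    ranked = []
    for r in records:
        severity = "high" if r.get("Type") == "Image is replaced" else "review"
        ranked.append((severity, r["Computer"], r.get("ProcessId", ""), r.get("Image", "")))
    return sorted(ranked)

if __name__ == "__main__":
    for row in triage(parse_tampering(SAMPLE)):
        print(*row, sep=" | ")
```

The ranking deliberately ignores whether the image path or signer looks trustworthy, since the point of the technique described above is that the on-disk file and its signature appear legitimate.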
Process hollowing has been around for years, although herpaderping is a relatively new technique. Both can be devastating if not detected and dealt with as soon as possible, so it’s important for organizations and security vendors to be aware of and know how to detect both of these forms of process tampering.
As a final note, Sysmon can be uninstalled with the following command (in case you only ran it for testing purposes):
>> Sysmon.exe -u
System Monitor v13.01 - System activity monitor
Copyright (C) 2014-2021 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com
Stopping Sysmon.
Sysmon stopped.
Sysmon removed.
Stopping SysmonDrv.
SysmonDrv stopped.
SysmonDrv removed.
Removing service files.
Dan Piazza is a Technical Product Manager at Stealthbits, now part of Netwrix, responsible for PAM, file systems auditing and sensitive data auditing solutions. He has worked in technical roles since 2013, with a passion for cybersecurity, data protection, automation, and code. Prior to his current role he worked as a Product Manager and Systems Engineer for a data storage software company, managing and implementing both software and hardware B2B solutions.