Microsoft Rolled Out Sysmon v13 to Detect Malware in Legitimate Process

Sysmon, a tool used for detecting the tampered processes in Windows machines now gains support for spotting the Process Hollowing and Process Herpadering. Adding this to a configuration file means, it can then detect any malware that tampered with the legitimate process, or replaced it completely.

Microsoft Sysmon 13 Released

Sysmon (or system monitor) is a monitoring service in Windows that helps users to detect the malware processes happening in the system. These alterations if two types – Process Hollowing and Process Herpadering.

Microsoft Rolled Out Sysmon v13 to Detect Malware

The former one is about exploiting legitimate software by replacing their code with malicious ones and executing them as general. And the latter one is about completely replacing the image of a legitimate software (process) with the malicious one. All these are done to evade detection since general antivirus software skips legitimate processes in their scans.

Malicious processes using either of these techniques will be running in the background, like in Task Manager, thus aren’t bothered much by users. Few threat actors using such techniques are TrickBot, Mailto/defray777 ransomware group, and Bazar loader.

So, using tools like Sysmon helps users to learn about any alterations made to the legitimate processes. Sysmon monitors and logs all the events data like when the process was launched and what all it’s doing in specific timestamps to a file, that is readable.

Enabling this new update is simple, as all you need to do is adding a ‘ProcessTampering’ configuration option to a configuration file. All the logs can then be viewed by typing “sysmon -s” command since it’s added to the Sysmon 4.50 schema.

If you’re not having a configuration file to setup, try this, as noted by BleepingComputer;

<Sysmon schemaversion="4.50">
    <RuleGroup name="" groupRelation="or">
      <ProcessTampering onmatch="exclude">

Now, you should be directing the Sysmon to use the above configuration file. For this, execute “sysmon -i” command along with the configuration file’s name. Taking
sysmon.conf” as an example file, here’s how it should go;

sysmon -i sysmon.conf

That’s it. Sysmon will then install its driver and start collecting the data in the background. All the events will be stored in Applications and Services Logs/Microsoft/Windows/Sysmon/Operational in the Event Viewer.

Leave a Comment