Sysmon will log EventID 25 when a process original image is replaced in memory or on disk. This covers the technique of [Process Hollowing] (https://attack.mitre.org/techniques/T1055/012/), this is when a process is launched, then suspended and the memory for the image is unmapped and realigned to another image injected in to memory and then resumed to execute the injected image. [Process Herpaderping] (https://jxy-s.github.io/herpaderping/) is another technique that is caught by this event type, this technique works by modifying the content on disk after the image has been mapped. This capability was added in version 13.0 of Sysmon with schema 4.50.
The fields for the event are:
-
ProcessGuid -- Unique process GUID generated by Sysmon.
-
ProcessId -- Process ID represented as an integer number.
-
Image -- Full path of the executable image that was tampered with.
-
Type -- Type of process tampering (Image is locked for access, Image is replaced)
There are several programs like browsers and code development programs that trigger this event type. Since an attacker can select any process as their target it is recommended to capture all events and create an exclusion list of known programs. There is a risk that attacker will select this program for their actions but it limits greatly their capability by narrowly directing them to programs that can then be monitor for other behaviors to detect abuse on the.
Example:
Sysmon schemaversion="4.50">
<EventFiltering>
<RuleGroup name="" groupRelation="or">
<ProcessTampering onmatch="exclude">
</ProcessTampering>
</RuleGroup>
</EventFiltering>
</Sysmon>
Collect events and build a exclusion list like:
RuleGroup name=“” groupRelation=“or”>
<ProcessTampering onmatch=“exclude”>
<Image condition=“is”>C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe</Image>
<Image condition=“is”>C:\Program Files\Mozilla Firefox\firefox.exe</Image>
<Image condition=“is”>C:\Program Files\Mozilla Firefox\updater.exe</Image>
<Image condition=“is”>C:\Program Files\Mozilla Firefox\default-browser-agent.exe</Image>
<Image condition=“is”>C:\Program Files\Mozilla Firefox\pingsender.exe</Image>
<Image condition=“is”>C:\Program Files\Microsoft VS Code\Code.exe</Image>
<Image condition=“is”>C:\Program Files\Git\cmd\git.exe</Image>
<Image condition=“is”>C:\Program Files\Git\mingw64\bin\git.exe</Image>
<Image condition=“contains”>\software_reporter_tool.exe</Image>
<Image condition=“contains”>unknown process</Image>
</ProcessTampering>
</RuleGroup>Seems like Electron based apps like Slack, Mattermost and others also create false positives. Another thing to be awarded of that not all process hollowing techniques are detected. Some variations based on the original technique by changing some API calls and amount of the image altered are not detected. This is a perfect example as to why it is important to have additional detection controls for other action and have a layered approach to detection.