Sysmon 13, the new version of Microsoft's Sysmon utility, can detect malicious code that uses process tampering techniques to evade security solutions.
Microsoft has released another version of its Sysmon 13 utility with a new security feature that detects tampering with Windows processes using the process hollowing and process herpaderping methods.
To evade detection by security solutions, cyber criminals often inject their malicious code into legitimate Windows processes. The malware runs, yet Task Manager shows only legitimate Windows processes running in the background.
To tamper with Windows processes, malware uses the process hollowing and process herpaderping methods. In process hollowing, the malware starts a legitimate process in a suspended state and replaces that process's legitimate code with malicious code. The malicious code then executes inside the process, with the same privileges as that process.
Process herpaderping is somewhat more complex than process hollowing. The malware modifies its on-disk image to impersonate legitimate software, so when an antivirus solution scans the file on disk it finds nothing dangerous, while the malicious code runs in memory.
Many malware families use tampering techniques to evade detection by security solutions, including the Mailto/defray777 ransomware, TrickBot and BazarBackdoor.
Sysmon (System Monitor) is a Sysinternals tool that monitors a system for malicious activity and records it in the Windows event log. The new version adds a feature that detects tampering with Windows processes.
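As an added example (not code from the article or from Sysinternals), the following Python triage script reads Sysmon events exported as XML and keeps only Event ID 25, the ProcessTampering event that Sysmon 13 introduced, grouping them by image and tampering type; the sample records, paths, process IDs and the `parse_tampering_events`/`summarize` function names are constructed for this illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace of Windows event XML (the form Get-WinEvent's .ToXml() emits).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PROCESS_TAMPERING = "25"  # Sysmon 13 Event ID for process tampering

# Constructed sample: two Event ID 25 records plus one Event ID 1 (process
# creation) that must be ignored. Paths, GUIDs and PIDs are made up.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>25</EventID></System>
 <EventData>
  <Data Name="ProcessId">4321</Data>
  <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
  <Data Name="Type">Image is replaced</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
 <EventData><Data Name="Image">C:\Windows\explorer.exe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>25</EventID></System>
 <EventData>
  <Data Name="ProcessId">5678</Data>
  <Data Name="Image">C:\Users\Public\notepad.exe</Data>
  <Data Name="Type">Image is locked for access</Data>
 </EventData>
</Event>
</Events>"""


def parse_tampering_events(xml_text: str) -> list[dict]:
    """Return the EventData fields of every Sysmon Event ID 25 in the export."""
    root = ET.fromstring(xml_text)
    found = []
    for event in root.findall("e:Event", NS):
        if event.findtext("e:System/e:EventID", namespaces=NS) != PROCESS_TAMPERING:
            continue  # other Sysmon events (process create, network, ...) are skipped
        data = event.findall("e:EventData/e:Data", NS)
        found.append({d.get("Name"): (d.text or "") for d in data})
    return found


def summarize(records: list[dict]) -> Counter:
    """Count tampering events per (Image, Type) so a triage view can be sorted."""
    return Counter((r.get("Image", ""), r.get("Type", "")) for r in records)


if __name__ == "__main__":
    for (image, kind), n in summarize(parse_tampering_events(SAMPLE_EVENTS)).most_common():
        print(f"{n:3d}  {kind:28s} {image}")
```

On a host with Sysmon 13 and a configuration that includes a ProcessTampering rule group, the same XML shape can be obtained from the Microsoft-Windows-Sysmon/Operational log and fed to the parser.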