|
| 1 | +Process Tampering |
| 2 | +----------------- |
| 3 | + |
| 4 | +Sysmon will log **EventID 25** when a process original image is replaced in memory or on disk. This covers the technique of [Process Hollowing](https://attack.mitre.org/techniques/T1055/012/), this is when a process is launched, then suspended and the memory for the image is unmapped and realigned to another image injected in to memory and then resumed to execute the injected image. [Process Herpaderping](https://jxy-s.github.io/herpaderping/) is another technique that is caught by this event type, this technique works by modifying the content on disk after the image has been mapped. This capability was added in version 13.0 of Sysmon with schema 4.50. |
| 5 | + |
| 6 | +The fields for the event are: |
| 7 | + |
| 8 | +* **ProcessGuid** -- Unique process GUID generated by Sysmon. |
| 9 | + |
| 10 | +* **ProcessId** -- Process ID represented as a integer number. |
| 11 | + |
| 12 | +* **Image** -- Full path of the executable image that was tampered with. |
| 13 | + |
| 14 | +* **Type** -- Type of process tampering (Image is locked for access, Image is replaced) |
| 15 | + |
| 16 | +There are several programs like browsers and code development programs that trigger this event type. Since a attacker can select any process as their target it is reocmended to capture all events and create a exclusion list of known programs. There is a risk that attacker will select this programs for their actions but it limits greatly their capability by norrowly directing them to programs that can then be monitor for other behaviours to detect abuse on the. |
| 17 | + |
| 18 | +Example: |
| 19 | + |
| 20 | +```xml |
| 21 | +Sysmon schemaversion="4.50"> |
| 22 | + <EventFiltering> |
| 23 | + <RuleGroup name="" groupRelation="or"> |
| 24 | + <ProcessTampering onmatch="exclude"> |
| 25 | + </ProcessTampering> |
| 26 | + </RuleGroup> |
| 27 | + </EventFiltering> |
| 28 | +</Sysmon> |
| 29 | + |
| 30 | +``` |
| 31 | + |
| 32 | +Collect events and build a exclusion list like: |
| 33 | + |
| 34 | +```xml |
| 35 | +RuleGroup name=“” groupRelation=“or”> |
| 36 | + <ProcessTampering onmatch=“exclude”> |
| 37 | + <Image condition=“is”>C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe</Image> |
| 38 | + <Image condition=“is”>C:\Program Files\Mozilla Firefox\firefox.exe</Image> |
| 39 | + <Image condition=“is”>C:\Program Files\Mozilla Firefox\updater.exe</Image> |
| 40 | + <Image condition=“is”>C:\Program Files\Mozilla Firefox\default-browser-agent.exe</Image> |
| 41 | + <Image condition=“is”>C:\Program Files\Mozilla Firefox\pingsender.exe</Image> |
| 42 | + <Image condition=“is”>C:\Program Files\Microsoft VS Code\Code.exe</Image> |
| 43 | + <Image condition=“is”>C:\Program Files\Git\cmd\git.exe</Image> |
| 44 | + <Image condition=“is”>C:\Program Files\Git\mingw64\bin\git.exe</Image> |
| 45 | + <Image condition=“contains”>\software_reporter_tool.exe</Image> |
| 46 | + <Image condition=“contains”>unknown process</Image> |
| 47 | + </ProcessTampering> |
| 48 | +</RuleGroup> |
| 49 | +``` |
| 50 | + |
| 51 | +Seems like Electron based apps like Slack, Mattermost and others also create false positives. |
| 52 | + |
0 commit comments