Advanced process tampering techniques: What are they and how do you detect them?

In System Monitor (Sysmon) version 13, Windows introduced the ability to detect advanced process tampering techniques such as process herpaderping and process hollowing.

Process hollowing

This is a process injection technique where a malicious code is executed within the context of a legitimate process in order to evade defense setups like IDS/IPS systems, firewalls, etc. A threat actor performs this technique by hollowing out an executable thread of a trusted process and replaces this with a malicious binary of their own. The kicker here is that the tampered process still points to a legitimate executable pathway. Process hollowing is conducted to achieve the tactical goals of Privilege Escalation and Defense Evasion.

Process herpaderping

Process Herpaderping is a relatively newly identified technique that works towards the goal of evading defenses. When a new process is created, antivirus solutions register a callback in the Windows kernel. At this point, a security product will investigate the file that was used to map the executable and conclude if execution of the process can continue. Note that this kernel callback is invoked when the initial thread is inserted, not when the process object is created. This creates a window of opportunity for the threat actor to first create the process, modify the contents, and then create the initial thread.

For example a hacker might run a Rubeus program in the space of a legitimate Firefox process. If security solutions scan processes before the creation of the initial thread, they would fail to identify the modification in the process. Sysmon 13 aims to call this herpaderping to attention through the introduction of Event ID 25.

Here's a breakdown of the steps that will lead to the generation of Event ID 25. You can use the following steps to generate the event to test if it reflects in your system.

1. A process is created in the target application using CreateProcessW (c:\windows\system32\cmd.exe).
2. Create a replacement executable using CreateFileW (c:\Windows\System32\svchost.exe).
3. Check the size of replacement executable using GetFileSize.
4. Allocate memory for the replacement executable using VirtualAlloc.
5. Read the executable file from disk using ReadFile.
6. Unmap the executable using NtUnmapViewOfSection.
7. Write the replacement executable into target application using NtWriteVirtualMemory in the native API.
8. Write the new address of the executable in the Process Environment Block and set the eax register of the primary thread to the entry point of the replacement executable.
9. Resume the thread using NtResumeThread.

The new executable then runs in the address space of the target process and waits for the target process to terminate. This will lead to the generation of Event ID 25, the description for which reads as "Image is replaced."

If you view this in the Event Viewer, these are the fields that pop up so you can dive into the forensics of it.

Stay tuned for more Sysmon Event ID updates that can help you detect more techniques hackers use to compromise your network.

Fig 1: Log360 detection of Process Tampering with Sysmon Event ID 25