fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft Sysmon Now Detects Malware Process Tampering Attempts

Microsoft Sysmon Now Detects Malware Process Tampering Attempts

Microsoft has released Sysmon 13 with a new security feature that detects if a process has been tampered using process hollowing or process herpaderping techniques.

To evade detection by security software, threat actors inject malicious code into a legitimate Windows process. This tactic allows the malware to execute, but in Task Manager, it appears as a standard Windows process running in the background.

Process hollowing is when malware launches a legitimate process in a suspended state and replaces legitimate code in the process with malicious code. This malicious code is then executed by the process, with whatever permissions are assigned to the process.

Process herpaderping is a more advanced technique where malware modifies its image on the disk to look like legitimate software after the malware is loaded. When security software scans the on-disk file, it will see a harmless file while the malicious code runs in memory.

Numerous malware infections use process tampering techniques to evade detection, including the Mailto/defray777 ransomwareTrickBot, and BazarBackdoor.

Also Read: Website Ownership Laws: Your Rights And What These Protect

Enabling process tampering in Sysmon v13

To enable the process tampering detection feature, administrators need to add the ‘ProcessTampering’ configuration option to a configuration file. Sysmon will just monitor basic events such as process creation and file time changes without a configuration file.

This new directive has been added to the Sysmon 4.50 schema, which can be viewed by running the sysmon -s command.

For a very basic setup that will enable process tampering detection, you can use the configuration file below:


<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessTampering onmatch="exclude">
      </ProcessTampering>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

To start Sysmon and direct it to use the above configuration file, you would execute the sysmon -i and pass the configuration file’s name. In our example, the configuration file’s name is sysmon.conf, so we would use the following command.

sysmon -i sysmon.conf

Once started, Sysmon will install its driver and begin collecting data quietly in the background.

All Sysmon events will be logged to ‘Applications and Services Logs/Microsoft/Windows/Sysmon/Operational‘ in the Event Viewer.

With the ProcessTampering feature enabled, when process hollowing or process herpaderping is detected, Sysmon will generate an ‘Event 25 – Process Tampering’ entry in Event Viewer. For example, when testing this feature using this process hollowing test, you can see in the event below that svchost.exe was affected.

Event 25 - Process Tampering
Event 25 – Process Tampering

BleepingComputer noticed frequent detections for harmless executables related to Chrome, Opera, Firefox, Fiddler, Microsoft Edge, and various Setup programs when testing this feature.

Chrome process tampering false positive
Chrome process tampering false positive

Unfortunately, other tests conducted by BleepingComputer using the latest TrickBot and BazarLoader could not trigger events.

Learn more about Sysmon

For those who want to learn more about Sysmon, it is strongly recommended that you read the documentation on Sysinternals’ site and play around with the various configuration options.

There is no better way to learn how to use this program then by creating configuration files and see what events are written to the event log.

Users can obtain more information about the various directives used in Sysmon by entering the sysmon.exe -s all command.

Also Read: Best Privacy Certification: 3 Simple Steps On How To Achieve

If you want to use a premade Sysmon config file designed to monitor malicious traffic and threats, you can use SwiftOnSecurity’s Sysmon configuration file.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us