Process Tampering Monitoring
uberAgent ESA detects several malicious attack techniques such as Process Herpaderping and Process Hollowing. We name these attack techniques Process Tampering events.
uberAgent ESA Process Tampering Monitoring is enabled or disabled through a configuration option. The related configuration Stanza is
Configure the setting
EnableProcessTampering = false to disable process tampering monitoring.
By default, this option is enabled (requires ESA enabled, too).
Detecting Process Tampering Events
The following example detects any Process Tampering event and forwards it to your backend, once triggered.
# Detects any Process Tampering action
RuleName = Detects any Process Tampering action
EventType = Process.TamperingEvent
Tag = process-tampering
RiskScore = 75
Query = true
This example rule forwards any tampering event. You may filter this with more advanced conditions using Common Event Properties.
Introduction to Process Tampering
While there are a couple of different techniques the outcome is most likely the same. A malicious process is running in the context of a non-malicious process and tries to hide malicious actions in the context of this good process. There are many good resources available that explain these techniques in detail. To get you a short summary please refer to the notes below.
What is Process Hollowing?
A process is launched in a suspended state and executable code is unmapped and replaced with malicious code and resumed.
What is Process Herpaderping?
This technique requires replacing an executable binary with a malicious file and launching it. Then, the original file is restored and the malicious executable pretends to be the original one.