Skip to main content

Process Tampering Monitoring

uberAgent ESA detects several malicious attack techniques such as Process Herpaderping and Process Hollowing. We name these attack techniques Process Tampering events.

Configuration

uberAgent ESA Process Tampering Monitoring is enabled or disabled through a configuration option. The related configuration Stanza is [ProcessStartupSettings].

Configure the setting EnableProcessTampering = false to disable process tampering monitoring.

By default, this option is enabled (requires ESA enabled, too).

Detecting Process Tampering Events

Any process tampering action is queryable with uAQL and its Activity Monitoring Engine rules.

Example Rule

The following example detects any Process Tampering event and forwards it to your backend, once triggered.


[ActivityMonitoringRule]
# Detects any Process Tampering action
RuleName = Detects any Process Tampering action
EventType = Process.TamperingEvent
Tag = process-tampering
RiskScore = 75
Query = true

This example rule forwards any tampering event. You may filter this with more advanced conditions using Common Event Properties.

Introduction to Process Tampering

While there are a couple of different techniques the outcome is most likely the same. A malicious process is running in the context of a non-malicious process and tries to hide malicious actions in the context of this good process. There are many good resources available that explain these techniques in detail. To get you a short summary please refer to the notes below.

What is Process Hollowing?

A process is launched in a suspended state and executable code is unmapped and replaced with malicious code and resumed.

What is Process Herpaderping?

This technique requires replacing an executable binary with a malicious file and launching it. Then, the original file is restored and the malicious executable pretends to be the original one.

Comments

Your email address will not be published. Required fields are marked *