This new version of Sysmon adds a new detective capability to your detection arsenal. It introduces EventID 25, ProcessTampering. This event covers manipulating the initial image/process to be something different than the process it was launched with. However, it is not intended to be a catch-all event for all kinds of tampering events. EventID 25 is specifically tailored towards attacks like process hollowing or the whimsically named process ‘herpaderping’.

The configuration schema has been bumped to 4.50 to provide for the new EventID.

To some extent replacing the initiated image is common behavior, for instance for some system processes. So building a proper baseline will be key here to filter some known noise but not cause blind spots for yourself. …


Olaf Hartong

FalconForce | DFIR | Threat hunter | Data Dweller | Splunk | Sysmon | Microsoft MVP

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store