
Microsoft Sysmon 13 Brings Ability to Detect Process Herpaderping

As well as now detecting Process Herpaderping, Microsoft Sysmon in Sysinternals can also detect Process Hollowing.


Sysmon users are getting a new update this week as part of a wider release for the Sysinternals suite. Specifically, the utility is gaining the ability to detect Process Hollowing and Process Herpaderping attacks.

If you're unfamiliar with Sysinternals, it is a suite of applications for admins that allows them to debug Windows machines. Furthermore, users can tap into the tool to find and investigate malware attacks.

Microsoft Sysmon (System Monitor) is one of the tools in Sysinternals, alongside more than 160 other applications. It is perhaps the most popular app in the suite, and it logs system-level events on a Windows computer.

These events are logged within the regular Windows event log. For example, it can log network connections, changes to files, and new processes. Many security teams use Sysmon as part of their threat mitigation arsenal, so adding two new abilities is a major update.

Specifically, Sysmon can now detect two process attacks (Hollowing and Herpaderping) that are designed to avoid detection.

Now Available

The new detections are part of Microsoft Sysmon 13.00. When a Hollowing or Herpaderping attack is found, the tool now logs it. Both process attacks are filed under “EventID 25” in the system log.

Process Herpaderping is a new technique whose goal is to evade detection. It obscures the true intentions of a process by modifying the file's content on disk after the image has been mapped.
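As an added example (not code from the article or from Sysinternals), this is how a defender would pull Event ID 25 out of the Sysmon log with PowerShell and read its fields. The log name and the Event 25 field names (Image, ProcessId, ProcessGuid, Type, User, UtcTime) follow Sysmon's own event schema; the embedded sample event is constructed so the parser can be exercised offline.

```powershell
# Extract the fields a defender cares about from a Sysmon Event ID 25
# (ProcessTampering) event, given the event's XML. Field names follow
# Sysmon's schema: Image, ProcessId, ProcessGuid, Type, User, UtcTime.
function ConvertFrom-SysmonTamperEvent {
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        UtcTime     = $data['UtcTime']
        ProcessId   = [int]$data['ProcessId']
        ProcessGuid = $data['ProcessGuid']
        Image       = $data['Image']
        # Sysmon reports "Image is locked for access" (herpaderping)
        # or "Image is replaced" (hollowing) in the Type field.
        Type        = $data['Type']
        User        = $data['User']
    }
}

# Query the live Sysmon operational log for Event ID 25. Requires Sysmon 13+
# with ProcessTampering enabled in its config, and rights to read the log.
function Get-SysmonTamperEvents {
    param([int]$MaxEvents = 100)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 25
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonTamperEvent ([xml]$_.ToXml()) }
}

# Constructed sample event (not a real capture) for offline testing of the parser.
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>25</EventID></System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2021-01-12 10:15:30.123</Data>
    <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">C:\Users\Example\AppData\Local\Temp\sample.exe</Data>
    <Data Name="Type">Image is locked for access</Data>
    <Data Name="User">DESKTOP\Example</Data>
  </EventData>
</Event>
'@
ConvertFrom-SysmonTamperEvent $sample | Format-List

# On a live host: which images triggered tampering events, and of which kind.
Get-SysmonTamperEvents | Group-Object Image, Type |
    Sort-Object Count -Descending | Select-Object Count, Name
```

Event ID 25 only appears if the Sysmon configuration has a ProcessTampering rule; with no rule for that event type Sysmon records nothing and the query returns empty.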

In a tweet last November, Microsoft's Mark Russinovich previewed both Sysmon logs with the EventID 25 warning. That tweet was a teaser; Microsoft is now rolling the capability out in Sysmon 13.00 within Sysinternals.


Luke Jones