Post AbPESGOGfdhz71XQNU by benmontour@infosec.exchange
Post #AbPE8YAsq8uYTdsTrM by mttaggart@infosec.town
       2023-11-02T19:36:42.184Z
       
       0 likes, 0 repeats
       
Does anyone know if there's a good writeup about the internals of Sysmon Event 25? I'd like to know more about how it determines "process tampering."
       
Post #AbPESGOGfdhz71XQNU by benmontour@infosec.exchange
       2023-11-02T19:39:36Z
       
1 like, 0 repeats
       
       @mttaggart I'd love to see that too. All I've seen is that it was initially designed to help catch something like Process Herpaderping (https://jxy-s.github.io/herpaderping/). As to the details of how it's doing that, a good question indeed.
       
Post #AbPEU2nECF2BWI3uYS by mttaggart@infosec.town
       2023-11-02T19:40:35.417Z
       
       0 likes, 0 repeats
       
       @benmontour@infosec.exchange Yeah like, it can't be every WriteProcessMemory, so what's up?
       
Post #AbPEfRNT8FW4x8Rp3o by mttaggart@infosec.town
       2023-11-02T19:42:39.096Z
       
       0 likes, 0 repeats
       
       @benmontour@infosec.exchange Got it! https://rootdse.org/posts/understanding-sysmon-events/
       
Post #AbPElTAHOrBsEX9ZQW by mttaggart@infosec.town
       2023-11-02T19:43:44.384Z
       
       0 likes, 0 repeats
       
       @benmontour@infosec.exchange So maybe the 1-2 punch of NtUnmapViewOfSection and NtWriteVirtualMemory?
       
Post #AbPFb7UXE3xu4bFxY0 by benmontour@infosec.exchange
       2023-11-02T19:49:06Z
       
1 like, 0 repeats
       
       @mttaggart That would make sense given the listed step there. I don't know what else you'd be able to trigger on that wouldn't flood with false positives constantly.