Event ID 25 — ProcessTampering (Process image change)

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Level: Informational
Collection Priority: Recommended (Palantir, others)
Task: Process Tampering (rule: ProcessTampering)
Opcode: Info

Description

This event is generated when Sysmon detects a process-hiding technique being applied to a process image.

Message

Process Tampering:
RuleName: %1
UtcTime: %2
ProcessGuid: %3
ProcessId: %4
Image: %5
Type: %6
User: %7

Fields

Name          Type           Description
RuleName      UnicodeString  string
UtcTime       UnicodeString  string
ProcessGuid   GUID           GUID
ProcessId     UInt32         PID
Image         UnicodeString  string
Type          UnicodeString  string
User          UnicodeString  string

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 25,
    "version": 5,
    "level": 4,
    "task": 25,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T02:03:39.070256+00:00",
    "event_record_id": 1436931,
    "correlation": {},
    "execution": {
      "process_id": 7064,
      "thread_id": 9788
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2023-11-06 02:03:39.059",
    "ProcessGuid": "E56ADA26-497A-6548-2A0B-000000000D00",
    "ProcessId": 18308,
    "Image": "C:\\Program Files\\Avira\\Endpoint Protection SDK\\wsc_agent.exe",
    "Type": "Image is locked for access",
    "User": "NT AUTHORITY\\SYSTEM"
  },
  "message": ""
}
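An added triage example (not part of the original page or of Sysmon itself): it reads a constructed JSON log shaped like the example event above, keeps only Event ID 25 records, and joins each one to its Event ID 1 (ProcessCreate) record on ProcessGuid so the analyst sees the command line and parent of the tampered process. The Event ID 1 and Event ID 3 records and their field values are constructed for the example.

```python
import json

# Constructed sample log (not real telemetry), shaped like the example event above:
# the Event ID 1 (ProcessCreate) and Event ID 25 (ProcessTampering) records for one
# ProcessGuid, plus an Event ID 3 record that the triage must ignore.
GUID = "E56ADA26-497A-6548-2A0B-000000000D00"
IMAGE = "C:\\Program Files\\Avira\\Endpoint Protection SDK\\wsc_agent.exe"
SAMPLE_LOG = json.dumps([
    {"system": {"event_id": 1, "computer": "WinDev2310Eval"},
     "event_data": {"ProcessGuid": GUID, "ProcessId": 18308, "Image": IMAGE,
                    "CommandLine": f'"{IMAGE}"',
                    "ParentImage": "C:\\Windows\\System32\\services.exe"}},
    {"system": {"event_id": 25, "computer": "WinDev2310Eval"},
     "event_data": {"RuleName": "-", "UtcTime": "2023-11-06 02:03:39.059",
                    "ProcessGuid": GUID, "ProcessId": 18308, "Image": IMAGE,
                    "Type": "Image is locked for access", "User": "NT AUTHORITY\\SYSTEM"}},
    {"system": {"event_id": 3, "computer": "WinDev2310Eval"},
     "event_data": {"ProcessGuid": GUID, "Image": IMAGE}},
])

PROCESS_CREATE, PROCESS_TAMPERING = 1, 25


def index_process_creates(events: list) -> dict:
    """Map ProcessGuid -> Event ID 1 event_data so Event 25 records can be enriched."""
    return {e["event_data"]["ProcessGuid"]: e["event_data"]
            for e in events if e["system"]["event_id"] == PROCESS_CREATE}


def triage_tampering(log_json: str) -> list:
    """One triage record per Event ID 25, joined to its ProcessCreate on ProcessGuid."""
    events = json.loads(log_json)
    creates = index_process_creates(events)
    findings = []
    for e in events:
        if e["system"]["event_id"] != PROCESS_TAMPERING:
            continue  # other Sysmon events (1, 3, ...) are only used for enrichment
        d, sys_ = e["event_data"], e["system"]
        origin = creates.get(d["ProcessGuid"], {})  # empty if no Event 1 was captured
        findings.append({
            "host": sys_.get("computer"),
            "utc_time": d["UtcTime"],
            "process_guid": d["ProcessGuid"],
            "pid": d["ProcessId"],
            "image": d["Image"],
            "type": d["Type"],  # e.g. "Image is locked for access", as in the example
            "user": d["User"],
            "command_line": origin.get("CommandLine", ""),
            "parent_image": origin.get("ParentImage", ""),
        })
    return findings
```

A missing Event ID 1 leaves the enrichment fields empty rather than dropping the finding, so a tampering event is never hidden by a gap in process-creation logging.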

Community Notes

Process tampering: detects process herpaderping.
