Cyences App for Splunk 1.1.0 with Sysmon 13.0

We’ve recently added Sysmon 13 support to our Cyences App in order to detect some of the latest malware/ransomware techniques [Mailto/defray777 ransomware, TrickBot, and BazarBackdoor].

Sysmon 13 lets us monitor the activity of Windows 10 processes and can now detect process hollowing or process herpaderping techniques which would normally not be visible in Task Manager.

Process hollowing is when malware launches a legitimate process in a suspended state and replaces legitimate code in the process with malicious code. This malicious code is then executed by the process with whatever permissions are assigned to the process.

Process herpaderping is where malware modifies its image on the disk to look like legitimate software after the malware is loaded. When security software scans the on-disk file, it will see a harmless file while the malicious code runs in memory.

Below is one of the sample events from Windows Win-Event-Viewer: 

This new alert will detect malicious activities and communicate their presence through Splunk, providing helpful dashboards to create a forensic report of the incident.


Download App from Splunkbase

Read the App’s Documentation
(App Installation/Configuration and Sysmon data collection guide)

Download Sysmon 13


Written by Usama Houlila.

Any questions, comments, or feedback are appreciated! Leave a comment or send me an email to [email protected] for any questions you might have.

Sign Up Now!

For exclusive news, information, and Events!

By submitting this form, you are consenting to receive marketing emails from: CrossRealms International. You can revoke your consent to receive emails at any time by using the SafeUnsubscribe® link, found at the bottom of every email. Emails are serviced by Constant Contact