Microsoft has released Sysmon 13 with a new security feature that detects whether a process has been tampered with using process hollowing or process herpaderping techniques. These techniques allow malware to execute while appearing in Task Manager as a standard Windows process running in the background. To enable the process tampering detection feature, administrators need to add the ‘ProcessTampering’ configuration option to the configuration file for the Sysinternals tool. When process tampering is detected, Sysmon generates an ‘Event 25 – Process Tampering’ entry in Event Viewer.
Source: https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/
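
The following added example (not taken from the article or from Microsoft) shows one way to turn the option on and read the resulting events back. It assumes Sysmon 13 or later is already installed with `sysmon.exe` on the PATH, an elevated PowerShell prompt, configuration schema version 4.50, and a placeholder file name under `%TEMP%`.

```powershell
# Added example: enable ProcessTampering logging and review Event ID 25.
# Assumptions: Sysmon 13+ installed, sysmon.exe on PATH, elevated prompt.
# The file name below is a placeholder chosen for this example.
$configPath = Join-Path $env:TEMP 'sysmon-processtampering.xml'

# An "exclude" rule with no conditions excludes nothing, so every
# ProcessTampering event is logged. On a managed host, merge the
# <ProcessTampering> element into the existing configuration instead:
# "sysmon -c" replaces the active configuration with the file given.
@'
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessTampering onmatch="exclude" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $configPath -Encoding UTF8

# Load the configuration into the running Sysmon service.
sysmon.exe -c $configPath

# Pull recent Event 25 records from the Sysmon operational log and
# flatten the named EventData fields into table columns.
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 25 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            ProcessId   = $data['ProcessId']
            Image       = $data['Image']
            Type        = $data['Type']   # kind of tampering Sysmon reported
        }
    } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

An empty result only means no Event 25 has been recorded since the option was enabled; the `Image` and `Type` columns are the starting point for deciding whether a hit is a legitimate program or needs investigation.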

