
Commit dde0f06

committed
typos and clarification
1 parent 2d0ca29 commit dde0f06

2 files changed

Lines changed: 5 additions & 6 deletions


process-tampering.md

Lines changed: 4 additions & 5 deletions
@@ -1,19 +1,19 @@
11
Process Tampering
22
-----------------
33

4-
Sysmon will log **EventID 25** when a process original image is replaced in memory or on disk. This covers the technique of [Process Hollowing](https://attack.mitre.org/techniques/T1055/012/), this is when a process is launched, then suspended and the memory for the image is unmapped and realigned to another image injected in to memory and then resumed to execute the injected image. [Process Herpaderping](https://jxy-s.github.io/herpaderping/) is another technique that is caught by this event type, this technique works by modifying the content on disk after the image has been mapped. This capability was added in version 13.0 of Sysmon with schema 4.50.
4+
Sysmon will log **EventID 25** when a process original image is replaced in memory or on disk. This covers the technique of [Process Hollowing] (https://attack.mitre.org/techniques/T1055/012/), this is when a process is launched, then suspended and the memory for the image is unmapped and realigned to another image injected in to memory and then resumed to execute the injected image. [Process Herpaderping](https://jxy-s.github.io/herpaderping/) is another technique that is caught by this event type, this technique works by modifying the content on disk after the image has been mapped. This capability was added in version 13.0 of Sysmon with schema 4.50.
55

66
The fields for the event are:
77

88
* **ProcessGuid** -- Unique process GUID generated by Sysmon.
99

10-
* **ProcessId** -- Process ID represented as a integer number.
10+
* **ProcessId** -- Process ID represented as an integer number.
1111

1212
* **Image** -- Full path of the executable image that was tampered with.
1313

1414
* **Type** -- Type of process tampering (Image is locked for access, Image is replaced)
1515

16-
There are several programs like browsers and code development programs that trigger this event type. Since a attacker can select any process as their target it is reocmended to capture all events and create a exclusion list of known programs. There is a risk that attacker will select this programs for their actions but it limits greatly their capability by norrowly directing them to programs that can then be monitor for other behaviours to detect abuse on the.
16+
There are several programs like browsers and code development programs that trigger this event type. Since an attacker can select any process as their target it is recommended to capture all events and create an exclusion list of known programs. There is a risk that attacker will select this program for their actions but it limits greatly their capability by narrowly directing them to programs that can then be monitor for other behaviors to detect abuse on the.
1717

1818
Example:
1919

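Review bot: the change to line 4 inserts a space between `[Process Hollowing]` and `(https://attack.mitre.org/techniques/T1055/012/)`, which breaks the Markdown link (it renders as literal bracketed text followed by a parenthesised URL); the original `[Process Hollowing](https://attack.mitre.org/techniques/T1055/012/)` was correct and should be kept. New line 16 still carries grammar left over from the old version: `attacker will select this program` should read `an attacker will select these programs`, `can then be monitor` should be `can then be monitored`, and the sentence ends with `to detect abuse on the.`, which is unfinished and needs its object.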
@@ -48,5 +48,4 @@ RuleGroup name=“” groupRelation=“or”>
4848
</RuleGroup>
4949
```
5050

51-
Seems like Electron based apps like Slack, Mattermost and others also create false positives.
52-
51+
Seems like Electron based apps like Slack, Mattermost and others also create false positives. Another thing to be awarded of that not all process hollowing techniques are detected. Some variations based on the original technique by changing some API calls and amount of the image altered are not detected. This is a perfect example as to why it is important to have additional detection controls for other action and have a layered approach to detection.

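Review bot: `awarded of` on new line 51 should be `aware of`, and `for other action` should be `for other actions`; both belong in a commit titled "typos and clarification". The new claim that hollowing variants which change the API calls used or the amount of the image altered are not caught by EventID 25 would be much more useful with a reference or a short note on what was tested (which calls were swapped, how much of the image was replaced, which Sysmon version), so a reader can reproduce the gap rather than take it on faith.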
the-sysmon-driver.md

Lines changed: 1 addition & 1 deletion
@@ -21,6 +21,6 @@ Sysmon sets multiple callbacks on kernel objects in addition to using telemetry
2121

2222
When the tool is downloaded from the Microsoft Sysinternals website <https://docs.microsoft.com/en-us/sysinternals/> it is important to save and identify previous versions since Microsoft does not provide older versions and the release notes do not detail what has been fixed. Microsoft has a fast release cycle, forcing users to test very carefully and to keep track of versions.
2323

24-
You can take a look at recent changes across versions in the community guide [Sysmon Changelog](https://link)
24+
You can take a look at recent changes across versions in the community guide [Sysmon Changelog](https://github.com/trustedsec/SysmonCommunityGuide/blob/master/sysmon-changelog.md)
2525

2626
Another important piece of information is that there is no support from Microsoft on the Sysinternal tools—they are free and provided as is. This means that a testing plan for the environment it is deployed on should be formulated, tested, implemented, and improved upon as new versions of Sysmon are released.
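Review bot: the `https://link` placeholder on line 24 is replaced with an absolute GitHub URL pinned to the `master` branch; since `sysmon-changelog.md` appears to live in the same repository as this file, a relative link `[Sysmon Changelog](sysmon-changelog.md)` would survive a default-branch rename and render correctly in forks and local clones. Minor, in the unchanged context on line 26: `Sysinternal tools` should be `Sysinternals tools`, matching the product name used on line 22.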
