Finding Malware Process Impersonation via String Distance
Finds malware attempting to hide its execution by running under names that are confusingly similar to those of legitimate system processes.
Endpoint process creation data
A popular technique for hiding malware running on Windows systems is to give it a name that is confusingly similar to that of a legitimate Windows process, preferably one that is always present on every system (a single-character substitution or a swapped pair of letters is enough to fool a casual glance at a process list). Using a string similarity algorithm (Damerau-Levenshtein distance), we can compare the names of running processes against a defined set of Windows system process names and flag those that are close to a known name without matching it exactly.
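As an added example (not code from the original page), the check described above in Python: an optimal-string-alignment form of Damerau-Levenshtein distance is computed between each observed process name and an assumed baseline list of Windows system process names, and near-misses are reported while exact matches are skipped. The baseline list and the observed names are constructed for illustration.

```python
# Legitimate system processes to compare against. This list is an assumption
# for the example; replace it with the baseline used in your environment.
SYSTEM_PROCESSES = [
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "smss.exe", "explorer.exe", "wininit.exe", "spoolsv.exe", "taskhostw.exe",
]


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: edits are insertion, deletion,
    substitution, or transposition of two adjacent characters. Case is
    ignored because Windows process names are case-insensitive."""
    a, b = a.lower(), b.lower()
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[rows - 1][cols - 1]


def find_impersonators(process_names, max_distance=2):
    """Return (observed, closest_legit, distance) for names that are within
    max_distance of a system process name but not identical to it. Exact
    matches are skipped: they are either the real process or need a different
    check (image path, signer) that string distance cannot provide."""
    hits = []
    for name in process_names:
        best = min(SYSTEM_PROCESSES, key=lambda s: damerau_levenshtein(name, s))
        dist = damerau_levenshtein(name, best)
        if 0 < dist <= max_distance:
            hits.append((name, best, dist))
    return hits


if __name__ == "__main__":
    # Constructed sample of process names as they might appear in endpoint
    # process creation telemetry.
    observed = ["svchost.exe", "svch0st.exe", "lssas.exe", "notepad.exe", "scvhost.exe"]
    for hit in find_impersonators(observed):
        print("possible impersonation: %s looks like %s (distance %d)" % hit)
```

A distance threshold of 1 or 2 keeps the match set tight; raising it quickly pulls in unrelated short names, so tune it against a sample of your own telemetry before alerting on it.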