2339ab1 Nov 29, 2016

Finding Malware Process Impersonation via String Distance

Purpose

Finds malware attempting to hide execution by running with names which are confusingly similar to legitimate system processes.

Data Required

Endpoint process creation data

Collection Considerations

None

Analysis Techniques

Scripting

Description

A popular technique for hiding malware running on Windows systems is to give it a name that's confusingly similar to a legitimate Windows process, preferably one that is always present on all systems. Using a string similarity algorithm (Damerau-Levenshtein distance), we can compare the names of running processes to a set of defined Windows system processes to look for this sort of impersonation.
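The comparison described above, as an added example that is not part of the playbook entry: an optimal-string-alignment form of Damerau-Levenshtein distance, run over a constructed list of observed process names against an assumed allow-list of Windows system processes.

```python
"""Added example: flag process names that are a small Damerau-Levenshtein
distance away from well-known Windows system process names."""

# Assumed baseline of legitimate system process names; extend per environment.
SYSTEM_PROCESSES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "services.exe",
    "winlogon.exe", "smss.exe", "wininit.exe", "spoolsv.exe", "conhost.exe",
}


def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution
    and transposition of two adjacent characters each cost 1."""
    a, b = a.lower(), b.lower()
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition (e.g. "scvhost" vs "svchost").
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def find_impersonators(process_names, max_distance=2):
    """Return (observed, closest_legit, distance) for names that are close to,
    but not exactly equal to, a known system process name."""
    hits = []
    for name in process_names:
        lname = name.lower()
        if lname in SYSTEM_PROCESSES:
            continue  # exact matches are the legitimate processes themselves
        dist, legit = min((damerau_levenshtein(lname, p), p) for p in SYSTEM_PROCESSES)
        if dist <= max_distance:
            hits.append((name, legit, dist))
    return hits


# Constructed sample of observed process names, not real telemetry.
OBSERVED = ["svchost.exe", "scvhost.exe", "lsass.exe", "1sass.exe", "explorer.exe",
            "exploror.exe", "notepad.exe", "csrsss.exe", "scvh0st.exe"]

if __name__ == "__main__":
    for observed, legit, dist in find_impersonators(OBSERVED):
        print(f"{observed:14} ~ {legit:14} distance={dist}")
```

Legitimate names can themselves sit within distance 2 of each other (lsass.exe and csrss.exe, for instance), so the allow-list must be exact and the threshold tuned against your own baseline before alerting on it.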

Other Notes

None

More Info