Commit
hunting for malware by finding processes impersonating system processes
1 parent 1f53158, commit c08e7a4
Showing 1 changed file with 29 additions and 0 deletions.
@@ -0,0 +1,29 @@ | ||
# Finding Malware Process Impersonation via String Distance | ||
|
||
**Purpose** | ||
|
||
Finds malware attempting to hide execution by running with names which are confusingly similar to legitimate system processes. | ||
|
||
**Data Required** | ||
|
||
Endpoint process creation data | ||
|
||
**Collection Considerations** | ||
|
||
None | ||
|
||
**Analysis Techniques** | ||
|
||
Scripting | ||
|
||
**Description** | ||
|
||
A popular technique for hiding malware running on Windows systems is to give it a name that's confusingly similar to a legitimate Windows process, preferably one that is always present on all systems. Using a _string similarity_ algorithm, we can compare the names of running processes to a set of defined Windows system processes to look for this sort of impersonation. | ||
|
||
**Other Notes** | ||
|
||
None | ||
|
||
**More Info** | ||
|
||
- [Hunting for Malware Critical Process Impersonation](http://detect-respond.blogspot.com/2016/11/hunting-for-malware-critical-process.html) |
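Review bot: The Description says to use "a _string similarity_ algorithm" but never names the metric or the distance threshold at which a process name counts as an impersonation attempt, and **Other Notes** is left as "None"; suggest naming the metric (e.g. Levenshtein edit distance against the defined list of Windows system process names) and stating the threshold, and using Other Notes to record the expected false positives (legitimately named vendor binaries that sit within one or two edits of a system process name) and that exact matches to the system list should be excluded before scoring. **Collection Considerations** being "None" also understates the requirement: the comparison needs the executable name from the "Endpoint process creation data", and recording the full image path alongside it lets the analyst separate a near-match name in an unexpected directory from a benign collision.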