Purpose
Finds malware that attempts to hide its execution by running under a name confusingly similar to that of a legitimate system process.
Data Required
Endpoint process creation data
Collection Considerations
None
Analysis Techniques
Scripting
Description
A popular technique for hiding malware running on Windows systems is to give it a name that is confusingly similar to a legitimate Windows process, preferably one that is always present on every system. Using a string similarity algorithm (Damerau-Levenshtein distance), we can compare the names of running processes against a set of known Windows system process names and flag near-misses that indicate this sort of impersonation.
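The comparison described above, as an added example that is not part of the original playbook: the baseline set of system process names, the distance threshold and the sample process-creation events are all constructed assumptions to be tuned for your environment, and the distance is the optimal string alignment form of Damerau-Levenshtein.

```python
from typing import List, Tuple

# Baseline of always-present Windows system processes (assumed list; extend per environment).
SYSTEM_PROCESSES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "explorer.exe", "smss.exe", "wininit.exe", "spoolsv.exe", "conhost.exe",
}

# Constructed sample process-creation events (image paths), not real telemetry.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\svchost.exe",   # legitimate, exact match
    r"C:\Users\Public\scvhost.exe",       # adjacent letters swapped
    r"C:\Windows\Temp\lsas.exe",          # one letter dropped
    r"C:\Windows\System32\csrss.exe",     # legitimate, exact match
    r"C:\Program Files\app\notepad.exe",  # unrelated name, far from the baseline
]

def osa_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance in its optimal string alignment form:
    insertion, deletion, substitution and adjacent transposition each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def normalize(image_path: str) -> str:
    """Keep only the file name, lower-cased, so path and case differences do not inflate the distance."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_lookalikes(image_paths: List[str], max_distance: int = 2) -> List[Tuple[str, str, int]]:
    """Return (observed name, closest baseline name, distance) for every name within
    max_distance of a baseline entry. Distance 0 is the genuine process and is skipped."""
    hits = []
    for path in image_paths:
        name = normalize(path)
        best = min(SYSTEM_PROCESSES, key=lambda s: osa_distance(name, s))
        dist = osa_distance(name, best)
        if 0 < dist <= max_distance:
            hits.append((name, best, dist))
    return hits
```

Running `find_lookalikes(SAMPLE_EVENTS)` reports the swapped-letter and dropped-letter names with their closest baseline entry and distance; a process that uses the exact legitimate name from an unexpected path scores 0 and is outside what this check sees, so path validation is a separate hunt.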
Other Notes
None
More Info