Forum Discussion
Antonio_Alejandro
Microsoft
Aug 11, 2022
New Blog Post | Detect Masqueraded Process Name Anomalies using an ML notebook
Detect Masqueraded Process Name Anomalies using an ML notebook - Microsoft Tech Community
Process masquerading is an extremely common attack technique. It occurs when the name or the location of a legitimate process is manipulated so that its malicious behavior evades detection. It can include alteration of the metadata, names or paths under which these processes run. Windows processes have expected characteristics such as names, parent processes, the paths from which they are expected to run, and so on. In this blog, we look into process name masquerading, where attackers name their payloads similarly to known normal processes. Adversaries take advantage of the fact that analysts may not always have the proper tools, data, or context to investigate threats thoroughly. A common technique is to slightly modify the name of a legitimate process and execute a payload under it. A regularly abused process is the Windows Service Host (svchost.exe). When security analysts must dive into large corpuses of security data, these are needles in a haystack and are easy to miss on a simple visual pass, which is how such payloads succeed at running malicious code on your machine.
Looking at the following list of words, it is not easy to spot the odd one out, and these are just 30 processes in total. When security analysts must go over large sets of data, where they are not only looking at the names of these processes but also deriving meaning from the context of the parent processes that trigger them and the location from which they run, it is very easy to gloss over the malicious processes and mistake them for good ones. This is one of the main reasons why this kind of problem is well suited to statistics-based rules and associations.
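As an added illustration of the near-miss naming pattern described above (this is not the blog's notebook code), the following Python scores each observed process by the edit distance between its image name and a small assumed baseline of known Windows binaries, and separately checks whether an exactly named process was launched from its expected directory. The baseline dictionary, the distance threshold and the sample telemetry are constructed for illustration.

```python
# Assumed baseline (illustration only): known binaries and their expected directory.
KNOWN_PROCESSES: dict[str, str] = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            # cost of deleting ca, inserting cb, or substituting ca with cb
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_process(name: str, path: str, max_dist: int = 2) -> tuple[str, str]:
    """Classify one observed process as ok, wrong-path, lookalike or unknown."""
    name_l, path_l = name.lower(), path.lower().rstrip("\\")
    closest = min(KNOWN_PROCESSES, key=lambda k: levenshtein(name_l, k))
    dist = levenshtein(name_l, closest)
    if dist == 0:
        # Exact name match: the remaining signal is the launch directory.
        return closest, "ok" if path_l == KNOWN_PROCESSES[closest] else "wrong-path"
    if dist <= max_dist:
        # A near-miss spelling of a known binary is the masquerading pattern.
        return closest, "lookalike"
    return closest, "unknown"

def find_anomalies(events: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Return (name, closest_known, verdict) for lookalike and wrong-path events."""
    scored = [(n, *score_process(n, p)) for n, p in events]
    return [r for r in scored if r[2] in ("lookalike", "wrong-path")]

# Constructed sample telemetry: (image name, directory it was launched from).
SAMPLE_EVENTS = [
    ("svchost.exe", r"C:\Windows\System32"),   # legitimate
    ("svch0st.exe", r"C:\Users\Public"),       # digit zero in place of the letter o
    ("scvhost.exe", r"C:\Windows\Temp"),       # transposed letters
    ("svchost.exe", r"C:\Users\Public"),       # right name, unexpected location
    ("notepad.exe", r"C:\Windows\System32"),   # simply not in the baseline
]

if __name__ == "__main__":
    for row in find_anomalies(SAMPLE_EVENTS):
        print(row)
```

In practice the baseline and the expected directories would be learned from historical telemetry rather than hard-coded, and the distance threshold tuned against the false-positive rate on legitimate names.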