Create signature for spawning/injecting many processes #174
This is a simple signature to detect malware with large process trees. One indicator for malware is lots of processes; this includes injection, creation or even running command windows etc., as well as malware trying to be evasive (or rather annoying when viewing) by spawning large process trees from copies of itself.
Anyway, as mentioned, simple: just take action based on the number of processes minus 1 for the parent process. Tested on various samples. I pondered whether or not to display the processes as appended information but decided against it as wasted processing time, as the user can click on the behavior tab and see them anyway once this has been highlighted to them.
Also, on a side note, any feedback regarding the ransomware message submission now the suggested improvements have been made and tested, as I have not had feedback since?
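An added example (not code from the PR or from the project) of the count-based check the description outlines, run over a constructed Cuckoo-style process list; the record fields `pid`/`ppid`/`process_name` and the threshold of 10 are assumptions:

```python
"""Flag a behaviour report whose process tree is unusually large.

Follows the idea in the PR description: count the processes in the sample's
tree minus one for the parent process, and match above a threshold.
The record layout and the threshold are assumptions, not the project's code.
"""
from collections import defaultdict

THRESHOLD = 10  # assumed cut-off for "many" spawned/injected processes


def build_tree(processes):
    """Map parent pid -> list of child pids from {'pid', 'ppid', 'process_name'} records."""
    children = defaultdict(list)
    for proc in processes:
        children[proc["ppid"]].append(proc["pid"])
    return children


def find_roots(processes):
    """Pids whose parent is not itself in the report (the sample's initial process)."""
    pids = {p["pid"] for p in processes}
    return [p["pid"] for p in processes if p["ppid"] not in pids]


def count_descendants(children, root):
    """Number of processes under root, excluding root itself."""
    total, stack = 0, [root]
    while stack:
        for child in children[stack.pop()]:
            total += 1
            stack.append(child)
    return total


def large_process_tree(processes, threshold=THRESHOLD):
    """Return (matched, spawned): spawned is the process count minus the parent."""
    children = build_tree(processes)
    spawned = max((count_descendants(children, r) for r in find_roots(processes)), default=0)
    return spawned >= threshold, spawned


# Constructed sample: a parent that spawns a chain of copies of itself plus cmd windows.
SAMPLE = [{"pid": 100, "ppid": 1, "process_name": "sample.exe"}]
SAMPLE += [{"pid": 101 + i, "ppid": 100 + i, "process_name": "sample.exe"} for i in range(8)]
SAMPLE += [{"pid": 200 + i, "ppid": 100, "process_name": "cmd.exe"} for i in range(3)]

if __name__ == "__main__":
    print(large_process_tree(SAMPLE))  # -> (True, 11)
```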