In a previous diary, I talked about stack strings[1] with a practical example of them. Since my SEC670 class, I’m even more interested in malware obfuscation techniques. I had a look at process names. When you list running processes on a computer, can you trust what you see? If you're facing a rootkit, malicious processes can be simply hidden (the API calls or commands to list processed have been tampered). But a malicious process can also mimic a non-suspicious name by masquerading their name. This technique (T1036 in the MITRE ATT&CK framework[2]) has been used by attackers in many campaigns. A good example of the Velvet Ant Chinese group[3]. The goal is to hide the “malware†process name by replacing it with something that won’t attract the Security Analyst’s eyes or defeat security controls.
Read the original article: