Detection Strategies for COM, WMI, and ALPC-Based Multi-Process Malware.
COM
WMI
behavior detection
malware
sensor evasion
Journal
Sensors (Basel, Switzerland)
ISSN: 1424-8220
Abbreviated title: Sensors (Basel)
Country: Switzerland
NLM ID: 101204366
Publication information
Publication date: 07 Aug 2024
History:
received: 2024-06-30
revised: 2024-07-28
accepted: 2024-08-05
medline: 2024-08-31
pubmed: 2024-08-31
entrez: 2024-08-29
Status: epublish
Abstract
Behavioral malware detection is based on attributing malicious actions to processes. Malicious processes may try to hide by changing the behavior of other benign processes to achieve their goals. We showcase how Component Object Model (COM) and Windows Management Instrumentation (WMI) can be used to create such spoofing attacks. We discuss the internals of COM and WMI and Asynchronous Local Procedure Call (ALPC). We present multiple functional monitoring techniques to identify the spoofing and discuss the strong and weak points of each technique. We create a robust process monitoring system that can correctly identify the source of malicious actions spoofed via COM, WMI and ALPC with a low performance impact. Finally, we discuss how malicious actors use COM, WMI and ALPC by examining real-world malware detected by our monitoring system.
Identifiers
pubmed: 39204815
pii: s24165118
doi: 10.3390/s24165118
Publication types
Journal Article
Languages
eng
Citation subsets
IM