Detection Strategies for COM, WMI, and ALPC-Based Multi-Process Malware

Detailed description

Bibliographic details
Published in: Sensors (Basel, Switzerland), 2024-08, Vol. 24 (16), p. 5118
Main authors: Portase, Radu Marian; Muntea, Andrei Marius; Mermeze, Andrei; Colesa, Adrian; Sebestyen, Gheorghe
Format: Article
Language: English
Online access: Full text
Description
Abstract: Behavioral malware detection is based on attributing malicious actions to processes. Malicious processes may try to hide by changing the behavior of other benign processes to achieve their goals. We showcase how Component Object Model (COM) and Windows Management Instrumentation (WMI) can be used to create such spoofing attacks. We discuss the internals of COM, WMI, and Asynchronous Local Procedure Call (ALPC). We present multiple functional monitoring techniques to identify the spoofing and discuss the strong and weak points of each technique. We create a robust process monitoring system that can correctly identify the source of malicious actions spoofed via COM, WMI, and ALPC with a low performance impact. Finally, we discuss how malicious actors use COM, WMI, and ALPC by examining real-world malware detected by our monitoring system.
ISSN: 1424-8220
DOI: 10.3390/s24165118