Feature title | Description of feature
---|---
callbacks.ncallbacks | Total number of kernel callbacks the callbacks plugin enumerates (process, thread and image-load notify routines, registry and object callbacks, and so on). Rootkits and obfuscated malware register callbacks to monitor or intercept system activity, so an unusually high count is a signal, although endpoint security products also register many.
pslist.avg_handlers | Average handle count per process, taken from the Hnds column of pslist. Malware that opens handles to many objects, or to other processes in order to inject into or control them, pushes this average up.
psxview.not_in_eprocess_pool_false_avg | psxview.not_in_eprocess_pool divided by the number of processes psxview enumerated, i.e. the fraction of processes for which the pool-tag scan (psscan) found no _EPROCESS. It rises when a hidden process has had its pool allocation tampered with so that scanning cannot recover it.
ldrmodules.not_in_load | Number of mapped images that ldrmodules could not find in the PEB's InLoadOrderModuleList. An injected or reflectively loaded DLL unlinked from this list shows up here, the classic DLL-hiding technique; the module is still mapped in memory, it is not "unloaded".
psxview.not_in_csrss_handles_false_avg | psxview.not_in_csrss_handles as a fraction of all processes psxview enumerated. csrss.exe normally holds a handle to every user-mode process, so a high fraction means processes that csrss.exe never saw created or that were hidden from its handle table. System, smss.exe and csrss.exe itself are expected to be missing.
handles.nevent | Number of Event object handles. Malware uses events to synchronise its threads and components and to signal between stages; a hidden process holding many events is worth inspecting.
handles.nmutant | Number of Mutant (mutex) handles. Malware commonly creates a named mutex so that only one instance runs, and uses mutexes to serialise access to shared resources; the mutex name is often a usable indicator in its own right.
psxview.not_in_eprocess_pool | Count of processes seen in other psxview views but for which psscan found no _EPROCESS by pool-tag scanning. Unlike list unlinking, which psscan still catches, this implies the pool tag or the structure itself was altered, a technique of obfuscated malware aimed at defeating scanners.
dlllist.avg_dlls_per_proc | Average number of DLLs per process as listed by dlllist (walked from the PEB loader lists). Malware that loads unusual DLLs, or a hidden process with an odd DLL footprint, shifts the average.
psxview.not_in_deskthrd_false_avg | psxview.not_in_deskthrd as a fraction of all processes psxview enumerated: the share of processes with no thread attached to any Desktop object. Malware that runs without a window station or detaches its threads from the desktop raises it.
handles.nthread | Number of Thread object handles. Malware opens handles to threads in other processes to suspend or hijack them or to inject code, and creates extra worker threads of its own.
callbacks.nanonymous | Number of callbacks whose target address lies outside any known loaded module (Volatility reports the owner as UNKNOWN). Legitimate drivers resolve to a module name, so an anonymous callback is a strong indicator of a rootkit hiding its code.
modules.nmodules | Number of kernel modules in PsLoadedModuleList as walked by the modules plugin. A malicious driver adds to it; comparing with the pool-scanned result (modscan) reveals drivers unlinked from the list.
ldrmodules.not_in_mem_avg | ldrmodules.not_in_mem divided by the number of mapped images ldrmodules listed. A high fraction means many images absent from the PEB's InMemoryOrderModuleList, typical of injected DLLs unlinked from the loader lists to evade memory-based enumeration.
handles.nsemaphore | Number of Semaphore object handles, used to coordinate threads and throttle access to resources; malware uses them between its components in the same way.
svcscan.fs_drivers | Number of services of type SERVICE_FILE_SYSTEM_DRIVER found by svcscan. A malicious file system filter or minifilter installed to intercept file operations appears here.
svcscan.shared_process_services | Number of services of type SERVICE_WIN32_SHARE_PROCESS (several services hosted in one process such as svchost.exe). Malware registered as a svchost-hosted service DLL blends in with dozens of legitimate ones.
ldrmodules.not_in_init_avg | ldrmodules.not_in_init divided by the number of mapped images. The main executable of every process is legitimately absent from InInitializationOrderModuleList, so this is never zero; what matters is a fraction well above the clean baseline, which indicates DLLs unlinked from the list.
svcscan.process_services | Number of services of type SERVICE_WIN32_OWN_PROCESS (each running in its own process). Malware that installs a standalone service executable for persistence adds to this count.
handles.nsection | Number of Section (file-mapping) object handles. Sections back shared memory and mapped files; injection techniques that map a section into the victim process instead of writing with WriteProcessMemory leave extra Section handles behind.
pslist.nprocs64bit | Number of 64-bit processes (Wow64 False in pslist). This is largely a property of the image and changes only when malware spawns or kills processes of a particular bitness, so it mostly serves as context for the other process features.
pslist.nppid | Number of distinct parent PIDs among running processes. Malware that spawns many children from one parent, or spoofs its parent PID to hide its origin, alters the parent-child structure this reflects.
handles.avg_handles_per_proc | Total handles divided by the number of processes in the handles table. Malware that opens large numbers of files, keys, processes or threads inflates it; pslist.avg_handlers derives the same idea from pslist's Hnds column.
dlllist.ndlls | Total number of DLLs across all processes as listed by dlllist. Malware that loads its payload or helper DLLs into many processes raises it.
svcscan.nactive | Number of services whose state is SERVICE_RUNNING. Malware adds to it by registering its own service or by starting a hijacked legitimate one.
handles.nport | Number of Port object handles, i.e. LPC/ALPC ports used for local inter-process messaging such as RPC, not network ports. Malware that talks to system services over RPC or exposes its own ALPC server raises it; network activity is better seen with netscan.
malfind.uniqueInjections | Number of distinct memory regions flagged by malfind (private, executable, writable regions with no backing file). Injected and unpacked code lives in such regions, making this one of the strongest indicators in the set.
psxview.not_in_pslist | Count of processes found by other views (pool scan, thread scan, csrss handles, and so on) but missing from the linked process list (PsActiveProcessHead). A process unlinked by DKOM, the textbook hiding technique, lands here.
psxview.not_in_pspcid_list | Count of processes missing from PspCidTable, the kernel handle table that maps PIDs and TIDs to their objects. Removing a process from it is a kernel-level hiding step beyond simple list unlinking.
psxview.not_in_pspcid_list_false_avg | psxview.not_in_pspcid_list as a fraction of all processes psxview enumerated, which surfaces kernel-level hiding even when the absolute count is small on a busy system.
pslist.nproc | Total number of processes in pslist. Malware that spawns helper processes or keeps respawning itself raises it, but this only counts processes still on the linked list; hidden ones show up in the psxview features instead.
handles.ndesktop | Number of Desktop object handles. Malware that creates a hidden desktop to run windows out of the user's sight, or attaches to alternate desktops, opens more of them.
malfind.commitCharge | Total commit charge (committed pages) of the regions malfind flagged. Larger values mean more injected or unpacked code is resident in memory.
psxview.not_in_session | Count of processes not attached to any session (absent from every session's process list). User-mode processes normally belong to a session, so an unsessioned process that is not a core system process is suspect.
handles.ndirectory | Number of object manager Directory handles (namespaces such as \BaseNamedObjects), not filesystem directories. Malware that enumerates or creates named kernel objects holds these.
psxview.not_in_csrss_handles | Count of processes to which csrss.exe holds no handle. csrss.exe normally has a handle to every user-mode process, so a missing one was either created in a way that bypassed csrss or had the handle removed to sever the link. System, smss.exe and csrss.exe itself are expected exceptions.
psxview.not_in_pslist_false_avg | psxview.not_in_pslist as a fraction of all processes psxview enumerated: the share of processes hidden from the standard linked-list enumeration.
psxview.not_in_deskthrd | Count of processes with no thread attached to any Desktop object. Service-like and hidden processes that never create a window fall here, so malware detached from the desktop cannot be told apart from them by this feature alone.
malfind.protection | Page protection of the regions malfind flagged; malfind keys on regions that are both writable and executable such as PAGE_EXECUTE_READWRITE. Legitimate code is rarely both, while self-modifying, unpacked or injected code usually is.
pslist.avg_threads | Average number of threads per process, from the Thds column of pslist. Malware that creates many worker threads, or remote threads in other processes, raises it.
ldrmodules.not_in_init | Number of mapped images missing from InInitializationOrderModuleList. Main executables are always absent from it, so a clean image already scores one per process; a count beyond that indicates DLLs unlinked from the loader's lists.
ldrmodules.not_in_mem | Number of mapped images missing from InMemoryOrderModuleList. The image is still mapped (ldrmodules found it in the VAD tree); it is only hidden from the loader's list, which is what injected or manually mapped DLLs look like.
psxview.not_in_session_false_avg | psxview.not_in_session as a fraction of all processes psxview enumerated: the share of processes isolated from every user session.
malfind.ninjections | Total number of malfind hits. Each is a private executable region with suspicious protection or content (for example an MZ header or a recognisable prologue), the usual fingerprint of injected or unpacked code.
svcscan.interactive_process_services | Number of services flagged SERVICE_INTERACTIVE_PROCESS, i.e. allowed to interact with the desktop. Malware that wants SYSTEM-level persistence together with access to the user's desktop registers its service this way.
psxview.not_in_ethread_pool | Count of processes for which the thread scan (thrdproc) found no _ETHREAD belonging to them in pool memory. Every running process owns threads, so a process present in other views but absent here has had its thread objects hidden or corrupted, a kernel-level evasion.
ldrmodules.not_in_load_avg | ldrmodules.not_in_load divided by the number of mapped images: the share of images unlinked from InLoadOrderModuleList.
handles.nfile | Number of File object handles. Malware that stages payloads, logs keystrokes or holds files open to block deletion raises it.
handles.ntimer | Number of Timer object handles, used to schedule work; malware uses timers for beaconing intervals and delayed execution.
callbacks.ngeneric | Number of callbacks of type GenericKernelCallback (registered through ExRegisterCallback on a callback object) as opposed to the typed notify routines. They let a driver receive notifications without being tied to a specific event type and are one of the places rootkits hook.
handles.nkey | Number of registry Key handles. Malware reads its configuration, writes persistence entries (Run keys, services) and sometimes stores payloads in the registry, all of which open key handles.
svcscan.kernel_drivers | Number of services of type SERVICE_KERNEL_DRIVER. A malicious driver installed for rootkit functionality or to tamper with driver loading appears here, provided it was registered as a service at all.
psxview.not_in_ethread_pool_false_avg | psxview.not_in_ethread_pool as a fraction of all processes psxview enumerated: the share of processes whose thread objects could not be found by scanning.
handles.nhandles | Total number of handles across all processes in the handles table. Malware that opens many objects inflates it; read together with handles.avg_handles_per_proc it shows whether the inflation is concentrated in a few processes.
svcscan.nservices | Total number of services svcscan found, running or not. Malware adds to it by installing its own service or hijacking an existing one.
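The table names features but not how they are derived from plugin output. The following is an added example, not the dataset's or any extraction tool's code, that computes the psxview, ldrmodules and handles features from text in the shape of Volatility 2 plugin output. The three input tables are constructed; the column layout mirrors Volatility 2's, and two things are assumptions: boolean columns hold the literal strings True/False, and the "_false_avg" and "_avg" features are the raw count divided by the number of rows the plugin printed.

```python
"""Compute a subset of the features in the table above from Volatility 2
style plugin text. Added illustration, not the dataset's or any extraction
tool's code. Inputs are constructed. Assumed: boolean columns are literal
True/False, and "_false_avg"/"_avg" = count divided by the plugin's row count."""
from collections import Counter

# psxview: one row per process, one True/False column per view of the process
PSXVIEW_COLUMN_TO_FEATURE = {
    "pslist":   "not_in_pslist",         # not on the PsActiveProcessHead list
    "psscan":   "not_in_eprocess_pool",  # pool-tag scan found no _EPROCESS
    "thrdproc": "not_in_ethread_pool",   # no scanned _ETHREAD belongs to it
    "pspcid":   "not_in_pspcid_list",    # absent from PspCidTable
    "csrss":    "not_in_csrss_handles",  # csrss.exe holds no handle to it
    "session":  "not_in_session",        # not on any session's process list
    "deskthrd": "not_in_deskthrd",       # no thread attached to a Desktop
}
# ldrmodules: one row per mapped image, one column per PEB loader list
LDRMODULES_COLUMN_TO_FEATURE = {"InLoad": "not_in_load",
                                "InInit": "not_in_init", "InMem": "not_in_mem"}
# handles: object type name -> feature name ("Port" is an LPC/ALPC port)
HANDLE_TYPE_TO_FEATURE = {
    "File": "nfile", "Key": "nkey", "Mutant": "nmutant", "Event": "nevent",
    "Section": "nsection", "Port": "nport", "Thread": "nthread",
    "Semaphore": "nsemaphore", "Timer": "ntimer", "Desktop": "ndesktop",
    "Directory": "ndirectory"}

# Constructed: evil.exe (PID 1337) is unlinked from the process list and from
# PspCidTable, but pool scanning still finds its _EPROCESS and _ETHREADs.
# System and csrss.exe are expected False in the csrss column (no self-handle).
PSXVIEW_OUTPUT = """\
Offset(P)  Name         PID   pslist psscan thrdproc pspcid csrss session deskthrd
0x3e0b8a30 System       4     True   True   True     True   False False   False
0x3e9e5d40 csrss.exe    320   True   True   True     True   False True    True
0x3f12c030 svchost.exe  820   True   True   True     True   True  True    True
0x3f4a1b20 evil.exe     1337  False  True   True     False  False True    False
"""
# Constructed: inj.dll inside evil.exe is unlinked from all three PEB lists.
# Main executables are legitimately absent from InInit, so not_in_init is
# rarely zero even on a clean image.
LDRMODULES_OUTPUT = """\
Pid   Process      Base        InLoad InInit InMem MappedPath
820   svchost.exe  0x00ff0000  True   False  True  \\Windows\\System32\\svchost.exe
820   svchost.exe  0x77a00000  True   True   True  \\Windows\\System32\\ntdll.dll
1337  evil.exe     0x00400000  True   False  True  \\Users\\bob\\evil.exe
1337  evil.exe     0x10000000  False  False  False \\Users\\bob\\inj.dll
"""
# Constructed handles table; the Details column may be empty or contain spaces.
HANDLES_OUTPUT = """\
Offset(V)  Pid   Handle  Access    Type     Details
0x85f0a1b8 4     0x4     0x1f0fff  Process  System(4)
0x8620c4e0 820   0x8     0x100020  File     \\Device\\HarddiskVolume1\\Windows\\System32
0x8620d2a8 820   0xc     0x20019   Key      MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT
0x86211f40 820   0x10    0x1f0001  Port     \\RPC Control\\epmapper
0x863a7c10 1337  0x14    0x1f0001  Mutant   Global\\evil_single_instance
0x863a8d28 1337  0x18    0x1f0003  Event
0x863a9e40 1337  0x1c    0xf001f   Section
0x863aaf58 1337  0x20    0xf01ff   Thread   TID 1340 PID 820
"""

def parse_table(text):
    """Rows as dicts keyed by the header; only the last column may hold spaces."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    return [dict(zip(header, line.split(None, len(header) - 1)))
            for line in lines[1:]]

def _count_false(rows, column_to_feature, prefix, avg_suffix):
    """Per column: number of False rows, plus that number over the row count."""
    n = len(rows)
    feats = {}
    for column, feature in column_to_feature.items():
        missing = sum(1 for row in rows if row.get(column) == "False")
        feats[f"{prefix}.{feature}"] = missing
        feats[f"{prefix}.{feature}{avg_suffix}"] = missing / n if n else 0.0
    return feats

def psxview_features(rows):
    return _count_false(rows, PSXVIEW_COLUMN_TO_FEATURE, "psxview", "_false_avg")

def ldrmodules_features(rows):
    return _count_false(rows, LDRMODULES_COLUMN_TO_FEATURE, "ldrmodules", "_avg")

def handles_features(rows):
    """Total handles, handles per process, and per object type counts."""
    by_type = Counter(row["Type"] for row in rows)
    pids = {row["Pid"] for row in rows}
    feats = {"handles.nhandles": len(rows),
             "handles.avg_handles_per_proc": len(rows) / len(pids) if pids else 0.0}
    for obj_type, feature in HANDLE_TYPE_TO_FEATURE.items():
        feats[f"handles.{feature}"] = by_type.get(obj_type, 0)
    return feats

def extract_features(psxview=PSXVIEW_OUTPUT, ldrmodules=LDRMODULES_OUTPUT,
                     handles=HANDLES_OUTPUT):
    """One flat feature vector keyed exactly like the table above."""
    feats = psxview_features(parse_table(psxview))
    feats.update(ldrmodules_features(parse_table(ldrmodules)))
    feats.update(handles_features(parse_table(handles)))
    return feats
```

On the constructed sample, `extract_features()` reports the hidden process once in psxview.not_in_pslist and psxview.not_in_pspcid_list but zero in psxview.not_in_eprocess_pool, which is exactly the DKOM-unlinked-but-still-scannable profile; ldrmodules.not_in_init comes out at 3 even though only one DLL is hidden, because both main executables are counted, which is why the normalised "_avg" variants should be compared against a clean baseline rather than against zero.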