Persistence MalOps
Persistence MalOps are triggered for behaviors that enable an attacker to have continued access to the machine, network, environment, and so forth. The Cybereason platform detects a number of different behaviors resembling persistence.
These MalOps are part of the Verified group.
The Cybereason platform detects a number of different behaviors resembling persistence. Persistence MalOps include:
Malicious fake module: triggered when a process loads a false module (correct module name but different metadata) such as a fake Outlook Web App (OWA).
Masquerading as a Windows accessibility feature: triggered when the process uses an identified and known method for abusing Windows accessibility features and then the process executes as a shell process.
Supported OS for these MalOps: Windows
Next steps
Investigate the Process Element Details, paying special attention for unsigned DLL files that have a signed version
Remediate any malicious DLL files.
Investigate the process hierarchy.
Investigate scheduled tasks and then stop/remove malicious scheduled tasks when found.
Investigate registry run keys related to the process in question and remove malicious run keys.