Cited from: https://redteamleaders.coursestack.com/courses/3e9e0212-81dc-49ed-9233-ec9ca894fc6a/take/11---detection-types-signature-heuristic-behavioral-and-machine-learning
Behavioral detection monitors the runtime behavior of processes and correlates it with known malicious patterns: sequences of actions, rather than the byte patterns a signature engine matches.

How it works:
- Runs in real time or near real time.
- Tracks system calls, API call chains, memory manipulation, process creation, and file and registry changes.

Examples of monitored behavior:
- CreateProcess → Inject Shellcode → CreateRemoteThread (the classic remote-injection chain).
- Child processes such as cmd.exe, powershell.exe, or script hosts spawned from Microsoft Office applications or browsers.
- Modifications to autorun registry keys or scheduled tasks (persistence).

Strengths:
- Detects zero-day malware based on what it does, not on what its code looks like.
- Difficult to evade without mimicking legitimate process behavior.

Common evasion techniques:
- Sleep/delay tactics (e.g., Sleep(10000)) to outlast a sandbox run or a detector's correlation window.
- Parent process (PPID) spoofing, so the child appears to have been launched by a benign parent.
- Staged payload delivery with a minimal in-memory footprint.
- API call sequencing with benign lookalike calls interleaved between the malicious steps.
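The following is an added example, not code from the course page. It shows the three monitored behaviors listed above (Office or browser spawning a shell, autorun/scheduled-task persistence, and the remote-injection API chain) as detection rules run over a constructed, Sysmon/EDR-style event stream, and then shows how two of the evasion techniques above interact with those rules: interleaved benign API calls and a 10-second Sleep are absorbed by matching the chain as an ordered subsequence inside a time window, while a PPID-spoofed launch is invisible to the parent/child rule because the sensor only records the claimed parent. The event schema, field names, process IDs, and all log entries are assumptions made up for the example.

```python
"""Toy behavioral detector over a constructed event stream (added example)."""

# Assumed sensor schema (not any real product's): every event has "t" (seconds),
# "type" and "pid"; process_create adds image/parent_image/ppid, api_call adds
# api and optionally target_pid, registry_set adds key, task_create adds task.
OFFICE_AND_BROWSERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                       "chrome.exe", "msedge.exe", "firefox.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}
AUTORUN_KEYS = (r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
                r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN")
INJECTION_CHAIN = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")

# Constructed sample telemetry, not real logs.
EVENTS = [
    # Macro document: WINWORD spawns powershell.exe -> parent/child rule fires.
    {"t": 0.0, "type": "process_create", "pid": 1001, "ppid": 900,
     "image": "powershell.exe", "parent_image": "winword.exe"},
    # Persistence: autorun Run key and a scheduled task written by that process.
    {"t": 1.5, "type": "registry_set", "pid": 1001,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"t": 2.0, "type": "task_create", "pid": 1001, "task": r"\Microsoft\Windows\Updater"},
    # Injection chain with benign lookalikes and a 10 s Sleep interleaved.
    {"t": 5.0, "type": "api_call", "pid": 1001, "api": "OpenProcess", "target_pid": 640},
    {"t": 5.1, "type": "api_call", "pid": 1001, "api": "GetSystemTime"},
    {"t": 5.15, "type": "api_call", "pid": 1001, "api": "ReadProcessMemory", "target_pid": 640},
    {"t": 5.2, "type": "api_call", "pid": 1001, "api": "VirtualAllocEx", "target_pid": 640},
    {"t": 5.3, "type": "api_call", "pid": 1001, "api": "Sleep", "arg": 10000},
    {"t": 15.3, "type": "api_call", "pid": 1001, "api": "WriteProcessMemory", "target_pid": 640},
    {"t": 15.4, "type": "api_call", "pid": 1001, "api": "GetTickCount"},
    {"t": 15.5, "type": "api_call", "pid": 1001, "api": "CreateRemoteThread", "target_pid": 640},
    # PPID-spoofed launch: the sensor records the *claimed* parent (explorer.exe),
    # so the parent/child rule has nothing to key on.
    {"t": 20.0, "type": "process_create", "pid": 1002, "ppid": 400,
     "image": "cmd.exe", "parent_image": "explorer.exe"},
    # Benign process that touches the same APIs but never completes the chain.
    {"t": 30.0, "type": "api_call", "pid": 2000, "api": "OpenProcess", "target_pid": 2001},
    {"t": 30.1, "type": "api_call", "pid": 2000, "api": "ReadProcessMemory", "target_pid": 2001},
]


def detect_office_child(events):
    """Rule: shell or script host spawned by an Office application or browser."""
    alerts = []
    for e in events:
        if e["type"] != "process_create":
            continue
        if (e["parent_image"].lower() in OFFICE_AND_BROWSERS
                and e["image"].lower() in SUSPICIOUS_CHILDREN):
            alerts.append(("office_spawn", e["pid"], f'{e["parent_image"]} -> {e["image"]}'))
    return alerts


def detect_persistence(events):
    """Rule: write to an autorun Run/RunOnce key, or creation of a scheduled task."""
    alerts = []
    for e in events:
        if e["type"] == "registry_set" and e["key"].upper().startswith(AUTORUN_KEYS):
            alerts.append(("autorun_key", e["pid"], e["key"]))
        elif e["type"] == "task_create":
            alerts.append(("scheduled_task", e["pid"], e["task"]))
    return alerts


def detect_injection_chain(events, window=60.0):
    """Rule: INJECTION_CHAIN seen as an ordered subsequence of one process's API
    calls against one target pid. Calls that are not the next expected step are
    ignored rather than resetting the match, so benign lookalikes in between do
    not break it; the partial match is only discarded once `window` seconds have
    passed since its first step, which is the knob a Sleep()-based evasion targets."""
    alerts = []
    state = {}  # (pid, target_pid) -> (index of next expected step, time of first step)
    for e in sorted(events, key=lambda x: x["t"]):
        if e["type"] != "api_call" or "target_pid" not in e:
            continue
        key = (e["pid"], e["target_pid"])
        idx, t0 = state.get(key, (0, 0.0))
        if idx and e["t"] - t0 > window:  # stale partial chain: start over
            idx = 0
        if e["api"] == INJECTION_CHAIN[idx]:
            if idx == 0:
                t0 = e["t"]
            idx += 1
            if idx == len(INJECTION_CHAIN):
                alerts.append(("remote_injection", e["pid"], f'target pid {e["target_pid"]}'))
                idx = 0
        state[key] = (idx, t0)
    return alerts


def run_all(events, window=60.0):
    """Run every rule and return the combined alert list."""
    return (detect_office_child(events) + detect_persistence(events)
            + detect_injection_chain(events, window))


if __name__ == "__main__":
    for alert in run_all(EVENTS):
        print(alert)
```

With the default 60-second window the injection chain is caught despite the interleaved GetSystemTime, ReadProcessMemory and GetTickCount calls and the 10-second Sleep; with `window=5.0` the same stream produces no injection alert, which is exactly the trade-off the Sleep/delay tactic exploits (a longer window costs state and raises false-positive exposure, a shorter one is outlasted by a delay). The PPID-spoofed cmd.exe (pid 1002) is flagged by none of the rules: the parent/child rule can only see the parent the sensor logged, so catching that case needs telemetry this example does not model, such as which process actually made the CreateProcess call.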