👣 Traces

Traces are the most important part of our program. We try to recreate them safely so we can test the rules that detect them.

📖 Definition

A trace is the smallest set of actions or events that malware can cause and that is observable on a system. It serves a common purpose, performs one or more actions that are mostly specific to malware, is detectable by at least one detection language, and can be isolated and replicated to produce a generic example.

Remember that the definition can be changed at any time to better fit our goals.

🔧 Characteristics

To understand what they are, let's look at some examples.

Let's start with what a trace is:

Now, let's look at what it isn't:

  • Opening a file, creating a process, and so on. These actions are not specific to malware and are mostly performed for legitimate purposes.
  • Creating a thread to encrypt/decrypt data or to send data. As mentioned earlier, these are not necessarily malicious on their own.
  • An action that depends on a file present only within the malware sample. This is excluded mainly because it cannot be isolated.