The correct answers areB. Processes in nonstandard file pathsandC. Common processes with modified names. These two detection rules are highly effective for identifyingmalicious processes spawned by phishing-delivered malware.
Phishing payloads commonly drop executables intononstandard directoriessuch as AppData, Temp, Downloads, or user profile subfolders. Legitimate Windows binaries rarely execute from these locations. Monitoring for process execution from such paths is a proven technique for detecting malware loaders, credential stealers, and post-exploitation tooling.
Additionally, attackers frequentlymasquerade malware as legitimate processesby using slightly modified names, such as lsasss.exe, svch0st.exe, or expl0rer.exe. These tactics are designed to evade casual inspection and basic allowlisting. Detecting common Windows process names with anomalies—such as incorrect spelling, unexpected parent processes, or abnormal execution paths—is a high-fidelity behavioral signal.
Option A is too broad; nearly all processes are created by users directly or indirectly, making it noisy. Option D (process ownership changes) and Option E (startup time changes) are less relevant to detecting credential-harvesting processes at execution time and may miss the initial malicious activity.
From a threat hunting and detection engineering perspective, optionsB and Calign withMITRE ATT&CK – Defense Evasion and Credential Accesstechniques. These rules focus onbehavioral detection, not static indicators, making them resilient against attacker variation.
In short, detectingwhere a process runs fromandwhat it pretends to beprovides strong coverage against phishing-delivered malware, makingB and Cthe correct and professionally validated choices.
