Systems and methods for categorizing processes as malicious
Abstract:
The disclosed computer-implemented method for categorizing processes as malicious may include (1) storing, in a security application that tracks event data for the computing device, data about an event triggered by an uncategorized process, (2) storing, in the security application, new data about an additional event triggered by an additional process that has not previously been determined to be connected to the uncategorized process, (3) comparing the new data about the additional event with the data about the event to determine whether the additional data shares a common variable with the data, (4) identifying, based on determining that the additional data shares the common variable with the data, a malicious chain of events that comprises the event and the additional event, and (5) categorizing the uncategorized process as malicious in response to identifying the malicious chain of events. Various other methods, systems, and computer-readable media are also disclosed.
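The five steps above can be sketched as a small event tracker. This is an added example, not the patent's implementation: the event shape, the rule for what makes a chain malicious (`MALICIOUS_PATTERN`), the choice to categorize the process that started the chain, and all process names and paths are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    process: str          # process that triggered the event
    action: str           # what it did
    variables: frozenset  # values the event touched (paths, task names, ...)

# Assumption: a chain is malicious when its actions contain this ordered
# sequence. The abstract does not define the rule.
MALICIOUS_PATTERN = ("write_file", "create_task", "execute")

class EventTracker:
    def __init__(self):
        self.events = []                     # stored event data (steps 1-2)
        self.by_variable = defaultdict(set)  # variable -> event indices
        self.categories = defaultdict(lambda: "uncategorized")

    def record(self, process, action, *variables):
        idx = len(self.events)
        self.events.append(Event(process, action, frozenset(variables)))
        for v in variables:
            self.by_variable[v].add(idx)
        chain = self._chain(idx)             # steps 3-4
        if self._is_malicious(chain):        # step 5
            # Simplification: categorize the process that started the chain.
            self.categories[self.events[chain[0]].process] = "malicious"
        return [self.events[i] for i in chain]

    def _chain(self, start):
        # Follow shared variables transitively; indices sort into time order.
        seen, todo = {start}, [start]
        while todo:
            for v in self.events[todo.pop()].variables:
                new = self.by_variable[v] - seen
                seen |= new
                todo.extend(new)
        return sorted(seen)

    def _is_malicious(self, chain):
        actions = iter(self.events[i].action for i in chain)
        return all(step in actions for step in MALICIOUS_PATTERN)

def demo():
    # Constructed sample events: three processes with no parent/child link.
    t = EventTracker()
    t.record("dropper.exe", "write_file", r"C:\Temp\upd.dll")
    t.record("notepad.exe", "write_file", r"C:\Users\a\notes.txt")
    t.record("svchost.exe", "create_task", r"C:\Temp\upd.dll", "task:Updater")
    chain = t.record("taskeng.exe", "execute", "task:Updater")
    return t, chain
```

The unrelated `notepad.exe` event shares no variable with the others, so it never joins the chain and stays uncategorized.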