Host-based threats

The endpoint is a valuable source of intelligence for threat hunters

Malware installs and executes on the endpoint but can be lost in the noise of the many benign programs running as well

Some of the important places to look for data while threat hunting include:

  • Processes

  • File systems

  • Windows registry

Windows processes

Examining the current and historical processes running on a system can give a threat hunter a feel for the health of the system

Malware may try to disguise itself as a normal process or openly run as something anomalous

  • Knowledge of common processes and how they behave is essential

Tools like Task Manager, Process Monitor and Process Hacker can be invaluable for identifying threats on Windows systems

Linux processes

Linux also uses the concept of processes for currently-running programs

Command line tools like ps and pstree give visibility into the current state of the machine

  • These commands can also be included in scripts and run as cronjobs to provide automated monitoring and alerting
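An added example (not part of the original notes) that applies the process checks from the Windows and Linux sections above to constructed data: it parses a made-up `ps -eo pid,ppid,user,comm,args --no-headers` listing and compares it against a name baseline and a list of world-writable directories, and it checks a made-up Windows process table for two well-known expectations (svchost.exe is started by services.exe from System32, lsass.exe by wininit.exe). The baseline, the sample listings and the process ids are all constructed; in practice the baseline comes from a known-good image of the same host role, and the check is what a cron job or scheduled task would run.

```python
"""Process-baseline checks over constructed Linux and Windows process data.
Added example; the samples and baseline below are made up for illustration."""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    user: str
    name: str
    path: str  # on-disk executable, "" when unknown or not file-backed


# Constructed output of: ps -eo pid,ppid,user,comm,args --no-headers
PS_SAMPLE = """\
    1     0 root     systemd          /sbin/init
  412     1 root     sshd             /usr/sbin/sshd -D
  733   412 alice    bash             -bash
  901   733 alice    kworker          /tmp/.x/kworker -c 10.0.0.5
  950     1 root     cron             /usr/sbin/cron -f
"""

# Constructed baseline of process names expected on this host role
LINUX_BASELINE = {"systemd", "sshd", "bash", "cron", "kworker/u8:0"}
WRITABLE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
KERNEL_THREAD_PREFIXES = ("kworker", "kthreadd", "ksoftirqd")

# name -> (expected directory, expected parent process name)
WINDOWS_EXPECTED = {
    "svchost.exe": (r"c:\windows\system32", "services.exe"),
    "lsass.exe": (r"c:\windows\system32", "wininit.exe"),
}

# Constructed Windows process table; pid 3120 is the anomaly
WIN_SAMPLE = [
    Proc(4, 0, "SYSTEM", "System", ""),
    Proc(520, 4, "SYSTEM", "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    Proc(600, 520, "SYSTEM", "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(640, 520, "SYSTEM", "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    Proc(812, 600, "SYSTEM", "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(2400, 1500, "bob", "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(3120, 2400, "bob", "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe"),
]


def parse_ps(text):
    """Parse the five-column ps listing into Proc records."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 4)  # args column may contain spaces
        if len(parts) < 5:
            continue
        pid, ppid, user, comm, args = parts
        exe = args.split()[0]
        path = exe if exe.startswith("/") else ""  # "-bash" etc. have no path
        procs.append(Proc(int(pid), int(ppid), user, comm, path))
    return procs


def check_linux(procs, baseline=LINUX_BASELINE):
    """Return (pid, reason) findings for processes that deviate from the baseline."""
    findings = []
    for p in procs:
        if p.name not in baseline:
            findings.append((p.pid, f"process name {p.name!r} not in baseline"))
        if p.path.startswith(WRITABLE_DIRS):
            findings.append((p.pid, f"executing from world-writable dir: {p.path}"))
        # Real kernel threads have no backing file; a name that imitates one but
        # points at a file on disk is a classic disguise.
        if p.name.startswith(KERNEL_THREAD_PREFIXES) and p.path:
            findings.append((p.pid, "kernel-thread name but backed by a file on disk"))
    return findings


def check_windows(procs, expected=WINDOWS_EXPECTED):
    """Return (pid, reason) findings for system processes with the wrong path or parent."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        rule = expected.get(p.name.lower())
        if rule is None:
            continue
        exp_dir, exp_parent = rule
        if not p.path.lower().startswith(exp_dir + "\\"):
            findings.append((p.pid, f"{p.name} running from unexpected path {p.path}"))
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<none>"
        if parent_name != exp_parent:
            findings.append((p.pid, f"{p.name} has parent {parent_name}, expected {exp_parent}"))
    return findings


if __name__ == "__main__":
    for pid, reason in check_linux(parse_ps(PS_SAMPLE)) + check_windows(WIN_SAMPLE):
        print(f"pid {pid}: {reason}")
```

Every finding here comes from pid 901 (a file in /tmp wearing a kernel-thread name) and pid 3120 (svchost.exe launched from a Temp folder by explorer.exe); the legitimate svchost.exe and lsass.exe pass both the path and the parent test. A name-only baseline would miss the Windows case entirely, which is why the parent and path expectations matter.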

File systems

Malware authors and hackers also use and abuse the filesystem to achieve their goals

Taking advantage of how the filesystem operates can enable some attacks like DLL hijacking

Placing and running malicious executables out of unexpected directories can also help conceal malware from detection

  • Who would look for malware in the Recycle Bin?
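An added example (not from the original notes) showing two filesystem hunts that follow from this section, run over a constructed list of Windows paths: executables sitting in directories nobody expects to hold programs (the Recycle Bin, Temp folders), and DLLs that carry the name of a system DLL but live outside the system directories, which is the footprint a DLL search-order hijack leaves behind. The path list and the small set of system DLL names are constructed for illustration; `pathlib.PureWindowsPath` is used so the checks run on any platform.

```python
"""Filesystem hunts over a constructed list of Windows paths.
Added example; the file list and DLL-name set are made up for illustration."""
from pathlib import PureWindowsPath

EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js"}
# Directory names where a program has no business living
HIDING_DIRS = {"$recycle.bin", "recycler", "temp", "tmp"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Constructed subset of well-known system DLL names used as the comparison set
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptsp.dll", "userenv.dll"}

# Constructed file inventory (what a recursive directory listing would yield)
SAMPLE_FILES = [
    r"C:\Windows\System32\version.dll",
    r"C:\Program Files\Acme\acme.exe",
    r"C:\Program Files\Acme\version.dll",
    r"C:\$Recycle.Bin\S-1-5-21-1234\updater.exe",
    r"C:\Users\bob\AppData\Local\Temp\report.pdf",
    r"C:\Users\bob\AppData\Local\Temp\install.ps1",
    r"C:\Users\bob\Documents\notes.txt",
]


def in_system_dir(p: PureWindowsPath) -> bool:
    """True when the path lies directly under System32 or SysWOW64."""
    s = str(p).lower()
    return any(s.startswith(d + "\\") for d in SYSTEM_DIRS)


def find_hidden_executables(paths):
    """Executables whose path passes through a Recycle Bin or Temp directory."""
    out = []
    for raw in paths:
        p = PureWindowsPath(raw)
        if p.suffix.lower() not in EXEC_SUFFIXES:
            continue
        # parts[0] is the drive, parts[-1] the file name; inspect the directories between
        if any(part.lower() in HIDING_DIRS for part in p.parts[1:-1]):
            out.append(raw)
    return out


def find_dll_shadows(paths):
    """DLLs named like a system DLL but stored outside the system directories."""
    out = []
    for raw in paths:
        p = PureWindowsPath(raw)
        if p.name.lower() in SYSTEM_DLLS and not in_system_dir(p):
            out.append(raw)
    return out


if __name__ == "__main__":
    for f in find_hidden_executables(SAMPLE_FILES):
        print("executable in hiding directory:", f)
    for f in find_dll_shadows(SAMPLE_FILES):
        print("system DLL name outside system dir:", f)
```

The shadow check is a triage signal, not a verdict: some applications legitimately ship private copies of a DLL. The follow-up is to compare the file's signature and hash with the System32 copy and to confirm which one the application actually loads (Process Monitor's file-system events show the load order directly).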

Windows registry

The Windows Registry stores a variety of configuration data used by the operating system

This includes the list of processes to run upon startup and other useful tidbits

Malware authors take advantage of the registry to enable persistence and develop fileless malware

  • This makes detection and removal of malware more difficult
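An added example (not from the original notes) of hunting the registry persistence this section describes. It parses a constructed `.reg` export, keeps only values under Run and RunOnce keys, and flags two things: entries that launch an executable from an unusual location, and entries whose "program" is really a script host carrying an inline or encoded payload, which is what a fileless persistence entry looks like on disk. The registry export, the value names and the placeholder payloads are all constructed; the interpreter and marker lists are an illustrative starting set, not a complete one.

```python
"""Hunt for suspicious autostart entries in a constructed .reg export.
Added example; every key, value and payload below is made up for illustration."""
import re

# Constructed export of the per-user Run key plus one unrelated key
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Acme]
"Setting"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="powershell.exe -w hidden -enc <base64-placeholder>"
"Helper"="C:\\Users\\Public\\svc.exe"
"Sync"="mshta.exe \"javascript:<script-placeholder>\""
'''

# Script hosts paired with markers that indicate an inline or encoded payload
FILELESS_MARKERS = {
    "powershell": ("-enc", "-e ", "iex", "invoke-expression", "downloadstring", "frombase64string"),
    "pwsh": ("-enc", "-e ", "iex", "invoke-expression", "downloadstring", "frombase64string"),
    "mshta": ("javascript:", "vbscript:", "http"),
    "rundll32": ("javascript:",),
    "regsvr32": ("/i:", "scrobj"),
    "wscript": ("http",),
    "cscript": ("http",),
}
# Locations an autostart program rarely lives in legitimately
UNUSUAL_DIRS = ("\\temp\\", "\\$recycle.bin\\", "\\users\\public\\")
AUTOSTART_KEY = re.compile(r"\\run(once)?$")


def parse_reg_run_keys(text):
    """Return (key, value_name, value) tuples from Run/RunOnce keys in a .reg export."""
    entries = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"(.+?)"="(.*)"$', line)
        if m and key and AUTOSTART_KEY.search(key.lower()):
            name = m.group(1)
            # .reg files escape quotes and backslashes inside string values
            value = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            entries.append((key, name, value))
    return entries


def classify(value):
    """Reasons an autostart command deserves a closer look; empty list if none."""
    v = value.lower()
    reasons = []
    for interp, markers in FILELESS_MARKERS.items():
        if interp in v and any(mk in v for mk in markers):
            reasons.append(f"script host {interp} with inline or encoded payload")
    if any(d in v for d in UNUSUAL_DIRS):
        reasons.append("program launched from an unusual location")
    return reasons


def hunt_run_keys(text):
    """Return (value_name, reasons) for every flagged autostart entry."""
    return [(name, classify(val)) for _, name, val in parse_reg_run_keys(text) if classify(val)]


if __name__ == "__main__":
    for name, reasons in hunt_run_keys(REG_SAMPLE):
        print(f"{name}: {'; '.join(reasons)}")
```

Note that the OneDrive entry is not flagged even though it lives under AppData: per-user software installs there routinely, so treating all of AppData as suspicious would bury the real findings in noise. Narrower locations (Temp, Public, the Recycle Bin) and the interpreter-plus-payload pattern give a far better signal, and the same parser can be pointed at an export of the HKLM Run keys and the Winlogon and Services keys to widen the hunt.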

Hunting tools

When threat hunting on the endpoint, a variety of different tools exist

Both platforms have options for searching for each type of threat

The tool to use depends on both the environment that you're searching in (registry, file system, processes, etc.) and the threat that you are searching for

Many tools allow automation, making it easier to perform threat hunting at scale
