Online Courses
Cyber Threat Hunting

Process hierarchy

Both Windows and Unix/Linux organise running processes into a hierarchy (a tree)

  • Every process except the root(s) of the tree is the child of some other process, and each process records the PID of its parent (the PPID)

Looking for irregularities in this hierarchy can help detect impersonators: malware that borrows the name of a legitimate system process but is started by the wrong parent or from the wrong path

  • For example, svchost.exe is normally a direct child of services.exe and runs from %SystemRoot%\System32. An svchost.exe with any other parent (explorer.exe, cmd.exe, a browser) or path is a high-priority lead that should be investigated; legitimate exceptions are rare and documented, so treat the finding as a lead rather than an automatic verdict

Knowledge of the normal hierarchy for common processes on Windows and Linux is a valuable tool for a threat hunter

Process hijacking

Some malware will take over an existing, legitimate process and execute inside its memory space, inheriting its permissions and its trusted name

This can be accomplished in a variety of ways:

  • Function hooks (redirecting the process's calls to attacker code, e.g. import-table hooks on Windows or an LD_PRELOAD library on Linux)

  • Inline modifications/patching (overwriting the first instructions of a function in memory so that it jumps to attacker code)

  • DLL injection (forcing the victim process to load an attacker-supplied library)

As a result, the code running in memory no longer matches the executable image saved on disk: code sections that have been patched no longer hash to the same value as the file, and the process shows memory that has no legitimate backing file

  • They may also have unusual dependencies/imports: a loaded DLL or shared object from an unexpected path, an anonymous region of memory that is both writable and executable, or a mapped file that has since been deleted from disk
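A Linux-side check for the signs just described, written as an added example for this page (it is not code from the course). It reads the text of /proc/<pid>/maps and the bytes of /proc/<pid>/environ and flags anonymous executable memory, code mapped from untrusted directories, mappings whose backing file has been deleted or replaced, and LD_PRELOAD-style loader hooks. The maps and environ content below is constructed to look like a hypothetical compromised nginx worker; the list of untrusted directories is an assumption to tune per environment.

```python
"""Look for signs that a Linux process's in-memory image no longer matches
what is on disk, or that it has loaded code from somewhere it should not.

Works on the text of /proc/<pid>/maps and the bytes of /proc/<pid>/environ.
The two samples below are constructed for this example (a hypothetical
nginx worker); on a live host read the real files, e.g.
open(f"/proc/{pid}/maps").read() and open(f"/proc/{pid}/environ", "rb").read().
"""

# Directories a legitimate service has no business loading code from (assumption).
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/run/user/")
# Kernel-provided mappings that are executable by design.
KERNEL_PSEUDO = {"[vdso]", "[vsyscall]"}
# Environment variables that make the dynamic loader hook or redirect code.
LOADER_HOOK_VARS = (b"LD_PRELOAD=", b"LD_AUDIT=", b"LD_LIBRARY_PATH=")

# Constructed sample: one injected rwx region, one hook library from /tmp,
# and a loader whose backing file was replaced after the process started.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 131        /usr/sbin/nginx
00651000-00652000 r--p 00051000 08:01 131        /usr/sbin/nginx
00652000-00653000 rw-p 00052000 08:01 131        /usr/sbin/nginx
01a2e000-01a4f000 rw-p 00000000 00:00 0          [heap]
7f3c1c000000-7f3c1c021000 rwxp 00000000 00:00 0
7f3c1d000000-7f3c1d1b5000 r-xp 00000000 08:01 4521  /lib/x86_64-linux-gnu/libc-2.31.so
7f3c1d3c0000-7f3c1d3c5000 r-xp 00000000 08:01 9011  /tmp/.x/libhook.so
7f3c1d5c0000-7f3c1d5e9000 r-xp 00000000 08:01 4510  /lib/x86_64-linux-gnu/ld-2.31.so (deleted)
7ffd9a8c0000-7ffd9a8e1000 rw-p 00000000 00:00 0          [stack]
7ffd9a9f0000-7ffd9a9f2000 r-xp 00000000 00:00 0          [vdso]
"""
# Constructed sample environ: NUL-separated, as the kernel presents it.
SAMPLE_ENVIRON = b"LD_PRELOAD=/tmp/.x/libhook.so\0PATH=/usr/sbin:/usr/bin\0HOME=/nonexistent\0"


def parse_maps(text):
    """Yield (perms, path) per mapping; path is '' for anonymous memory."""
    for line in text.splitlines():
        parts = line.split(None, 5)  # address perms offset dev inode [pathname]
        if len(parts) < 5:
            continue
        yield parts[1], (parts[5].strip() if len(parts) == 6 else "")


def maps_findings(maps_text):
    """Return (reason, perms, path) for each suspicious mapping, in file order."""
    findings = []
    for perms, path in parse_maps(maps_text):
        if path in KERNEL_PSEUDO:
            continue
        executable = "x" in perms
        reason = None
        if path.endswith("(deleted)"):
            # The file backing this mapping was removed or replaced: what
            # runs in memory can no longer be compared against disk.
            reason = "backing file deleted or replaced on disk"
        elif executable and not path.startswith("/"):
            # Code in anonymous memory, the heap or the stack: typical of
            # injected shellcode or a manually mapped payload (JITs do it too).
            reason = "executable anonymous/heap/stack mapping"
        elif executable and path.startswith(UNTRUSTED_DIRS):
            reason = "code mapped from untrusted directory"
        elif executable and "w" in perms:
            reason = "writable and executable file mapping"
        if reason:
            findings.append((reason, perms, path or "<anon>"))
    return findings


def environ_findings(environ_bytes):
    """Return loader-hook variables (LD_PRELOAD etc.) present in the environment."""
    return [e.decode(errors="replace") for e in environ_bytes.split(b"\0")
            if e.startswith(LOADER_HOOK_VARS)]


if __name__ == "__main__":
    for f in maps_findings(SAMPLE_MAPS):
        print("maps   :", *f)
    for e in environ_findings(SAMPLE_ENVIRON):
        print("environ:", e)
```

Every hit here is a lead, not a verdict: a "(deleted)" backing file also appears when a package upgrade replaces a library under a long-running service, JIT runtimes (Java, browsers) legitimately create anonymous executable regions, and LD_PRELOAD is sometimes set on purpose for an alternative allocator. Corroborate by hashing /proc/<pid>/exe against the package's copy and by checking who set the environment variable and when the process started.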

Checking process info

Windows

Microsoft provides several tools for inspecting processes on Windows:

  • Task Manager (built in; its Details tab can be configured to show PID, image path and command line)

  • Process Explorer, from Sysinternals (parent/child tree, loaded DLLs, image path and Authenticode signature verification for each process)

  • Process Monitor, from Sysinternals (real-time file, registry, network and process/thread activity, with a process tree view)

Process Hacker (now maintained under the name System Informer) is another great choice for Windows process analysis. For scripted checks, Get-CimInstance Win32_Process in PowerShell returns ProcessId, ParentProcessId, Name and ExecutablePath for every process

Linux/Unix

On Linux and Unix, the built-in ps command lists the currently running processes

  • Different flags select different columns and formats: ps -eo pid,ppid,user,lstart,cmd gives every process with its parent PID, owner, start time and full command line, and ps -ef --forest draws the parent-child relationships as ASCII art

  • Its output is plain text, so ps can be run from, or have its output piped into, scripts for analysis

To view the hierarchy of processes on Linux, use pstree (pstree -p includes PIDs, pstree -a includes command-line arguments)
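The following script ties the two threads of this page together: it rebuilds a process tree from a PID/PPID listing of the kind ps (or a PowerShell Win32_Process query) produces, and checks the parent-child pairs against the normal hierarchy discussed above, including the svchost.exe/services.exe rule. It is an added example, not code from the course. The expected-parent table and the list of parents that should not spawn a shell are illustrative assumptions to adapt to the environment; both sample listings are constructed, not captured from a real host.

```python
"""Rebuild a process tree from a PID/PPID listing and flag parent-child
pairs that break the normal hierarchy.

Input is the plain text of `ps -eo pid,ppid,comm` (Linux/Unix).  A Windows
listing with the same three whitespace-separated columns (for example
`Get-CimInstance Win32_Process | Select-Object ProcessId,ParentProcessId,Name`
printed as a table) parses the same way.  The sample listings below are
constructed for this example.
"""
from collections import defaultdict

# Well-known Windows system processes and the parent each normally has
# (assumed baseline; extend it with the environment's own known-good lineage).
WINDOWS_EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "csrss.exe": {"smss.exe"},
}

# Shells and script hosts, and parents that should not normally spawn them.
# A web/database server or an Office document doing so is a classic
# post-exploitation pattern (assumed lists; tune per environment).
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "wscript.exe"}
NO_SHELL_PARENTS = {"nginx", "apache2", "httpd", "mysqld", "postgres",
                    "winword.exe", "excel.exe", "outlook.exe"}

# Constructed Windows listing: one svchost.exe under explorer.exe and
# PowerShell launched from Word.  explorer's parent (userinit) has exited.
WINDOWS_SAMPLE = """\
PID  PPID NAME
4    0    System
368  4    smss.exe
488  368  csrss.exe
552  368  wininit.exe
640  552  services.exe
660  552  lsass.exe
812  640  svchost.exe
3200 4488 explorer.exe
2100 3200 svchost.exe
3300 3200 WINWORD.EXE
3400 3300 powershell.exe
"""
# Constructed Linux listing (ps -eo pid,ppid,comm): an nginx worker spawning bash.
LINUX_SAMPLE = """\
  PID  PPID COMMAND
    1     0 systemd
    2     0 kthreadd
  812     1 sshd
 1433   812 sshd
 1440  1433 bash
  950     1 nginx
  951   950 nginx
 2077   951 bash
 2090  2077 curl
"""


def parse_listing(text):
    """Parse 'PID PPID NAME' rows (header optional) into {pid: (ppid, name)}."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit() or not parts[1].isdigit():
            continue  # header line or something we cannot interpret
        procs[int(parts[0])] = (int(parts[1]), parts[2].strip())
    return procs


def render_tree(procs):
    """Return pstree-style indented lines.  A PID whose parent is absent from
    the listing (already exited) is shown as a root of its own."""
    children = defaultdict(list)
    for pid, (ppid, _) in procs.items():
        children[ppid].append(pid)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{procs[pid][1]}({pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(p for p, (ppid, _) in procs.items() if ppid not in procs):
        walk(root, 0)
    return lines


def find_anomalies(procs):
    """Return sorted (pid, name, parent_name, reason) tuples for rule violations."""
    findings = []
    for pid, (ppid, name) in procs.items():
        parent = procs[ppid][1] if ppid in procs else "<parent exited>"
        n, p = name.lower(), parent.lower()
        if n in WINDOWS_EXPECTED_PARENT and p not in WINDOWS_EXPECTED_PARENT[n]:
            findings.append((pid, name, parent, "unexpected parent"))
        if n in SHELLS and p in NO_SHELL_PARENTS:
            findings.append((pid, name, parent, "shell spawned by unexpected parent"))
    return sorted(findings)


if __name__ == "__main__":
    for label, sample in (("Windows", WINDOWS_SAMPLE), ("Linux", LINUX_SAMPLE)):
        procs = parse_listing(sample)
        print(f"== {label} ==")
        print("\n".join(render_tree(procs)))
        for pid, name, parent, reason in find_anomalies(procs):
            print(f"!! {name}({pid}) parent={parent}: {reason}")
```

Two caveats when running this against real listings: a PPID only identifies the parent while that parent is alive, so on Windows a PPID can already have been reused by an unrelated process (compare creation times before trusting the link), and on Linux the comm field is limited to 15 characters and can be set by the process itself, so confirm the name against /proc/<pid>/exe before escalating a hit.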


Last updated 9 months ago