Threat Hunting for Suspicious Registry and System File Changes

Information security professionals are normally tasked with investigating threats that have already been detected on their networks. What happens when you suspect that your network is under attack but are not sure where the malware is or what it will do next? This article details how to threat hunt on your network by analyzing suspicious registry and system file changes.

Indicators of Compromise

Indicators of Compromise, or IoCs, are pieces of forensic data, typically found in system files, registry entries and log entries, that point to potentially malicious activity on a network or host. Information security professionals follow IoCs like a trail of breadcrumbs to determine where attacks are occurring and which attack patterns they are facing.

Suspicious Registry and System File Changes are Indicators of Compromise

Suspicious registry and system file changes appear on most standard lists of the 10 to 15 IoCs that information security professionals rely on when threat hunting. One reason they qualify as IoCs is that an attacker who wants malware to survive a reboot or logoff must establish persistence on the infected host, and the most common ways to do that are registry changes and system file changes.
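The system file side of this can be checked with a hash baseline. The following is an added example written for this article, not code from the original post: it hashes every file under a directory tree, keeps the result as a baseline, and reports which files were later added, removed or modified. The directory tree and the three changes made to it are constructed for the demonstration (the paths imitate a Windows system32 tree, but the script runs on any OS), and the hostname in the edited hosts file is made up.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large binaries are not loaded into memory


def sha256_file(path):
    """SHA-256 of one file, streamed."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # links and special files are not part of the baseline
            result[p.relative_to(root).as_posix()] = sha256_file(p)
    return result


def diff_snapshots(baseline, current):
    """Classify differences between two snapshots as added / removed / modified paths."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def run_demo():
    """Constructed scenario: a fake system tree, a baseline, then three changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        etc = root / "system32" / "drivers" / "etc"
        etc.mkdir(parents=True)
        (root / "system32" / "kernel32.dll").write_bytes(b"original kernel32")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "system32" / "winhelp.exe").write_bytes(b"legacy help")
        baseline = snapshot(root)  # in practice: taken from a known-clean image, stored off-host

        # Constructed attacker activity: redirect an update hostname in the hosts
        # file, drop a DLL for search-order hijacking, delete a binary.
        (etc / "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 update.example.test\n")
        (root / "system32" / "version.dll").write_bytes(b"dropped")
        (root / "system32" / "winhelp.exe").unlink()
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

The baseline must be taken from a known-clean build and kept somewhere the monitored host cannot write to; an attacker with administrative rights can otherwise rewrite the baseline along with the files. On Windows, a hash mismatch on a file under the Windows directory is worth cross-checking against the file's Authenticode signature before calling it malicious, since patching legitimately changes system binaries.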

What is Persistence?

Malware that has been dropped on a host does not keep running by itself: once its process exits, the user logs off or the machine reboots, something has to launch it again. The mechanism that does this is called a persistence mechanism. Commonly used examples include AutoStart locations in the registry (such as the Run and RunOnce keys), scheduled tasks and cron jobs, and boot process redirection by bootkits. Malware that is waiting on its persistence mechanism may not have left any other trail yet, which makes the mechanism itself (the registry value, scheduled task or modified system file it relies on) the first place for an information security professional to look.
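As an added example (not code from the original post), the script below triages the most common AutoStart location, the Run keys, from a `reg export` file so that review can happen offline. The .reg text, the single known-good baseline entry and the heuristic lists (user-writable directories, living-off-the-land binaries, system binary names) are this example's own constructed assumptions, and the flag names are invented for the report.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `reg export` output (Regedit 5.00 format), not data from a
# real host: a legitimate OneDrive entry, a fake "svchost" in the user profile, an
# encoded PowerShell one-liner, a clean HKLM value stored as REG_EXPAND_SZ (exported
# as hex(2) UTF-16LE bytes with line continuations) and a rundll32 loader whose DLL
# sits in ProgramData.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"
"Sync"="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"=hex(2):25,00,77,00,69,00,6e,00,64,00,69,00,72,00,25,00,5c,00,73,00,79,00,\
  73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,53,00,65,00,63,00,75,00,72,00,69,00,74,00,\
  79,00,48,00,65,00,61,00,6c,00,74,00,68,00,53,00,79,00,73,00,74,00,72,00,61,00,79,00,\
  2e,00,65,00,78,00,65,00,00,00
"Loader"="rundll32.exe C:\\ProgramData\\update.dll,Start"
"""

# Assumed baseline: exact Run commands captured from a known-clean build of the same
# image. Matching commands are suppressed before any heuristic runs.
KNOWN_GOOD = {
    r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
# Heuristic lists: this example's assumptions, not an authoritative catalog.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe", "msiexec.exe"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "explorer.exe"}

_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # Undo .reg escaping: a backslash quotes the character that follows it.
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(v):
    if v.startswith('"') and v.endswith('"'):
        return _unescape(v[1:-1])                      # REG_SZ
    if v.startswith("hex(2):"):                        # REG_EXPAND_SZ as UTF-16LE bytes
        raw = bytes(int(b, 16) for b in v[7:].split(",") if b)
        return raw.decode("utf-16-le").rstrip("\x00")
    return v                                           # dword:, hex:, ... kept raw


def parse_reg_export(text):
    """Parse a Regedit 5.00 export into {key: {value_name: value}}."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # a trailing backslash continues a hex value
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is not None and m:
            name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
            keys[current][name] = _decode_value(m.group(2))
    return keys


def split_command(cmd):
    """Return (executable, arguments) for a Run-value command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:                                  # unbalanced quote: rest is the exe
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def flag_autostart(command):
    """Return the heuristic flags raised by one autostart command (empty list if none)."""
    exe, args = split_command(command)
    low = exe.lower().replace("%windir%", "c:\\windows").replace("%systemroot%", "c:\\windows")
    base = PureWindowsPath(low).name
    flags = []
    if base in LOLBINS:
        flags.append("lolbin")
    if any(marker in low for marker in USER_WRITABLE):
        flags.append("user_writable_path")
    if base in SYSTEM_NAMES and "\\windows\\" not in low:
        flags.append("system_name_outside_windows")     # masquerading as a system binary
    if base in ("powershell.exe", "pwsh.exe") and re.search(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s", args):
        flags.append("encoded_powershell")
    if re.search(r"(?i)-w(?:indowstyle)?\s+hidden", args):
        flags.append("hidden_window")
    if base in LOLBINS and any(marker in args.lower() for marker in USER_WRITABLE):
        flags.append("payload_in_user_writable_path")   # script/DLL argument in a user-writable dir
    return flags


def triage_reg_export(text):
    """Report every autostart value outside the baseline that raises at least one flag."""
    findings = []
    for key, values in parse_reg_export(text).items():
        for name, command in values.items():
            if command in KNOWN_GOOD:
                continue
            flags = flag_autostart(command)
            if flags:
                findings.append({"key": key, "name": name, "command": command, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in triage_reg_export(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']}: {', '.join(f['flags'])}\n    {f['command']}")
```

Running it reports the fake svchost, the encoded PowerShell value and the rundll32 loader, and stays quiet about OneDrive (baselined) and the expanded SecurityHealth path. A real hunt would export the other AutoStart locations as well (RunOnce, the Winlogon Shell and Userinit values, Services) and normalize user profile paths before comparing with the baseline, since an exact-match baseline keyed on one username does not transfer across hosts.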

Threat-Hunting Suspicious Registry Changes

The best place to start in threat hunting, in this case, is by searching in the registry itself. How do we begin to threat hunt when (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/EEJutHzeRok/