Episode 58 — Identify Malicious Code, TTPs, and Host Artifacts
In Episode Fifty-Eight, titled “Identify Malicious Code, T T P s, and Host Artifacts,” we treat host analysis as rapid pattern recognition backed by verifiable artifacts you can pull on demand. The goal is to see behaviors first, then confirm them with traces that stand up to peer review and post-mortems. We will name the common families of malicious code, tie them to the tactics, techniques, and procedures they favor, and show where solid evidence appears on real endpoints. Think of this as training your eye to notice recurring shapes in process trees, file systems, memory, and telemetry, then proving those shapes with hashes, logs, and captures so containment is decisive rather than tentative.
Malicious code tends to fall into workable categories that map cleanly to observable host behaviors. Droppers deliver the next stage and often arrive as scripts or self-extracting archives; loaders live longer and fetch payloads on demand, leaving telltale network handshakes and modular process trees. Ransomware couples rapid file enumeration with write bursts and crypto library imports, then renames or appends markers while stopping services that lock files. Information stealers watch for browser credential stores, cryptocurrency wallets, and clipboard patterns, then compress loot into small archives prepared for exfiltration. When you describe a suspicious process, try to assign it to one of these categories and ask which on-host behaviors should appear next; that framing accelerates both triage and evidence collection.
Credential access techniques leave crisp artifacts if you instrument the right places. Local Security Authority (L S A) dumps involve suspicious handle access to lsass.exe, unexpected minidumps in temp paths, and kernel callbacks that protection drivers will log when enabled. Browser store targeting appears as access to login data databases, cryptographic API calls in unusual processes, and rapid reads of profile directories. Keylogging produces low-level hooks, driver loads, or steady file writes that match pressed-key cadence. Immediate containment triggers are simple and firm: terminate the offending process tree, isolate the host from sensitive network zones, force credential resets for identities present on the machine, and snapshot volatile evidence before memory rotates. These moves cut off reuse while preserving the story you will need to tell.
Collection and staging are the quiet middle chapters before data leaves, and they reward patient filesystem and handle inspection. Look for temporary archives in odd places, unusual compression utilities dropped next to business files, and hidden directories with innocuous names that hold disproportionate volume. Stagers often walk directory trees in alphabetical order, skip already-encrypted formats, and create lists of target paths before compressing to a single working file. Reliable signals include spikes in file open handles, creation of .zip or .7z archives in user temp paths, and anti-forensic attempts to set attributes that hide or system-flag staging folders. When you see these, you are minutes to hours from an exfiltration attempt; treat them as a pre-alarm rather than a curiosity.
Exfiltration channels tend to be simple and popular, but their timing and entropy make them stand out against baseline. Hypertext Transfer Protocol Secure (H T T P S) beacons that carry data do so in steady intervals with payload sizes that differ from casual browsing; Domain Name System (D N S) tunneling encodes data in labels, yielding long, high-entropy queries to a small set of newly observed domains; cloud drive abuse uploads blocks in rapid succession to consumer endpoints that your policy may not bless. You do not need decryption to notice these shapes; you need destination reputation, size and timing analysis, and clear allowlists for sanctioned services. When outbound precision is high, deviations are loud, and you can interdict without taking down legitimate work.
Host artifacts are your proof kit, and collecting them systematically reduces guesswork. Process trees tell lineage and intent; hashes anchor files to intelligence; loaded module lists expose injection and hollowing; network connections correlate with flow data; prefetch entries on Windows reveal execution history and frequency; and event logs record who did what and when. When possible, enrich these with command lines, current working directories, token information, and parent image signatures. A small set of artifacts, gathered consistently in the same order, lets different responders reach the same conclusion without arguing hunches. The pattern is simple: tell a short story, then point to the artifacts that make it undeniable.
Endpoint detection and response, or E D R, telemetry, Y A R A rules, and known-good baselines are your confidence multipliers when humans are tired and time is short. E D R gives you process lineage, command-line capture, file and registry touches, and user context in one place; Y A R A describes byte and string patterns for families you care about and can be applied to memory or disk; known-good baselines let you say that a module list, service set, or autorun profile deviates from a stable norm. Use these together: baseline to highlight drift, E D R to narrate the drift as actions, and Y A R A to label the family when signatures exist. This stack lifts detection from “looks weird” to “matches behavior X with these corroborating signals,” which is what containment decisions deserve.
Adversaries try to spoil your trail, but most anti-forensic behaviors are themselves detectable. Timestamp stomping creates clusters of identical creation or modification times that do not match user activity; log clearing leaves gap patterns and event-ID sequences that jump; Alternate Data Streams (A D S) on N T F S hide payloads behind innocent names yet still reveal themselves in stream-aware listings. Mitigation approaches include forwarding logs off-host in near real time, protecting critical logs from tampering, monitoring for suspicious use of time-setting utilities, and scanning for non-resident streams on directories where they do not belong. Even when evidence is thinned, residue remains if you know which corners to sweep first.
A short scenario shows the analysis rhythm from suspicion to action. An analyst notices a new parentless powershell.exe spawning 7z.exe with a long command line reading user profiles and building an archive in a temp folder. Process lineage from E D R shows the parent was spawned by a signed tool, rundll32.exe, with an unusual working directory under a user-writable path, and network telemetry shows periodic H T T P S posts to an unapproved domain. The responder kills the process tree, isolates the host from sensitive subnets, preserves volatile data, and collects hashes and prefetch entries for the involved binaries. A Y A R A scan tags the loader family, registry checks reveal a new scheduled task, and a quick credential review flags an administrator token present during execution. Credentials are reset, the scheduled task is removed, the archive is quarantined, and the egress rule is tightened to block the destination while similar patterns are hunted fleetwide.
We will close with two concrete, durable moves that turn today’s material into muscle memory. First, build a host artifact checklist that names exactly what to collect on Windows, Linux, and macOS—process tree, hashes, modules, sockets, autoruns, prefetch where applicable, key event logs, and a minimal memory capture when allowed—along with the commands or tools your team will use and the order of operations. Second, stand up a lab replay using safe samples, simulators, or red-team scripts that exercise the behaviors you care about—persistence via scheduled tasks, process hollowing cues, small H T T P S beacons, and D N S-label staging—so analysts can practice pulling artifacts and confirming conclusions. When those two assets exist and are used routinely, host analysis stops being a scavenger hunt and becomes a reliable, teachable craft.
