惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

SecWiki News
SecWiki News
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
V
Visual Studio Blog
博客园 - 叶小钗
S
SegmentFault 最新的问题
IT之家
IT之家
大猫的无限游戏
大猫的无限游戏
博客园_首页
Apple Machine Learning Research
Apple Machine Learning Research
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
月光博客
月光博客
酷 壳 – CoolShell
酷 壳 – CoolShell
腾讯CDC
D
Darknet – Hacking Tools, Hacker News & Cyber Security
V
V2EX
阮一峰的网络日志
阮一峰的网络日志
L
Lohrmann on Cybersecurity
量子位
C
Cyber Attacks, Cyber Crime and Cyber Security
T
Tor Project blog
J
Java Code Geeks
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
博客园 - 三生石上(FineUI控件)
Attack and Defense Labs
Attack and Defense Labs
AI
AI
The Cloudflare Blog
T
Tailwind CSS Blog
S
Schneier on Security
爱范儿
爱范儿
PCI Perspectives
PCI Perspectives
Stack Overflow Blog
Stack Overflow Blog
S
Secure Thoughts
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
T
The Exploit Database - CXSecurity.com
博客园 - 【当耐特】
V2EX - 技术
V2EX - 技术
S
Securelist
P
Proofpoint News Feed
T
Threat Research - Cisco Blogs
Help Net Security
Help Net Security
C
Cisco Blogs
N
News and Events Feed by Topic
人人都是产品经理
人人都是产品经理
B
Blog RSS Feed
K
Kaspersky official blog
T
The Blog of Author Tim Ferriss
G
Google Developers Blog
S
Security Affairs
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Simon Willison's Weblog
Simon Willison's Weblog

Intel 471 Blog

TeamPCP Supply Chain Attacks Turning Geopolitical Tension into Actionable Intelligence CVE-2025-68613: Zerobot botnet exploits critical vulnerability impacting n8n AI orchestration platform Introducing Cyber Threat Exposure Bundle: A Unified Approach to External Risk CVE-2026-20127: Critical Cisco SD-WAN vulnerability exploited in wild Handala Threat Group OpenClaw: A viral AI assistant and a magnet for infostealer malware and ClickFix trickery Israeli, US strikes against Iran triggers a surge in hacktivist activity CVE-2026-1731: Finding a critical RCE in an age of AI-driven vulnerability research Born to bypass MFA: Taking down Tycoon 2FA The UK Cyber Security Resilience Bill How AI and the human advantage beat tomorrow’s threats Winter Olympics 2026: Hacktivism Surges Ahead of Protests and Suspected Sabotage How Threat Hunting and “Good” Metrics Help The Business Likely fake ransomware operator 0APT causes panic — Our analysis Hunting APTs: from state policy to TTPs CrazyHunter Ransomware DevMan Ransomware Introducing HUNTER Tuning: a New Tool for Driving Behavioral Threat Hunt Detections Battling check fraud in the U.S. Gootloader Malware Update Shai-Hulud Worm 2.0 New FvncBot Android banking trojan targets Poland White Paper Preview: Black "Fraud Day” and Beyond — The Key Cyber Threats Facing the Retail Sector this Holiday Season Threat hunting case study: Detecting IAB activity Using deception to extract cyber threat intelligence Lynx Ransomware Qilin Ransomware Group ClickFix: Tricking users into installing infostealers Cybercrime Takedowns: Trust, Partnerships and Focus How card fraud is powered by underground card checkers Tracking down The Com Turning Chaos into Clarity: The Next Phase of Intel 471’s Geopolitical Intelligence Solution The FBI’s Group 78: Covertly fighting ransomware? How threat actors bypass multifactor authentication Crimson Collective In a digital age, US paper check fraud flourishes How you can defend against AI-driven fraud and phishing Detecting cybercriminal activity on Telegram NPM - Shai-Hulud Worm Threat hunting case study: ToolShell AMOS Stealer How AI can (and can’t) help in threat hunting The Phrack leak: Examining an APT’s workstation How initial access offers power intrusions and ransomware Drawing value from cyber threat intelligence “Pig-Butchering” Scams: The Dark Side of Social Engineering and Why Terminology Matters After disruption, XSS cybercrime forum faces loss of trust Update: Salt Typhoon Bridging the CTI Gap: New Exposure Modules on Verity471 Deliver Market-Disrupting Views of Threats Introducing Verity471: Cyber Threat Intelligence Ready to Operationalize FileFix Social Engineering Technique Guided Threat Hunts Takes Your Behavioral Threat Hunting to the Next Level Defending against doxing CVE-2025-53770 - Microsoft Sharepoint Mass Exploitation (ToolShell) Threat hunting case study: Lumma infostealer Pro-Russian hacktivism: Shifting alliances, new groups and risks mommy Access Broker NATO summit commences in tandem with tense cyber, kinetic conflict A look at ‘Tinker,’ Black Basta’s phishing fixer, negotiator Threat hunting case study: DragonForce Two critical challenges facing CTI teams and how to overcome them: Intel 471’s additional insights into the SANS 2025 CTI Survey Android malware trends: Stealthier, easier-to-use Fingerprinting threat actors by their anonymity techniques DanaBot malware disrupted, threat actors named Intel 471 brings HUNTER behavioral threat hunts to Google Security Operations SANS 2025 CTI Survey: It’s Business Time for Cyber Risk How an alleged Russian hacker slipped away Threat hunting case study: Medusa ransomware CVE-2025-31324 - SAP NetWeaver Vulnerability DragonForce Ransomware Managing a cyber crisis LabHost: A defunct but potent phishing service Understanding and threat hunting for RMM software misuse Threat-hunting case study: Windows Management Instrumentation abuse VanHelsing Ransomware An in-depth look at Black Basta's TTPs Six Key Takeaways From the SANS 2025 Threat Hunting Survey Update: Medusa Ransomware Writing high-quality IDS detection rules Threat hunting case study: RMM software Update: LockBit Ransomware Zservers: Bulletproof hosting for online crime Update: Black Basta Ransomware and Threat Group Black Basta exposed: A look at a cybercrime data leak BadPilot Campaign The evolution of Russian cybercrime Android trojan TgToxic updates its capabilities Threat hunting case study: SocGholish DeepSeek AI poses cybersecurity risks Law enforcement hammered cybercrime in 2024. Is it working? Remote Monitoring and Management (RMM) Abuse How threat actors are using artificial intelligence Threat hunting case study: PsExec How ransomware may trend in 2025 What 2025 May Hold for Cybersecurity Bring Your Own Hunts to HUNTER ‘Tis the Season to Be Alert for Cyber Threats: 5 Unjoyful Holiday Tactics Collecting Useful CTI from Underground Markets Expanding source coverage: adding Signal chats to threat intelligence
You Can Only Hunt What You Can See: Best Endpoint Log Sources for Threat Hunting
Intel 471 · 2020-09-30 · via Intel 471 Blog

In a previous blog we discussed how crucial network log data is for threat hunters. The data provided by network logs offers valuable information about how an actor is communicating in and out of an environment. However, this is only one side of the threat hunting data coin. We also need a full slate of log data on the endpoint in order to understand what the attackers are doing once they establish a beachhead on a system.

Many organizations choose to limit their overall collection of endpoint logs, restricting collection solely to critical systems and servers, often due to the sheer volume of data that a whole portfolio of endpoints can put out every day. While there are a number of methods to manage this, organizations often leverage endpoint detection and response (EDR) platforms, which typically stream data to the cloud storage. Other organizations may face data residency issues, and in which case other on-premise (on-prem) solutions may be a better fit. Regardless, at the end of the day, the lesson is that the following data sources can be extremely useful for effective threat hunting.

Windows Event Logging

Windows event logging (WEL), a default administrative tool in Windows, is going to be one of the most data rich sources for threat hunters to piece together endpoint activity. WEL logs come in three flavors: system, security, and application, and logs will record errors, warnings, information and audit success within a Windows system.

This data gives threat hunters the visibility to see what’s going on both within a single endpoint, an environment, or a federation of environments.

Linux Audit Logging

Linux audit logging is similar to Windows event logging, just for another operating system. However, Linux logging tends to provide more granular data about even more components of the operating system, giving hunters greater visibility. Again, its purpose is to offer up details about changes to the systems, network connection attempts, and any activity on the system that warrants a logged event.

PowerShell Logging

PowerShell, introduced in 2006, is an exceptionally powerful command line environment. While much of the enhanced logging has only been available since version 5, Microsoft has also backported some of those powerful logging functions to version 4 (though it is still highly recommended that organizations update to version 5). Enhanced PowerShell logging not only logs executed commands, but paths and deobfuscated code as well. As PowerShell is extremely flexible and powerful compared to the traditional Windows Command Prompt, this is typically the go-to for attackers. Many phishing attempts begin with a simple Word document embedded with a malicious macro designed to invoke PowerShell to begin downloading and executing malicious code. Additionally, attackers can use it to gather system and network information, download additional toolsets, and move laterally within an environment. An attacker is very likely to utilize that shell environment once they get onto an endpoint making this prime hunting ground for security teams.

In addition to that, from a threat hunting perspective, PowerShell can offer excellent visibility for seeking out anomalous activity within an environment. Through techniques such as stack counting and “the principle of least frequency of occurrence (LFO),” threat hunters can look through all of the different PowerShell commands executed across an environment in order to identify suspicious activity.

Process Monitoring

Process monitoring and logging, using tools such as the free and excellent Procmon, offers hunters visibility into all processes that are spawned, where they were spawned from, as well as their child and/or parent processes.

Ultimately, threat hunters will be looking for unusual process names or common process names from uncommon paths. Lots of malware, for instance, will randomize process names so a threat hunter can look for very suspicious, or randomized process names. At scale, hunters may also look for uncommonly high, or low, entropy of names (e.g. how predictable is the next letter in the process name compared to a baseline set of data?). Similarly, threat hunters can seek out suspicious parent-child process relationships. For example, should Word.exe really be spawning PowerShell? Should that PowerShell process really spawn something called ‘svch0st.exe’?

Registry Data

Threat hunters gain a huge amount of information out of the Windows registry. Many attackers may touch the registry as part of reconnaissance to get an idea of what’s installed on the system. Additionally, attackers frequently use the registry to establish persistence for their tools and malware to ensure it persists across reboots, or hinders attempts to remove it. For example, one of the most common (and oldest!) methods malware uses to establish persistence is through so-called registry run keys, inserting an entry into that key to have it point to the tool or malware that’s on the system. This way every time the system reboots, the malware comes back online.

These endpoint data sources can offer up extremely rich information for threat hunters seeking out activity within a single endpoint or across the entire environment. While solid network logs are a staple for threat hunting, it’s important to remember that visibility at the endpoint can provide a more enriched data set, and therefore more valuable hunts.

Haven’t read part one of this series? Be sure to catch up on You Can Only Hunt What You Can See: Best Network Log Sources for Threat Hunting.