Volume 18, Number 3
Beyond the Surface: Unmasking Advanced Malicious Threats
Authors
Akashdeep Bhardwaj (1) and Shawon Rahman (2)
(1) Center for Cybersecurity, India
(2) University of Hawaii-Hilo, USA
Abstract
Advanced adversaries use unusual initial access strategies to establish persistence in corporate systems. This research presents behavior-driven threat hunts focused on phishing via malicious Microsoft Word documents, the use of living-off-the-land binaries (LOLBINs), and subtle alterations to Remote Desktop Protocol (RDP) services for stealthy lateral movement. An Elasticsearch SIEM was used to ingest and analyze 303,148 logs with Kibana and Lucene-based detection queries. The first hunt revealed 44 related instances in which Winword.exe spawned cmd.exe, resulting in the download of a suspicious payload (MicrosoftUpdate.exe). Persistence was validated via Sysmon Event Code 11 (file creation in the Windows Startup directory), while lateral movement and command-and-control activity were indicated by outbound connections on port 9000. The second hunt identified 20 registry-related events confirming that the RDP port had been changed from the default 3389 to 3398 via reg.exe, followed by a remote interactive logon (Event ID 4624, Logon Type 10). Subsequent network activity showed a connection over FTP port 21, suggesting possible data exfiltration. To strengthen scientific rigor, the authors incorporated mathematical validation through Bayesian inference, Threat Confidence Scoring (TCS), and entropy-based behavioral diversity analysis. The phishing scenario attained a posterior threat probability of 0.820, while the RDP port manipulation attained 0.778. The calculated TCS reached 20, signifying a severe multi-stage compromise. Entropy analysis yielded 2.181 bits (~84% of maximal entropy), indicating substantial event variety consistent with coordinated adversarial actions. This research's primary contribution is the integration of behavioral SIEM query logic with probabilistic validation and entropy-based complexity modeling, enabling SOC teams to prioritize alerts based on quantitative threat confidence rather than relying solely on signature-based detection.
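The two hunt chains summarized above (Office spawning a shell, a drop into the Startup folder and a port 9000 connection; reg.exe moving the RDP listener off 3389, a Logon Type 10 logon and an FTP connection) can be expressed as stage tags correlated over normalized events, with Shannon entropy computed over the matched stages. The code below is an added example, not the authors' Kibana/Lucene queries or scoring model; the event records, field names and the six-category entropy ceiling (log2(6) ≈ 2.585 bits, which is consistent with the abstract's 2.181 bits being ~84% of the maximum) are assumptions of this example.

```python
from collections import Counter
from math import log2

# Constructed, pre-normalised events modelled on Sysmon (ID 1/3/11/13) and
# Windows Security (4624) records; field names are this example's own, not Sysmon's.
STARTUP_DIR = "\\start menu\\programs\\startup\\"
RDP_PORT_KEY = r"\terminal server\winstations\rdp-tcp\portnumber"  # RDP listener port value
EVENTS = [
    {"id": 1, "parent": "WINWORD.EXE", "image": "cmd.exe"}, {"id": 1, "parent": "WINWORD.EXE", "image": "cmd.exe"},
    {"id": 1, "parent": "winword.exe", "image": "CMD.EXE"}, {"id": 1, "parent": "WINWORD.EXE", "image": "cmd.exe"},
    {"id": 11, "path": r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftUpdate.exe"},
    {"id": 11, "path": r"C:\Users\b\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftUpdate.exe"},
    {"id": 3, "dport": 9000}, {"id": 3, "dport": 9000},
    {"id": 13, "image": "reg.exe", "value": "3398",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber"},
    {"id": 4624, "logon_type": 10}, {"id": 3, "dport": 21},
    {"id": 3, "dport": 443}, {"id": 1, "parent": "explorer.exe", "image": "cmd.exe"},  # benign noise
]
# Each hunt is a list of behavioural stages; a hunt matches only when every stage is observed.
HUNTS = {"phishing_lolbin": ["office_spawn_shell", "startup_persistence", "c2_port_9000"],
         "rdp_port_tamper": ["rdp_port_changed", "remote_interactive_logon", "ftp_egress"]}
N_CATEGORIES = sum(len(s) for s in HUNTS.values())  # 6 tags -> entropy ceiling log2(6) ~ 2.585 bits

def classify(ev):
    """Map one event to a behavioural stage tag, or None if it matches no hunt logic."""
    image = ev.get("image", "").lower()
    if ev["id"] == 1 and ev.get("parent", "").lower() == "winword.exe" and image == "cmd.exe":
        return "office_spawn_shell"              # Office document spawning a shell
    if ev["id"] == 11 and STARTUP_DIR in ev.get("path", "").lower():
        return "startup_persistence"             # file dropped into the Startup folder
    if (ev["id"] == 13 and image == "reg.exe" and ev.get("value") != "3389"
            and ev.get("key", "").lower().endswith(RDP_PORT_KEY)):
        return "rdp_port_changed"                # reg.exe moved the RDP listener off 3389
    if ev["id"] == 4624 and ev.get("logon_type") == 10:
        return "remote_interactive_logon"        # RDP logon following the port change
    if ev["id"] == 3:
        return {9000: "c2_port_9000", 21: "ftp_egress"}.get(ev.get("dport"))
    return None

def hunt(events):
    """Return stage-tag counts and, per hunt, whether every stage was observed."""
    tags = Counter(t for t in map(classify, events) if t)
    matched = {name: all(tags[s] > 0 for s in stages) for name, stages in HUNTS.items()}
    return tags, matched

def entropy_bits(tags):
    """Shannon entropy of the matched-stage distribution and its share of log2(N_CATEGORIES)."""
    n = sum(tags.values())
    h = -sum(c / n * log2(c / n) for c in tags.values())
    return h, h / log2(N_CATEGORIES)
```

Calling hunt(EVENTS) reports both chains as matched while ignoring the two benign records; entropy_bits on the resulting counts gives about 2.369 bits (92% of the ceiling) for this constructed sample, illustrating the diversity measure the abstract applies to its 303,148 real logs.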
Keywords
Advanced Persistent Threats (APT), Threat Hunting, Living-off-the-Land Binaries (LOLBINs), Phishing Attacks, Malware Persistence, Remote Desktop Protocol (RDP) Attacks, and Registry Key Modification.
