{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T01:41:34Z","timestamp":1760060494817,"version":"build-2065373602"},"reference-count":33,"publisher":"MDPI AG","issue":"9","license":[{"start":{"date-parts":[[2025,8,29]],"date-time":"2025-08-29T00:00:00Z","timestamp":1756425600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>Malicious actors often exploit persistence mechanisms, such as unauthorized modifications to Windows startup directories or registry keys, to achieve privilege escalation and maintain access on compromised systems. While information technology (IT) teams legitimately use these AutoStart Extension Points (ASEPs), adversaries frequently deploy malicious binaries with non-standard naming conventions or execute files from transient directories (e.g., Temp or Public folders). This study proposes a threat-hunting framework using a custom Elasticsearch Security Information and Event Management (SIEM) system to detect such persistence tactics. Two hypothesis-driven investigations were conducted: the first focused on identifying unauthorized ASEP registry key modifications during user logon events, while the second targeted malicious Dynamic Link Library (DLL) injections within temporary directories. By correlating Sysmon event logs (e.g., registry key creation\/modification and process creation events), the researchers identified attack chains involving sequential registry edits and malicious file executions. Analysis confirmed that Sysmon Event ID 12 (registry object creation) and Event ID 7 (DLL loading) provided critical forensic evidence for detecting these tactics. The findings underscore the efficacy of real-time event correlation in SIEM systems in disrupting adversarial workflows, enabling rapid mitigation through the removal of malicious entries. This approach advances proactive defense strategies against privilege escalation and persistence, emphasizing the need for granular monitoring of registry and filesystem activities in enterprise environments.<\/jats:p>","DOI":"10.3390\/fi17090394","type":"journal-article","created":{"date-parts":[[2025,8,29]],"date-time":"2025-08-29T16:42:21Z","timestamp":1756485741000},"page":"394","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Elasticsearch-Based Threat Hunting to Detect Privilege Escalation Using Registry Modification and Process Injection Attacks"],"prefix":"10.3390","volume":"17","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-7361-0465","authenticated-orcid":false,"given":"Akashdeep","family":"Bhardwaj","sequence":"first","affiliation":[{"name":"Centre for Cybersecurity, School of Computer Science, University of Petroleum and Energy Studies, Dehradun 248007, India"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8398-5030","authenticated-orcid":false,"given":"Luxmi","family":"Sapra","sequence":"additional","affiliation":[{"name":"Faculty Computer Application, Graphic Era Hill University, Dehradun 248002, India"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6763-6714","authenticated-orcid":false,"given":"Shawon","family":"Rahman","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of Hawaii-Hilo, Hilo, HI 96720, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2025,8,29]]},"reference":[{"key":"ref_1","unstructured":"(2025, August 22). What is Privilege Escalation? Crowdstrike.Com. Available online: https:\/\/www.crowdstrike.com\/en-us\/cybersecurity-101\/cyberattacks\/privilege-escalation\/."},{"key":"ref_2","unstructured":"(2025, August 22). Paolomatarazzo. User Account Control\u2014Windows Security. Learn.Microsoft.Com. Available online: https:\/\/learn.microsoft.com\/en-us\/windows\/security\/application-security\/application-control\/user-account-control\/."},{"key":"ref_3","unstructured":"Lutkevich, B. (2025, August 22). What Is Access Control List (ACL)? TechTarget. Available online: https:\/\/www.techtarget.com\/searchnetworking\/definition\/access-control-list-ACL."},{"key":"ref_4","unstructured":"(2025, August 22). Alvinashcraft. Access Control Lists\u2014Win32 Apps. Learn.Microsoft.Com. Available online: https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/secauthz\/access-control-lists."},{"key":"ref_5","unstructured":"(2025, February 08). NVD\u2014Cve-2016-0189. Nist.Gov, Available online: https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2016-0189."},{"key":"ref_6","unstructured":"Lessing, M. (2025, August 22). Case Study: WannaCry Ransomware. SDxCentral. Available online: https:\/\/www.sdxcentral.com\/news\/bugpocalypse-now-zombieload-hits-intel-processors-microsoft-warns-of-wannacry-like-worm\/."},{"key":"ref_7","unstructured":"(2025, August 22). Process Injection\u2014Threat Detection Report. Red Canary. Available online: https:\/\/redcanary.com\/threat-detection-report\/techniques\/process-injection\/."},{"key":"ref_8","unstructured":"Compean, N. (2025, August 22). What Is Persistence in Cybersecurity and How Do You\u2026 BeyondTrust. Available online: https:\/\/www.beyondtrust.com\/blog\/entry\/what-is-persistence-in-cybersecurity."},{"key":"ref_9","unstructured":"(2025, August 22). Boot or Logon Autostart Execution: Registry Run Keys\/Startup Folder, Sub-Technique T1547.001\u2014Enterprise|MITRE ATT&CK\u00ae. Available online: https:\/\/attack.mitre.org\/techniques\/T1547\/001\/."},{"key":"ref_10","unstructured":"(2025, August 22). Scheduled Task\/Job, Technique T1053\u2014Enterprise|MITRE ATT&CK\u00ae .Attack.Mitre.Org. Available online: https:\/\/attack.mitre.org\/techniques\/T1053\/."},{"key":"ref_11","unstructured":"IBM (2025, August 22). Data exfiltration. Ibm.Com. Available online: https:\/\/www.ibm.com\/think\/topics\/data-exfiltration."},{"key":"ref_12","unstructured":"(2025, August 22). Mimikatz. GitHub. Available online: https:\/\/github.com\/ParrotSec\/mimikatz."},{"key":"ref_13","unstructured":"(2025, February 08). Cobalt Strike. GitHub. Available online: https:\/\/github.com\/cobalt-strike."},{"key":"ref_14","unstructured":"MITRE (2025, August 22). MITRE ATT&CKTM. Mitre.Org. Available online: https:\/\/attack.mitre.org\/."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Branescu, I., Grigorescu, O., and Dascalu, M. (2024). Automated Mapping of Common Vulnerabilities and Exposures to MITRE ATT&CK Tactics. Information, 15.","DOI":"10.3390\/info15040214"},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"59289","DOI":"10.1109\/ACCESS.2024.3392338","article-title":"From Bytes to Insights: A Systematic Literature Review on Unraveling IDS Datasets for Enhanced Cybersecurity Understanding","volume":"12","author":"Khanan","year":"2024","journal-title":"IEEE Access"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Pratama, D., Suryanto, N., Adiputra, A.A., Le, T.-T.-H., Kadiptya, A.Y., Iqbal, M., and Kim, H. (2024). CIPHER: Cybersecurity Intelligent Penetration-Testing Helper for Ethical Researcher. Sensors, 24.","DOI":"10.3390\/s24216878"},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"10189","DOI":"10.1109\/TIFS.2024.3488533","article-title":"TriAssetRank: Ranking Vulnerabilities, Exploits, and Privileges for Countermeasures Prioritization","volume":"19","author":"Bouom","year":"2024","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Ryu, D., Lee, S., Yang, S., Jeong, J., Lee, Y., and Shin, D. (2024). Enhancing Cybersecurity in Energy IT Infrastructure Through a Layered Defense Approach to Major Malware Threats. Appl. Sci., 14.","DOI":"10.3390\/app142210342"},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"8440","DOI":"10.1109\/JIOT.2023.3322412","article-title":"A Comprehensive Detection Method for the Lateral Movement Stage of APT Attacks","volume":"11","author":"He","year":"2024","journal-title":"IEEE Internet Things J."},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Kasri, W., Himeur, Y., Alkhazaleh, H.A., Tarapiah, S., Atalla, S., Mansoor, W., and Al-Ahmad, H. (2025). From Vulnerability to Defense: The Role of Large Language Models in Enhancing Cybersecurity. Computation, 13.","DOI":"10.3390\/computation13020030"},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Paracha, M.A., Jamil, S.U., Shahzad, K., Khan, M.A., and Rasheed, A. (2024). Leveraging AI for Network Threat Detection\u2014A Conceptual Overview. Electronics, 13.","DOI":"10.3390\/electronics13234611"},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"e26317","DOI":"10.1016\/j.heliyon.2024.e26317","article-title":"Detecting Lateral Movement: A Systematic Survey","volume":"10","author":"Smiliotopoulos","year":"2024","journal-title":"Heliyon"},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"730","DOI":"10.3390\/iot5040033","article-title":"An Innovative Honeypot Architecture for Detecting and Mitigating Hardware Trojans in IoT Devices","volume":"5","author":"Omar","year":"2024","journal-title":"IoT"},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"4998","DOI":"10.1109\/TSG.2024.3373008","article-title":"Enhancing Cyber-Resiliency of DER-Based Smart Grid: A Survey","volume":"15","author":"Liu","year":"2024","journal-title":"IEEE Trans. Smart Grid"},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"18951","DOI":"10.1109\/JIOT.2024.3349381","article-title":"Vulnerability of Machine Learning Approaches Applied in IoT-Based Smart Grid: A Review","volume":"11","author":"Zhang","year":"2024","journal-title":"IEEE Internet Things J."},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"62341","DOI":"10.1109\/ACCESS.2025.3556184","article-title":"Threat Hunting the Shadows: Detecting Adversary Lateral Movement with Elasticsearch","volume":"13","author":"Alsharabi","year":"2025","journal-title":"IEEE Access"},{"key":"ref_28","first-page":"772","article-title":"A Model for Illegal File Access Tracking Using Windows Logs and Elastic Stack","volume":"17","author":"Kim","year":"2021","journal-title":"J. Inf. Process. Syst."},{"key":"ref_29","unstructured":"(2025, August 22). Getting Started: Use Elastic Security for SIEM|Starting with the Elasticsearch Platform and Its Solutions [8.12]|Elastic. Available online: https:\/\/www.elastic.co\/guide\/en\/starting-with-the-elasticsearch-platform-and-its-solutions\/current\/getting-started-siem-security.html."},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"S95","DOI":"10.1016\/j.diin.2019.01.026","article-title":"Characteristics and detectability of Windows auto-start extensibility points in memory forensics","volume":"28","author":"DUroz","year":"2019","journal-title":"Digit. Investig."},{"key":"ref_31","unstructured":"(2025, August 22). Kibana: Explore, Visualize, Discover Data. Elastic. Available online: https:\/\/www.elastic.co\/kibana."},{"key":"ref_32","unstructured":"(2025, August 22). Lucene Query Syntax|Kibana Guide [8.12]|Elastic. www.elastic.co. Available online: https:\/\/www.elastic.co\/guide\/en\/kibana\/current\/lucene-query.html."},{"key":"ref_33","unstructured":"CrowdStrike Intelligence Team (2025, August 22). Technical Analysis of the WhisperGate Malicious Bootloader|CrowdStrike. Crowdstrike.Com. Available online: https:\/\/www.crowdstrike.com\/en-us\/blog\/technical-analysis-of-whispergate-malware\/."}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/17\/9\/394\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T18:35:34Z","timestamp":1760034934000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/17\/9\/394"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,8,29]]},"references-count":33,"journal-issue":{"issue":"9","published-online":{"date-parts":[[2025,9]]}},"alternative-id":["fi17090394"],"URL":"https:\/\/doi.org\/10.3390\/fi17090394","relation":{},"ISSN":["1999-5903"],"issn-type":[{"type":"electronic","value":"1999-5903"}],"subject":[],"published":{"date-parts":[[2025,8,29]]}}}