Chapter 6: Host-Based Security and Endpoint Protection
Learning Objectives
Explain endpoint security technology functionality including HIDS, antimalware engines, and host-based firewalls
Compare signature-based, heuristic, and predictive AI/ML detection methods
Identify critical Windows and Linux operating system security components used by SOC analysts
Describe the role of attribution in cybersecurity investigations including IoC vs. IoA analysis and chain of custody
Pre-Assessment
Answer these questions before studying to establish your baseline. Don't worry if you don't know the answers yet.
Pre-Assessment — Chapter 6
1. What is the key difference between HIDS and HIPS?
2. According to CrowdStrike's 2025 Global Threat Report, approximately what percentage of 2024 detections were malware-free?
3. Which Windows process is the primary target for credential-dumping tools like Mimikatz?
4. What Windows Event ID indicates a successful logon?
5. Which Linux audit framework can log system calls at the kernel level regardless of application cooperation?
Section 1: Endpoint Security Technologies
1.1 HIDS vs. HIPS: Detection vs. Prevention
Every network ultimately connects to endpoints — workstations, servers, laptops, and containers. The endpoint is where users work, credentials are entered, code executes, and where most attackers ultimately want to be. Host-based security places detection, prevention, and visibility capabilities directly on the machine rather than relying solely on network chokepoints.
Host-Based Intrusion Detection System (HIDS) monitors system activity — file system changes, log entries, running processes, network connections — and generates alerts when anomalies are detected. It is a passive observer: it records and reports but does not block. HIDS is well suited to audit environments where stopping false positives from disrupting production systems is a higher priority than automatic prevention.
Host-Based Intrusion Prevention System (HIPS) adds an enforcement layer on top of detection. When the system identifies a match against a known attack pattern or behavioral threshold, it can terminate the process, quarantine the file, or block the network connection in real time. HIPS is active — powerful but requires careful tuning.
Think of HIDS as a smoke detector — it sounds the alarm when something burns. HIPS is the automatic sprinkler system — it sounds the alarm and douses the fire simultaneously.
Feature
HIDS
HIPS
Response
Alert only
Alert + Block/Terminate
False-positive risk
Low
High if poorly tuned
Use case
Compliance auditing, forensics
Active threat prevention
Example tools
OSSEC, Wazuh (detection mode)
CrowdStrike Falcon Prevent, Carbon Black
Modern Endpoint Detection and Response (EDR) platforms subsume both HIDS and HIPS capabilities into a unified agent while adding continuous telemetry recording and cloud-backed AI analysis.
flowchart LR
subgraph Endpoint["Endpoint Activity"]
A[Process Execution]
B[File System Change]
C[Network Connection]
D[Memory Injection]
end
subgraph HIDS["HIDS (Passive)"]
direction TB
H1[Monitor & Log]
H2[Generate Alert]
H1 --> H2
end
subgraph HIPS["HIPS (Active)"]
direction TB
P1[Monitor & Log]
P2[Generate Alert]
P3[Block / Terminate]
P1 --> P2 --> P3
end
subgraph EDR["EDR (Continuous + AI)"]
direction TB
E1[Collect Telemetry]
E2[AI/ML Scoring]
E3[Alert + Correlate]
E4[Automated Response]
E1 --> E2 --> E3 --> E4
end
Endpoint -->|Observed by| HIDS
Endpoint -->|Observed & enforced by| HIPS
Endpoint -->|Continuously streamed to| EDR
Detection Method Evolution
1.2 Antimalware Detection Methods
Signature-Based Detection compares file hashes, byte sequences, or known malicious strings against a database of known threats. Fast and precise for known malware, but blind to anything not yet catalogued.
Heuristic Detection looks for behaviors or structural characteristics that resemble malicious code — an executable that unpacks itself at runtime, injects into a running process, and reaches out to a random-looking domain, even if that specific file has never been seen before.
Predictive AI/ML Detection uses machine learning models trained on millions of samples to score new files and activities probabilistically. Rather than a binary match, the model outputs a confidence score. With 79% of 2024 detections being malware-free, behavioral and predictive methods are no longer optional — they are the primary defense layer.
Method
Mechanism
Strengths
Weaknesses
Signature-based
File hash / byte-sequence match
Fast, precise, no false positives for known malware
Blind to new/variant threats
Heuristic
Structural/behavioral pattern resemblance
Catches some zero-days
Higher false-positive rate
Predictive AI/ML
ML model scoring of features and behavior
Catches novel malware, fileless attacks
Requires large training data; model drift
Behavioral / IoA
Runtime sequence analysis
Detects attacks with no malware file
Complex to tune; context-dependent
1.3 Host-Based Firewalls and EDR
A host-based firewall enforces traffic policy at the OS level, independent of any network firewall. This matters for three reasons: (1) east-west traffic between systems on the same segment never passes through a perimeter firewall; (2) laptops leave the corporate network; (3) defense in depth provides a second enforcement point if the perimeter is bypassed.
EDR platforms like CrowdStrike Falcon and SentinelOne collect continuous behavioral telemetry: process creation (including full command-line arguments), parent-child process relationships, memory injection indicators, network connections, and file system modifications. The key insight is that correlation of multiple signals — not any single indicator — drives high-confidence detections.
A classic EDR catch: outlook.exe spawning powershell.exe with -EncodedCommand -WindowStyle Hidden that immediately initiates an outbound HTTPS connection. No single step is conclusive; the sequence is damning.
Key Points — Section 1
HIDS is passive (alert only); HIPS is active (alert + block/terminate). EDR implements both at scale with AI/ML.
Signature detection is precise for known malware but blind to new threats — heuristic and AI/ML methods fill the gap.
79% of 2024 detections were malware-free, making behavioral/IoA analysis the primary modern defense layer.
Host-based firewalls protect mobile endpoints and east-west traffic that never hits the perimeter.
6. An analyst wants to audit a production environment without risking false-positive disruptions. Which technology is most appropriate?
7. An attacker uses PowerShell with -EncodedCommand and -WindowStyle Hidden spawned from Outlook to download a payload in memory. Which detection method is BEST suited to catch this?
Section 2: Windows Security Components
2.1 The Authentication Stack: SAM, LSA, and LSASS
Understanding Windows authentication internals is essential for both securing systems and investigating compromises, because credential theft almost always targets these components.
Security Accounts Manager (SAM) — the database at C:\Windows\System32\config\SAM that stores local user NTLM password hashes. Locked by the OS while Windows is running. NTLM hashes enable pass-the-hash attacks — the attacker doesn't need the plaintext password.
Local Security Authority (LSA) — the security subsystem handling authentication policy, token generation, and enforcement. It checks credentials against SAM for local accounts or forwards to a domain controller for Kerberos validation.
LSASS (lsass.exe) — the process hosting the LSA. It maintains authenticated user sessions in memory — which is why it is the primary target of credential-dumping tools like Mimikatz (sekurlsa::logonpasswords).
Think of the SAM as a vault of keys, the LSA as the security guard checking your badge, and LSASS as the guard's active memory of everyone currently inside the building. Credential dumping is like pickpocketing the guard's memory rather than breaking into the vault.
Defending LSASS: Enable Credential Guard (virtualizes LSASS using VBS/hypervisor isolation); configure RunAsPPL (Protected Process Light) so only digitally signed processes can access LSASS memory; monitor Sysmon Event 10 (process accessed LSASS).
flowchart TD
User["User / Application (Login Request)"]
subgraph AuthStack["Windows Authentication Stack"]
LSASS["LSASS Process (lsass.exe)\nHosts the LSA in memory\nMaintains active session tokens\n⚠ Credential-dumping target (Mimikatz)"]
LSA["Local Security Authority (LSA)\nValidates credentials\nIssues security tokens"]
SAM["Security Accounts Manager (SAM)\nC:\\Windows\\System32\\config\\SAM\nStores NTLM hashes for local accounts"]
DC["Domain Controller\n(Kerberos validation for domain accounts)"]
end
DefenseLayer["Defenses: Credential Guard · RunAsPPL · Sysmon Event 10"]
User -->|Submits credential| LSASS
LSASS --> LSA
LSA -->|Local account| SAM
LSA -->|Domain account| DC
SAM -->|NTLM hash match → token| LSA
DC -->|Kerberos ticket → token| LSA
LSA -->|Security token granted| User
DefenseLayer -.->|Protects| LSASS
style LSASS fill:#4d2020,stroke:#f85149,color:#cdd9e5
style SAM fill:#2d333b,stroke:#58a6ff,color:#cdd9e5
style LSA fill:#2d333b,stroke:#58a6ff,color:#cdd9e5
style DefenseLayer fill:#1f3d2a,stroke:#3fb950,color:#cdd9e5
2.2 Windows Event Log and Critical Event IDs
The Windows Security event log (C:\Windows\System32\winevt\Logs\Security.evtx) is the primary source for authentication, authorization, and policy change monitoring. SOC analysts route this log to a SIEM and build correlation rules around high-value event ID sequences.
Category
Key Event IDs
Intrusion Relevance
Authentication
4624, 4625, 4634, 4648, 4768, 4776
Logon success/failure, explicit credentials, Kerberos; detects brute-force and pass-the-hash
Privilege Escalation
4672, 4964
Special privileges/sensitive groups assigned; flags admin rights abuse
Account Management
4720, 4726, 4738
User created/deleted, account modified; spots rogue account creation
New service installed, scheduled task created, service crash; primary persistence indicators
High-Risk AD
4765, 4766, 4794, 1102
SID History added, DSRM set, audit log cleared; signals AD compromise or cover-up
The classic SIEM correlation chain for brute-force to privilege escalation: multiple 4625 (failed logon) events from the same source IP → 4624 (successful logon) → 4672 (special privileges assigned). Event 1102 (audit log cleared) is a standalone critical alert — there is rarely a legitimate reason for this.
sequenceDiagram
participant Attacker
participant Target as Target Host
participant WinLog as Windows Security Log
participant SIEM
Attacker->>Target: Multiple failed login attempts
Target->>WinLog: Event 4625 (Failed Logon) × N
WinLog->>SIEM: Batch of 4625 events
SIEM-->>SIEM: Rule: ≥5 failures in 5 min → Alert MEDIUM
Attacker->>Target: Successful login (correct credential)
Target->>WinLog: Event 4624 (Successful Logon)
WinLog->>SIEM: Event 4624 from same source IP
SIEM-->>SIEM: Rule: 4625 spike + 4624 success → Escalate HIGH
Target->>WinLog: Event 4672 (Special Privileges Assigned)
WinLog->>SIEM: Event 4672 for same logon session
SIEM-->>SIEM: Rule: HIGH alert + 4672 → Escalate CRITICAL
Note over SIEM: Correlated chain: brute-force → credential success → privilege escalation
2.3 Windows Defender and the Registry
Windows Defender Antivirus is the built-in antimalware engine in modern Windows. In enterprise environments it is managed through Microsoft Defender for Endpoint, which provides cloud-delivered protection, automatic sample submission, and Attack Surface Reduction (ASR) rules — blocking high-risk behaviors like Office applications spawning child processes, independent of signatures.
Same, per-user — does not require admin rights to modify
HKLM\System\CurrentControlSet\Services
Service configuration — attackers create malicious services here
HKLM\Security\Policy\Secrets
LSA secrets — stores service account credentials
SIEM Event Correlation: Brute-Force to Privilege Escalation
Key Points — Section 2
SAM stores local NTLM hashes; LSA handles authentication policy; LSASS hosts both in memory and is the target for Mimikatz.
Defend LSASS with Credential Guard (VBS isolation) and RunAsPPL; monitor Sysmon Event 10 for LSASS access.
The 4625 → 4624 → 4672 event chain is the textbook SIEM rule for brute-force to privilege escalation.
Event 1102 (audit log cleared) is a standalone critical alert — no threshold required.
Registry Run keys and service entries are the primary persistence mechanisms; Event ID 4697/4698 monitors them.
Check Your Understanding — Section 2
8. An attacker runs Mimikatz's sekurlsa::logonpasswords command. What is the primary target?
9. A SOC analyst sees a spike of Event ID 4625 followed by Event ID 4624 followed by Event ID 4672, all from the same source IP within 6 minutes. What is the most likely scenario?
10. Which Windows defense virtualizes the LSASS process using hypervisor isolation to protect credential material?
Section 3: Linux Security Components
3.1 Users, Groups, and SELinux
Linux access control begins with the Unix model: every file, process, and resource has an owner, a group, and permissions (read/write/execute). Root (UID 0) bypasses most checks, making privilege escalation to root the primary goal of a Linux attacker.
Key files for investigation:
/etc/passwd — user account information (no longer stores hashed passwords in modern Linux)
/etc/shadow — hashed passwords, readable only by root
/etc/group — group definitions and membership
/etc/sudoers — defines which users can run commands as root via sudo; a persistence target
SELinux (Security-Enhanced Linux) is a Mandatory Access Control (MAC) framework developed by the NSA and integrated into the Linux kernel. While traditional permissions are discretionary (owner decides access), SELinux enforces system-wide policy that even root cannot override without explicit policy permission. Every process and file receives a security context label (e.g., system_u:system_r:httpd_t:s0).
SELinux Mode
Behavior
Enforcing
Policy enforced; violations are blocked and logged
Permissive
Policy not enforced; violations are logged only (used for policy development)
Disabled
SELinux is completely inactive
Think of traditional Linux permissions as an office where each employee decides who enters their own office. SELinux is a central building management system controlling every door — even the CEO cannot override those access rules without a policy change approved by the security team.
Structured binary logs from systemd units; efficient time-range filtering
auditd
ausearch, aureport, rules in /etc/audit/rules.d/
Kernel-level system call auditing — forensically complete regardless of application
auditd is the most powerful: it can audit any system call at the kernel level, track privilege escalation (setuid, capabilities), and generate AUID (Audit User ID) that persists across su/sudo — even if a user switches to root, the original login UID is preserved in audit records.
auditctl -a always,exit -F arch=b64 -S execve # Log all executions
auditctl -w /etc/passwd -p rwxa # Monitor /etc/passwd access
A deleted-file process technique: malware may delete its binary after execution. On Linux, the process continues running but ls -la /proc/<PID>/exe shows (deleted). The binary can be recovered: cat /proc/<PID>/exe > /tmp/recovered_binary.
3.3 iptables and nftables
iptables rules are organized in tables (filter, nat, mangle) and chains (INPUT, OUTPUT, FORWARD). The filter table handles host-based firewall policy.
# Block all inbound except established sessions and SSH
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
nftables is the modern replacement, providing a unified framework replacing iptables/ip6tables/arptables/ebtables with a single coherent syntax and better performance. The LOG target in both allows logging matched packets to syslog — essential for detecting lateral movement on systems without a dedicated EDR agent.
Linux Security Architecture — Defense Layers
Key Points — Section 3
Linux DAC (file permissions/sudoers) is the first access control layer; SELinux MAC enforces policy even root cannot override.
auditd provides kernel-level forensic completeness — it records syscalls regardless of whether applications cooperate, and AUID persists across sudo.
iptables/nftables provide host-based firewall enforcement; the LOG target feeds packet events to syslog for SIEM ingestion.
Deleted-file processes still run on Linux — recover them via /proc/<PID>/exe even after the on-disk binary is removed.
Check Your Understanding — Section 3
11. A malicious process running as root attempts to read files outside its designated security context. SELinux is in Enforcing mode. What happens?
12. An attacker compromises a web server, uses sudo to escalate to root, then deletes the malware binary. The process is still running. Which technique recovers the binary for analysis?
Section 4: Attribution and Investigation
4.1 Asset Identification and Inventory
Effective investigation begins with knowing what you have. You cannot determine whether an endpoint's behavior is anomalous without a baseline. A complete asset record includes: hardware identity (MAC, serial, asset tag), OS version and patch level, installed applications, network identifiers (IP, hostname, FQDN), assigned users and their role, normal traffic patterns, and security tools installed (EDR agent, AV version).
Asset inventory feeds detection context: a development workstation running a debugger that injects into processes is normal. A finance workstation doing the same thing is a critical alert.
4.2 Threat Actor Profiling
Attribution associates an attack with a specific threat actor — nation-state, criminal organization, hacktivist, or insider. True attribution is difficult, but profiling observed TTPs against MITRE ATT&CK narrows the field.
Indicators of Compromise (IoCs) are forensic artifacts that signal a past breach — file hashes, known C2 IP addresses, registry persistence keys, malicious user agent strings, mutex names. They are retrospective: "what happened?"
Indicators of Attack (IoAs) are behavioral signals indicating an attack is in progress, regardless of specific tools used — privilege escalation outside business hours, lateral movement via rapid multi-system authentication, Office applications spawning command interpreters. They are real-time: "what is happening now?"
Aspect
IoC
IoA
Timing
Retrospective — "what happened?"
Real-time — "what is happening now?"
Focus
Artifact / evidence
Behavior / intent
Value against novel attacks
Low — unknown malware has no known IoCs
High — attackers still must take actions
MITRE ATT&CK alignment
Confirms completed tactics
Maps to active kill chain stages
Example
evil.exe SHA-256 hash
word.exe spawning cmd.exe with encoded args
Ransomware scenario: IoC-based response identifies the LockBit binary hash, known C2 IPs, and the ransom note filename — useful for remediation. IoA-based detection would have caught the pre-encryption step 48 hours earlier: vssadmin delete shadows /all /quiet executed by a service account from a non-standard workstation. The IoA should have triggered containment before encryption began.
flowchart LR
subgraph KillChain["Cyber Kill Chain Stages"]
direction LR
S1["1. Recon"]
S2["2. Weaponize"]
S3["3. Deliver"]
S4["4. Exploit"]
S5["5. Install"]
S6["6. C2"]
S7["7. Actions"]
S1 --> S2 --> S3 --> S4 --> S5 --> S6 --> S7
end
IoA["IoA Detection\n(Behavioral)\n• Office spawns cmd.exe (S4)\n• VSS deletion (S6)\n• 2 AM outbound transfer (S7)\n→ Stops attack IN PROGRESS"]
IoC["IoC Detection\n(Forensic artifacts)\n• Malware hash (S5)\n• Known C2 IP (S6)\n• Registry persistence (S5)\n→ Confirms PAST compromise"]
IoA -.->|Covers stages 3-7 real time| KillChain
IoC -.->|Identifies artifacts post-compromise| KillChain
style IoA fill:#1f3d2a,stroke:#3fb950,color:#cdd9e5
style IoC fill:#2d333b,stroke:#58a6ff,color:#cdd9e5
4.4 Chain of Custody
Chain of custody is the documented, unbroken record of who collected evidence, how it was handled, stored, and transferred — from initial collection through legal or disciplinary proceedings. Without it, technically correct findings may be legally worthless.
Requirements:
Documentation at collection — who, when, from where, and what method (disk image, memory dump, log export)
Hash verification — compute SHA-256 of all digital evidence at collection; any copy must produce the same hash
Secure storage — physical evidence in tamper-evident bags; digital evidence in write-protected forensic containers (E01, AFF4)
Access logging — every person accessing evidence is logged with date, time, and purpose
Transfer receipts — both parties sign when evidence moves between custodians
Think of chain of custody as the property room in a police station — every item is logged in and out, who touched it is recorded, and the log proves the evidence has not been tampered with between the crime scene and the courtroom.
Key Points — Section 4
Asset inventory is the prerequisite for detection — without a baseline, you cannot identify anomalous behavior.
Threat actor profiling against MITRE ATT&CK enables prediction of next moves and prioritization of remediation.
IoCs are retrospective artifacts (file hashes, C2 IPs); IoAs are real-time behavioral signals (privilege escalation, lateral movement).
IoAs provide detection value against novel attacks where no known IoCs exist — attackers must still take actions even with new tools.
Chain of custody transforms technical findings into legally defensible evidence; SHA-256 hash verification proves integrity.
Check Your Understanding — Section 4
13. An EDR platform alerts on vssadmin delete shadows /all /quiet executed by a service account 48 hours before ransomware detonates. This is an example of:
14. A forensic analyst collects a disk image at an incident scene. What is the FIRST action to ensure admissibility of the evidence?
15. Which statement BEST distinguishes IoC from IoA?