Alignment in cyber tradecraft and Resilient Detection

For years, I have been focused on finding the optimal way to detect threats. However, this is a highly complex task, as there is no absolute method to definitively determine whether an activity is malicious, unless you only rely on low-level indicators. It is true that certain behaviors can be considered malicious in most cases, such as a process loaded from AppData using a TrustedInstaller token, but this is not something that occurs frequently. In other scenarios, such as the use of anti-debugging techniques in BOF (Beacon Object File) through NtDelayExecution, identifying the optimal detection point can range from simply searching for the sleep import in an executable to inspecting thread call stacks. While both approaches are effective, thread stack analysis is significantly more precise, though at a higher cost than analyzing an executable’s import table. This reality highlights the need to establish a strategy that enables defensive teams to do more with less, which is why I will discuss the concept of Resilient Detection, not only from a technical standpoint but also from a broader, strategic perspective.

First and foremost, it is necessary to understand the current ecosystem. Today, and particularly in this part of the hemisphere, the digital ecosystem is composed of Windows and Unix systems, the major public clouds (Azure, GCP, and AWS), the global supply chain, Artificial Intelligence, and essential services such as email, identity, and application platforms. The dynamic nature of this ecosystem introduces new needs, opportunities, and challenges for adversaries and, in parallel, new detection strategies.

Needs: objectives that may range from credential exfiltration for resale to maintaining persistence within an organization to steal critical information.

Opportunities: these are highly dependent on the victim’s environment but exist within the context of the modern ecosystem. For example, cloud environments provide new opportunities for initial access, persistence, and exfiltration when compared to traditional on-premises infrastructures.

Challenges: these include regulatory constraints, the adoption of new preventive technologies, and changes in attack surfaces. As an example, on-premises Exchange services are no longer supported by Microsoft, driving adoption of Exchange Online and reducing the effectiveness of web shells and other techniques traditionally used in those environments.

These factors alter the threat landscape, compelling adversaries to evolve the methods they use to accomplish their goals.

Figure 1: Cyber Ecosystem.

Due to these factors, many hostile actors choose to rely on techniques that, within the current ecosystem, enable them to achieve their objectives.

If we look at several operations conducted by Midnight Blizzard (SVR) and some attributed to Mint Sandstorm (IRGC), and cluster their activities, it becomes clear that a number of their techniques and infrastructure elements converge.

This alignment provides valuable insight from an intelligence perspective, enabling deliverables to be focused not only on the sectors and regions targeted by hostile actors, but also on shared techniques and broader trends around what works and what does not, trends that are largely agnostic to specific sectors or regions. At the same time, it creates an opportunity to reassess detection strategies, from visibility requirements to Threat Hunting teams, and to redefine priorities accordingly. It is worth noting that, according to Splunk, 62% of Threat Hunting teams do not update their hunting scenarios. This highlights a broader issue: both hunting units and visibility requirements often fail to adapt to a changing ecosystem, where techniques that were once effective for detecting malware are no longer efficient.

If we examine Figure 2, we can identify that one of the converging techniques is the reflective loading of malicious code, as it has proven effective in an ecosystem dominated by XDR and EDR solutions. This is a clear example of how evolving needs, opportunities, and challenges have driven both Midnight Blizzard and Mint Sandstorm to adopt the same technique, though with differences in their procedures.

Figure 2: Operational alignment between Russian and Iranian threat actors.

However, they are not the only threat actors to do so. According to MITRE, groups such as Lazarus, Mustang Panda, and Gamaredon, among others, have also adopted this technique. If we look at the following image, we can observe additional threat actors and tools that leverage reflective injections as part of their arsenal, each implementing it through different procedures. This diversity significantly increases the complexity and dynamism of the Threat Hunting analyst’s work.

Figure 3: Reflective Injection procedures.

How can we counter such a dynamic ecosystem, where, according to IBM, 83% of Threat Hunting teams report that new techniques emerge faster than they can be processed? This can be achieved through Resilient Detection.

Resilient Detection is the practice of advanced identification of malicious activity, focusing on disrupting attacks by adapting to the adversary’s evolving tactics and by mastering the environment managed by the threat hunter. To implement this strategy effectively, two core principles must be followed:

Area of Operations: the system’s limitations and the behavior the environment exhibits during an attack. In other words, the paths an actor must take to maintain persistence within a given environment. Windows operating systems do not offer countless ways to achieve persistence; in fact, according to MITRE, the most commonly used techniques are the Run registry key, startup folders, and scheduled tasks, along with only a few additional options. These limitations force adversaries to choose from a constrained set of possibilities. From the hunter’s perspective, the specific procedure chosen by the hostile actor is largely irrelevant; the focus is instead placed on monitoring the activity associated with those persistence mechanisms.

A similar example can be found in Cobalt Strike beacons: even when symbol obfuscation techniques, jitter values, and other parameters are modified, the analyst will examine the call stack in search of ntdll.dll!NtDelayExecution. It is worth noting that obfuscation techniques exist for Cobalt Strike’s sleep functionality; however, these depend on the actor’s level of sophistication, which leads us to the next principle:
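The call stack check described above, as an added example that is not code from the original post: it walks constructed thread stacks and flags NtDelayExecution when the first caller above the system modules has no loaded module backing it. The module map, addresses, and sample stacks are hypothetical.

```python
# Added example (not from the original post). Flag NtDelayExecution reached from memory
# that no loaded module backs; the procedure used to get there is irrelevant to the check.
# Module map, addresses and stacks below are constructed and hypothetical.

# Constructed module map for one process: (name, base, size).
MODULES = [
    ("ntdll.dll", 0x7FF8_0000_0000, 0x0020_0000),
    ("kernel32.dll", 0x7FF8_1000_0000, 0x0010_0000),
    ("app.exe", 0x0001_4000_0000, 0x0005_0000),
]
SYSTEM_MODULES = {"ntdll.dll", "kernel32.dll", "kernelbase.dll"}

def module_for(address):
    """Return the module name that contains address, or None if the address is unbacked."""
    for name, base, size in MODULES:
        if base <= address < base + size:
            return name
    return None

def stack_is_suspicious(frames):
    """frames: innermost first, each (return_address, symbol); symbol is None if unresolved.
    True when ntdll.dll!NtDelayExecution is on the stack and the first frame above the
    system modules has no module backing (the beacon body invoking its own sleep)."""
    for i, (_, symbol) in enumerate(frames):
        if symbol != "ntdll.dll!NtDelayExecution":
            continue
        for address, _ in frames[i + 1:]:
            owner = module_for(address)
            if owner is None:
                return True          # sleep entered from unbacked memory
            if owner not in SYSTEM_MODULES:
                return False         # a legitimate image is the caller
    return False

# Constructed stacks (innermost frame first).
BENIGN_STACK = [
    (0x7FF8_0001_2340, "ntdll.dll!NtDelayExecution"),
    (0x7FF8_1003_4560, "kernel32.dll!SleepEx"),
    (0x0001_4000_1230, "app.exe!main"),
]
BEACON_STACK = [
    (0x7FF8_0001_2340, "ntdll.dll!NtDelayExecution"),
    (0x7FF8_1003_4560, "kernel32.dll!SleepEx"),
    (0x0000_1A2B_3C4D, None),        # private region that no module owns
]

if __name__ == "__main__":
    for label, stack in (("benign", BENIGN_STACK), ("beacon", BEACON_STACK)):
        print(label, "suspicious" if stack_is_suspicious(stack) else "clean")
```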

Adversary Knowledge: understanding the capabilities of adversaries, as well as the procedures, techniques, and tactics they employ to carry out attacks. This involves analyzing how they adapt to the current ecosystem to bypass defenses and exploit vulnerabilities. This is not about knowing that Volt Typhoon can use PowerShell; that is not the objective. The goal is to understand the actor’s strategic and tactical activities, how they adapt to the ecosystem, and to assess their level of sophistication and operational security (OPSEC). It is about identifying patterns that can be derived through the process of threat activity clustering. When combined with the first principle, this enables the definition of Resilient Detection strategies tailored to an actor’s activity.

Rather than focusing on what Volt Typhoon knows about Windows binaries, it may be more effective to identify its modus operandi, such as DLL side-loading and its defining characteristics.

Using reflective injection as an example, defining a separate hunting scenario for every procedure used by each actor would be impractical and unsustainable. Instead, we can study the technique itself and determine the most effective way to detect it. If we think of a house with two windows and a door, and a burglar’s goal is to break in, they have to enter either through the door or through the windows. They may use a hammer, lock-picking tools, a shotgun, or even a magic key, but they still have to pass through the house’s entry points. That is precisely where we would place our visibility and detection costs.

If we examine Figure 3, we can observe that Mint Sandstorm uses a tool known as RunPE-In-Memory, which reflectively loads a malicious PE into system memory. This involves manually assembling all PE components, from the header and Import Address Table to memory relocations, without relying on the Windows loader. In contrast, Aqua Blizzard achieves the same technique using .NET System.Reflection classes, a less sophisticated and therefore less costly approach than that employed by Mint Sandstorm, while still achieving the same outcome.

From a Threat Hunting perspective, it would be possible to monitor both procedures. However, in the case of Mint Sandstorm, this becomes significantly more complex due to the use of a C++ compiled tool, which may limit detection to process creation events or PowerShell invocation, when applicable. Alternatively, by applying the first principle, the Area of Operations, we can focus on understanding how the system behaves when a PE is manually loaded into memory, regardless of whether the implementation is in C++ or C#.

In the case of RunPE-In-Memory, manual executable loading is characterized by mapping the entire file into a single memory segment, rather than mapping it section by section as the operating system normally would. This behavior is driven by the cost associated with performing section-by-section mapping (Figure 4). In the case of Aqua Blizzard, analysis would instead focus on identifying assemblies without disk backing, lacking standard flags, and exhibiting random or otherwise suspicious naming patterns.
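The single-segment mapping described above for RunPE-In-Memory, as an added example that is not code from the original post or from the tool: constructed memory regions are parsed and a region is flagged when it is not a loader-mapped, disk-backed image yet holds a PE whose entire image fits inside that one allocation. The region layout, paths and addresses are hypothetical; the Aqua Blizzard case (unbacked .NET assemblies) is outside this block.

```python
# Added example (not from the original post). Detect a PE manually mapped into one
# private allocation instead of loader-mapped, disk-backed sections. Constructed data.
import struct

def parse_pe_header(data):
    """Return (SizeOfImage, [(name, VirtualAddress, VirtualSize)]) or None if no PE is present."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return None
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                           # IMAGE_OPTIONAL_HEADER
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    sections = []
    for i in range(n_sections):                             # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, vaddr = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), vaddr, vsize))
    return size_of_image, sections

def build_pe(sections, size_of_image):
    """Constructed minimal PE32+ header; only the fields the detector reads are filled in."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<I", opt, 56, size_of_image)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, 0, 0, 0, 0, 0, 0, 0)
                     for n, va, vs in sections)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + table

def find_manually_mapped_images(regions):
    """regions: VirtualQuery-style records (base, size, type, mapped_path, bytes). A hit is a
    non-image region whose PE header describes an image that fits entirely in that allocation."""
    hits = []
    for base, size, mem_type, path, data in regions:
        parsed = None if (mem_type == "MEM_IMAGE" and path) else parse_pe_header(data)
        if parsed and parsed[0] <= size and all(va + vs <= size for _, va, vs in parsed[1]):
            hits.append((base, [n for n, _, _ in parsed[1]]))
    return hits

REGIONS = [  # constructed: one loader-mapped image, one manually mapped PE, one empty page
    (0x7FF8_0000_0000, 0x20_0000, "MEM_IMAGE", r"C:\Windows\System32\ntdll.dll",
     build_pe([(".text", 0x1000, 0x12000)], 0x20_0000)),
    (0x1A2B_0000, 0x3_0000, "MEM_PRIVATE", None,
     build_pe([(".text", 0x1000, 0x8000), (".rdata", 0x9000, 0x2000), (".reloc", 0xB000, 0x400)], 0x3_0000)),
    (0x2000_0000, 0x1000, "MEM_PRIVATE", None, b"\0" * 0x1000),
]
```

Running `find_manually_mapped_images(REGIONS)` returns only the private region at 0x1A2B0000 with its three section names.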

Figure 4: Reflective loader via RunPEInMemory.

It is important to emphasize that as techniques increase in sophistication, the effort and cost associated with visibility, detection engineering, and analysis increase accordingly.

To conclude, Resilient Detection should not be viewed as a trivial or quick-win strategy. Achieving it requires sustained effort, deep understanding of the environment, and significant investment of time. However, the long-term payoff is substantial: reduced alert noise, lower operational fatigue across security teams, and a decisive shift in focus toward high- and critical-severity alerts with a genuine likelihood of impact. Ultimately, Resilient Detection enables security teams to move from reactive alert handling to proactive, intelligence-driven defense.
