Post-event detection refers to analyzing collected telemetry and identifying suspicious or malicious activity after it has been executed.
It relies on stored logs, metadata, and behavioral correlations rather than on intercepting the action as it happens.
Focused on forensic investigation, threat hunting, and response.
Typically implemented in the EDR’s backend, SIEM systems, or cloud analytics.
Abnormal process trees (e.g., Word spawning PowerShell).
Suspicious registry key changes or persistence artifacts.
Rare or high-entropy network connections.
Retrospective matching of known malware hashes against stored telemetry.
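As an added example (not code from the original page), the following reconstructs process ancestry from stored process-creation records and flags the "Office application spawns a script host" pattern listed above, including indirect chains such as WINWORD -> cmd.exe -> powershell.exe. The field names and sample events are constructed to resemble Sysmon Event ID 1 data and are assumptions.

```python
"""Retrospective process-tree check over stored process-creation telemetry.
Added example, not code from the original page. Field names and the sample
events are constructed to resemble Sysmon Event ID 1 records (an assumption).
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample telemetry: one record per process start.
SAMPLE_EVENTS = [
    {"guid": "p1", "parent": "p0", "image": r"C:\Windows\explorer.exe"},
    {"guid": "p2", "parent": "p1", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"guid": "p3", "parent": "p2", "image": r"C:\Windows\System32\cmd.exe"},
    {"guid": "p4", "parent": "p3", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"guid": "p5", "parent": "p1", "image": r"C:\Windows\System32\notepad.exe"},
    {"guid": "p6", "parent": "p5", "image": r"C:\Windows\System32\cmd.exe"},
]

def basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()

def ancestry(index, guid, max_depth):
    """Yield (depth, image name) for each stored ancestor, nearest first."""
    depth = 0
    parent = index.get(guid, {}).get("parent")
    while parent in index and depth < max_depth:
        depth += 1
        yield depth, basename(index[parent]["image"])
        parent = index[parent].get("parent")

def find_office_spawned_script_hosts(events, max_depth=3):
    """Return (ancestor, child, depth, guid) for every script host that has
    an Office application within max_depth ancestors. Walking the chain,
    rather than checking only the direct parent, still catches
    WINWORD -> cmd.exe -> powershell.exe."""
    index = {e["guid"]: e for e in events}
    findings = []
    for e in events:
        child = basename(e["image"])
        if child not in SCRIPT_HOSTS:
            continue
        for depth, ancestor in ancestry(index, e["guid"], max_depth):
            if ancestor in OFFICE_APPS:
                findings.append((ancestor, child, depth, e["guid"]))
                break
    return findings
```

On the sample data the cmd.exe started by notepad.exe is not reported, while both cmd.exe and the powershell.exe two levels below WINWORD are.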
From the operator's side, the goal is to minimize the artifacts left behind in that stored telemetry.
Living-off-the-land techniques (LOLbins) and fileless execution help avoid post-mortem patterns.
Metadata minimization is key: don’t stand out.