{"id":"https://openalex.org/W4413824425","doi":"https://doi.org/10.3390/fi17090394","title":"Elasticsearch-Based Threat Hunting to Detect Privilege Escalation Using Registry Modification and Process Injection Attacks","display_name":"Elasticsearch-Based Threat Hunting to Detect Privilege Escalation Using Registry Modification and Process Injection Attacks","publication_year":2025,"publication_date":"2025-08-29","ids":{"openalex":"https://openalex.org/W4413824425","doi":"https://doi.org/10.3390/fi17090394"},"language":"en","primary_location":{"id":"doi:10.3390/fi17090394","is_oa":true,"landing_page_url":"https://doi.org/10.3390/fi17090394","pdf_url":"https://www.mdpi.com/1999-5903/17/9/394/pdf?version=1756476538","source":{"id":"https://openalex.org/S34838331","display_name":"Future Internet","issn_l":"1999-5903","issn":["1999-5903"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310310987","host_organization_name":"Multidisciplinary Digital Publishing Institute","host_organization_lineage":["https://openalex.org/P4310310987"],"host_organization_lineage_names":["Multidisciplinary Digital Publishing Institute"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Future Internet","raw_type":"journal-article"},"type":"article","indexed_in":["crossref","doaj"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://www.mdpi.com/1999-5903/17/9/394/pdf?version=1756476538","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5090659568","display_name":"Akashdeep Bhardwaj","orcid":"https://orcid.org/0000-0001-7361-0465"},"institutions":[{"id":"https://openalex.org/I5847235","display_name":"University of Petroleum and Energy Studies","ror":"https://ror.org/04q2jes40","country_code":"IN","type":"education","lineage":["https://openalex.org/I5847235"]}],"countries":["IN"],"is_corresponding":true,"raw_author_name":"Akashdeep Bhardwaj","raw_affiliation_strings":["Centre for Cybersecurity, School of Computer Science, University of Petroleum and Energy Studies, Dehradun 248007, India"],"raw_orcid":"https://orcid.org/0000-0001-7361-0465","affiliations":[{"raw_affiliation_string":"Centre for Cybersecurity, School of Computer Science, University of Petroleum and Energy Studies, Dehradun 248007, India","institution_ids":["https://openalex.org/I5847235"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5030726518","display_name":"Luxmi Sapra","orcid":"https://orcid.org/0000-0002-8398-5030"},"institutions":[{"id":"https://openalex.org/I60054993","display_name":"Graphic Era University","ror":"https://ror.org/03wqgqd89","country_code":"IN","type":"education","lineage":["https://openalex.org/I60054993"]}],"countries":["IN"],"is_corresponding":false,"raw_author_name":"Luxmi Sapra","raw_affiliation_strings":["Faculty Computer Application, Graphic Era Hill University, Dehradun 248002, India"],"raw_orcid":"https://orcid.org/0000-0002-8398-5030","affiliations":[{"raw_affiliation_string":"Faculty Computer Application, Graphic Era Hill University, Dehradun 248002, India","institution_ids":["https://openalex.org/I60054993"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5101637251","display_name":"Syed M Rahman","orcid":"https://orcid.org/0000-0001-6763-6714"},"institutions":[{"id":"https://openalex.org/I35722693","display_name":"University of Hawaii at Hilo","ror":"https://ror.org/02mp2av58","country_code":"US","type":"education","lineage":["https://openalex.org/I35722693"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Shawon Rahman","raw_affiliation_strings":["Department of Computer Science, University of Hawaii-Hilo, Hilo, HI 96720, USA"],"raw_orcid":"https://orcid.org/0000-0001-6763-6714","affiliations":[{"raw_affiliation_string":"Department of Computer Science, University of Hawaii-Hilo, Hilo, HI 96720, USA","institution_ids":["https://openalex.org/I35722693"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5090659568","https://openalex.org/A5101637251"],"corresponding_institution_ids":["https://openalex.org/I35722693","https://openalex.org/I5847235"],"apc_list":{"value":1400,"currency":"CHF","value_usd":1515},"apc_paid":{"value":1400,"currency":"CHF","value_usd":1515},"fwci":0.0,"has_fulltext":true,"cited_by_count":0,"citation_normalized_percentile":{"value":0.24892515,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"17","issue":"9","first_page":"394","last_page":"394"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10917","display_name":"Smart Grid Security and Resilience","score":0.968500018119812,"subfield":{"id":"https://openalex.org/subfields/2207","display_name":"Control and Systems Engineering"},"field":{"id":"https://openalex.org/fields/22","display_name":"Engineering"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10917","display_name":"Smart Grid Security and Resilience","score":0.968500018119812,"subfield":{"id":"https://openalex.org/subfields/2207","display_name":"Control and Systems Engineering"},"field":{"id":"https://openalex.org/fields/22","display_name":"Engineering"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11357","display_name":"Risk and Safety Analysis","score":0.9617000222206116,"subfield":{"id":"https://openalex.org/subfields/1804","display_name":"Statistics, Probability and Uncertainty"},"field":{"id":"https://openalex.org/fields/18","display_name":"Decision Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.945900022983551,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8033179044723511},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.597644567489624},{"id":"https://openalex.org/keywords/process","display_name":"Process (computing)","score":0.5660550594329834},{"id":"https://openalex.org/keywords/de-escalation","display_name":"De-escalation","score":0.5057718753814697},{"id":"https://openalex.org/keywords/privilege","display_name":"Privilege (computing)","score":0.49589666724205017},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.31260359287261963},{"id":"https://openalex.org/keywords/law","display_name":"Law","score":0.19352158904075623},{"id":"https://openalex.org/keywords/political-science","display_name":"Political science","score":0.12065589427947998}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8033179044723511},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.597644567489624},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.5660550594329834},{"id":"https://openalex.org/C2776056953","wikidata":"https://www.wikidata.org/wiki/Q1182511","display_name":"De-escalation","level":2,"score":0.5057718753814697},{"id":"https://openalex.org/C2780138299","wikidata":"https://www.wikidata.org/wiki/Q3404265","display_name":"Privilege (computing)","level":2,"score":0.49589666724205017},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.31260359287261963},{"id":"https://openalex.org/C199539241","wikidata":"https://www.wikidata.org/wiki/Q7748","display_name":"Law","level":1,"score":0.19352158904075623},{"id":"https://openalex.org/C17744445","wikidata":"https://www.wikidata.org/wiki/Q36442","display_name":"Political science","level":0,"score":0.12065589427947998}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.3390/fi17090394","is_oa":true,"landing_page_url":"https://doi.org/10.3390/fi17090394","pdf_url":"https://www.mdpi.com/1999-5903/17/9/394/pdf?version=1756476538","source":{"id":"https://openalex.org/S34838331","display_name":"Future Internet","issn_l":"1999-5903","issn":["1999-5903"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310310987","host_organization_name":"Multidisciplinary Digital Publishing Institute","host_organization_lineage":["https://openalex.org/P4310310987"],"host_organization_lineage_names":["Multidisciplinary Digital Publishing Institute"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Future Internet","raw_type":"journal-article"},{"id":"pmh:oai:doaj.org/article:9c1c0ac5bc274338ba9ecf8c185b1ecb","is_oa":true,"landing_page_url":"https://doaj.org/article/9c1c0ac5bc274338ba9ecf8c185b1ecb","pdf_url":null,"source":{"id":"https://openalex.org/S4306401280","display_name":"DOAJ (DOAJ: Directory of Open Access Journals)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by-sa","license_id":"https://openalex.org/licenses/cc-by-sa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"Future Internet, Vol 17, Iss 9, p 394 (2025)","raw_type":"article"}],"best_oa_location":{"id":"doi:10.3390/fi17090394","is_oa":true,"landing_page_url":"https://doi.org/10.3390/fi17090394","pdf_url":"https://www.mdpi.com/1999-5903/17/9/394/pdf?version=1756476538","source":{"id":"https://openalex.org/S34838331","display_name":"Future Internet","issn_l":"1999-5903","issn":["1999-5903"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310310987","host_organization_name":"Multidisciplinary Digital Publishing Institute","host_organization_lineage":["https://openalex.org/P4310310987"],"host_organization_lineage_names":["Multidisciplinary Digital Publishing Institute"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Future Internet","raw_type":"journal-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4413824425.pdf","grobid_xml":"https://content.openalex.org/works/W4413824425.grobid-xml"},"referenced_works_count":14,"referenced_works":["https://openalex.org/W2942070238","https://openalex.org/W4387415009","https://openalex.org/W4390547604","https://openalex.org/W4391849119","https://openalex.org/W4392450052","https://openalex.org/W4394692031","https://openalex.org/W4394994483","https://openalex.org/W4403835869","https://openalex.org/W4403918261","https://openalex.org/W4404064052","https://openalex.org/W4404247531","https://openalex.org/W4404639181","https://openalex.org/W4406928793","https://openalex.org/W4409014337"],"related_works":["https://openalex.org/W2374400535","https://openalex.org/W2026661114","https://openalex.org/W1603110617","https://openalex.org/W2108239983","https://openalex.org/W2892079901","https://openalex.org/W2940342784","https://openalex.org/W2134261832","https://openalex.org/W4301379134","https://openalex.org/W4385764548","https://openalex.org/W2378735042"],"abstract_inverted_index":{"Malicious":[0],"actors":[1],"often":[2],"exploit":[3],"persistence":[4,79],"mechanisms,":[5],"such":[6,78],"as":[7],"unauthorized":[8,91],"modifications":[9,95],"to":[10,17,76],"Windows":[11],"startup":[12],"directories":[13,53],"or":[14,48,56],"registry":[15,93,119,133,206],"keys,":[16],"achieve":[18],"privilege":[19,195],"escalation":[20,196],"and":[21,71,122,135,149,197,207],"maintain":[22],"access":[23],"on":[24,89],"compromised":[25],"systems.":[26],"While":[27],"information":[28],"technology":[29],"(IT)":[30],"teams":[31],"legitimately":[32],"use":[33],"these":[34,161],"AutoStart":[35],"Extension":[36],"Points":[37],"(ASEPs),":[38],"adversaries":[39],"frequently":[40],"deploy":[41],"malicious":[42,104,136,186],"binaries":[43],"with":[44],"non-standard":[45],"naming":[46],"conventions":[47],"execute":[49],"files":[50],"from":[51],"transient":[52],"(e.g.,":[54,118],"Temp":[55],"Public":[57],"folders).":[58],"This":[59,188],"study":[60],"proposes":[61],"a":[62,66],"threat-hunting":[63],"framework":[64],"using":[65],"custom":[67],"Elasticsearch":[68],"Security":[69],"Information":[70],"Event":[72,143,150],"Management":[73],"(SIEM)":[74],"system":[75],"detect":[77],"tactics.":[80,162],"Two":[81],"hypothesis-driven":[82],"investigations":[83],"were":[84],"conducted:":[85],"the":[86,101,126,166,183,200],"first":[87],"focused":[88],"identifying":[90],"ASEP":[92],"key":[94,120],"during":[96],"user":[97],"logon":[98],"events,":[99],"while":[100],"second":[102],"targeted":[103],"Dynamic":[105],"Link":[106],"Library":[107],"(DLL)":[108],"injections":[109],"within":[110],"temporary":[111],"directories.":[112],"By":[113],"correlating":[114],"Sysmon":[115,142],"event":[116,170],"logs":[117],"creation/modification":[121],"process":[123],"creation":[124],"events),":[125],"researchers":[127],"identified":[128],"attack":[129],"chains":[130],"involving":[131],"sequential":[132],"edits":[134],"file":[137],"executions.":[138],"Analysis":[139],"confirmed":[140],"that":[141],"ID":[144,151],"12":[145],"(registry":[146],"object":[147],"creation)":[148],"7":[152],"(DLL":[153],"loading)":[154],"provided":[155],"critical":[156],"forensic":[157],"evidence":[158],"for":[159,202],"detecting":[160],"The":[163],"findings":[164],"underscore":[165],"efficacy":[167],"of":[168,185,205],"real-time":[169],"correlation":[171],"in":[172,175,210],"SIEM":[173],"systems":[174],"disrupting":[176],"adversarial":[177],"workflows,":[178],"enabling":[179],"rapid":[180],"mitigation":[181],"through":[182],"removal":[184],"entries.":[187],"approach":[189],"advances":[190],"proactive":[191],"defense":[192],"strategies":[193],"against":[194],"persistence,":[198],"emphasizing":[199],"need":[201],"granular":[203],"monitoring":[204],"filesystem":[208],"activities":[209],"enterprise":[211],"environments.":[212]},"counts_by_year":[],"updated_date":"2026-05-21T06:26:12.895304","created_date":"2025-10-10T00:00:00"}
