
The Death of Static Lineage: Fusing Co-Occurrence Math with Call Stack Anomalies

Siddhant Mishra

Threat Researcher

The security industry has historically relied on monitoring parent-child process trees to identify malicious execution. If Microsoft Word spawns a command shell, a static rule triggers. However, advanced adversaries - particularly those operating in high-stakes financial and telecommunications sectors - are fully aware of these static registries.

To evade detection, threat actors leverage Living-off-the-Land (LotL) binaries to blend into benign administrative noise. When combined with unbacked memory injection, adversaries successfully sever the visible lineage, rendering traditional path-based whitelisting and static rule registries dead. Modern detection engineering requires a shift toward mathematical baselines fused with Entity-Relationship (ER) graphs and LLM reasoning loops.
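The following is an added illustration of the two ideas in the paragraph above, not code from the original post or its author: a co-occurrence baseline over parent/child pairs that turns lineage into a surprisal score, fused with a call-stack check for frames that are not backed by any on-disk image. The telemetry, the event schema, the threshold and the frame weight are all constructed assumptions for the example.

```python
import math
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class ProcEvent:
    """One process-creation event from an EDR-style sensor (constructed schema)."""
    parent: str
    child: str
    # Module backing each call-stack frame captured at creation time.
    # None marks a frame in memory that no image on disk backs ("unbacked").
    stack: List[Optional[str]]

NORMAL_STACK = ["ntdll.dll", "kernelbase.dll", "kernel32.dll"]

def make_baseline() -> List[ProcEvent]:
    """Constructed benign baseline; the pair counts are illustrative only."""
    counts: Dict[Tuple[str, str], int] = {
        ("explorer.exe", "winword.exe"): 40,
        ("explorer.exe", "cmd.exe"): 20,
        ("svchost.exe", "wmiprvse.exe"): 15,
        ("cmd.exe", "powershell.exe"): 10,
    }
    return [ProcEvent(p, c, NORMAL_STACK)
            for (p, c), n in counts.items() for _ in range(n)]

class LineageBaseline:
    """Co-occurrence statistics of (parent, child) pairs from benign history."""
    def __init__(self, events: List[ProcEvent]):
        self.pair_counts = Counter((e.parent, e.child) for e in events)
        self.total = len(events)

    def surprisal(self, parent: str, child: str) -> float:
        # Surprisal in bits, -log2 P(pair); add-one smoothing keeps unseen
        # pairs finite but high instead of infinite.
        c = self.pair_counts.get((parent, child), 0)
        return -math.log2((c + 1) / (self.total + 1))

def unbacked_frames(stack: List[Optional[str]]) -> List[int]:
    """Indices of call-stack frames with no backing module."""
    return [i for i, mod in enumerate(stack) if mod is None]

# Assumed fusion parameters: each unbacked frame adds a fixed number of bits.
UNBACKED_WEIGHT_BITS = 4.0
ALERT_THRESHOLD_BITS = 5.0

def score_event(baseline: LineageBaseline, event: ProcEvent) -> Dict:
    """Fuse lineage rarity with call-stack anomalies into one score."""
    lineage = baseline.surprisal(event.parent, event.child)
    frames = unbacked_frames(event.stack)
    fused = lineage + UNBACKED_WEIGHT_BITS * len(frames)
    reasons = []
    if lineage >= ALERT_THRESHOLD_BITS:
        reasons.append(f"rare lineage {event.parent}->{event.child} ({lineage:.1f} bits)")
    if frames:
        reasons.append(f"unbacked call-stack frames at {frames}")
    return {
        "lineage_bits": lineage,
        "unbacked_frames": frames,
        "fused_bits": fused,
        "alert": fused >= ALERT_THRESHOLD_BITS,
        "reasons": reasons,
    }

if __name__ == "__main__":
    base = LineageBaseline(make_baseline())
    # Three constructed test events: a benign shell, a classic Word->cmd
    # lineage, and a severed lineage (common parent) with an unbacked frame.
    samples = [
        ProcEvent("explorer.exe", "cmd.exe", NORMAL_STACK),
        ProcEvent("winword.exe", "cmd.exe", NORMAL_STACK),
        ProcEvent("explorer.exe", "cmd.exe", ["ntdll.dll", None, "kernel32.dll"]),
    ]
    for ev in samples:
        r = score_event(base, ev)
        print(f"{ev.parent}->{ev.child}: alert={r['alert']} "
              f"fused={r['fused_bits']:.1f} reasons={r['reasons']}")
```

The third sample is the case the paragraph describes: the parent/child pair itself is common, so a lineage-only rule stays silent, but the unbacked frame pushes the fused score over the threshold. Both the weight and the threshold would be tuned against real baseline volume rather than the constructed counts used here.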

Related articles

Fileless Malware and Process-Based Attacks Analysis

Fileless malware is one of the most dangerous and evasive attack techniques. Unlike traditional malware, it leaves no files on disk; instead, it hides inside the system's own trusted processes and tools, making it nearly invisible to conventional security software. In this article, we break down how fileless and process-based attacks work, how attackers use built-in Windows utilities like PowerShell and WMI to execute malicious code entirely in memory, and what defenders need to do to detect and stop them before it's too late.

GTG-1002: AI Orchestrated Cyber Espionage Campaign

In mid-September 2025, Anthropic's Threat Intelligence team detected and disrupted a cyber espionage campaign attributed with high confidence to a Chinese state-sponsored group designated GTG-1002. It is considered the first documented AI-orchestrated cyberattack at this scale, with all phases of the cyber kill chain performed largely by AI. The attackers manipulated Claude Code into acting as an autonomous attack agent by social engineering it. They built a framework using Claude Code and Model Context Protocol (MCP) tools to run the attack largely without human involvement. The AI handled 80–90% of all tactical operations, including reconnaissance, vulnerability discovery, exploitation, credential harvesting, lateral movement, and data exfiltration. Human operators only stepped in at strategic decision points, such as approving escalation to active exploitation or authorizing final data exfiltration.

ATT&CKv19: Changes in MITRE ATT&CK® Framework

MITRE ATT&CK v19.1 introduces significant updates across the Enterprise, Mobile, and ICS domains, enhancing the framework’s ability to model modern adversary behavior. Key changes include the introduction of the new Defense Impairment tactic, the renaming of Defense Evasion to Stealth, expanded threat intelligence coverage with new threat groups, software, and campaigns, and the addition of ICS sub-techniques for greater analytical granularity. This article explores the major differences between ATT&CK v18.1 and v19.1, highlighting the impact of these changes on threat intelligence, detection engineering, and cybersecurity operations.
