CrowdStrike 2025 Threat Hunting Report – Part 6: Endpoint Hunting

  • Writer: Katarzyna Celińska
  • Aug 28
  • 1 min read

Adversaries also rely on endpoint exploitation to steal credentials, facilitate lateral movement, and establish persistence. The 2025 report highlights how groups use advanced techniques to breach Linux systems and evade detection.

Case Study:

One of the most notable findings is GLACIAL PANDA’s use of ShieldSlide, a trojanized OpenSSH binary:

- Deployed on compromised Linux hosts

- Logs user authentication sessions to harvest credentials

- Provides backdoor access, allowing attackers to authenticate as any account, including root when a hardcoded password is used

Although ShieldSlide appears nearly identical to legitimate OpenSSH binaries, small modifications in the source code log credentials and support stealth persistence.

Endpoint Observations

The report stresses that successful endpoint hunting requires looking beyond malware signatures and into behavioral anomalies:

- Detecting low-prevalence binaries that don’t match standard system builds

- Monitoring logon anomalies tied to trojanized authentication tools

- Correlating endpoint telemetry with identity or cloud data to track pivots

- Adversaries frequently employ “living off the land” techniques on endpoints, abusing built-in Linux and Windows utilities to avoid detection.
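As an added illustration of the first two observations (this is not code from the report or from this post), the script below flags package-tracked binaries whose hash no longer matches a known-good manifest, and password logons that a key-only host should never see. The manifest, file contents and auth log lines are constructed for the example; on a real host the expected hashes would come from the package manager (for instance `dpkg --verify` or `rpm -V`).

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample binaries: a "clean" sshd and a modified copy of it.
CLEAN_SSHD = b"\x7fELF clean-openssh-sshd-build"
TROJAN_SSHD = CLEAN_SSHD + b" + credential logger"

# Constructed auth log lines (format follows OpenSSH's "Accepted" messages).
AUTH_LOG = [
    "Jul 12 03:14:07 web1 sshd[2210]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2",
    "Jul 12 03:15:41 web1 sshd[2231]: Accepted password for root from 203.0.113.9 port 40110 ssh2",
    "Jul 12 03:16:02 web1 sshd[2240]: Accepted password for backup from 10.0.0.7 port 40120 ssh2",
]
AUTH_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def find_modified_binaries(manifest: dict[str, str], root: Path) -> list[str]:
    """Return manifest paths whose on-disk SHA-256 no longer matches.
    `manifest` maps a path relative to `root` to the hash recorded at
    install time (in practice sourced from dpkg/rpm package metadata)."""
    return [rel for rel, expected in manifest.items()
            if sha256_hex((root / rel).read_bytes()) != expected]

def suspicious_logons(lines, password_allowed=frozenset()) -> list[dict]:
    """Flag password logons for users the host policy does not permit.
    A trojanized sshd that accepts a hardcoded password still emits a normal
    'Accepted password' line, so root password logons on a key-only host are
    a cheap correlation signal next to a binary hash mismatch."""
    hits = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m and m["method"] == "password" and m["user"] not in password_allowed:
            hits.append(m.groupdict())
    return hits

def demo() -> tuple[list[str], list[dict]]:
    """Build a fake root filesystem with a replaced sshd and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in {"usr/sbin/sshd": TROJAN_SSHD, "usr/bin/ssh": b"clean ssh client"}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        manifest = {"usr/sbin/sshd": sha256_hex(CLEAN_SSHD),
                    "usr/bin/ssh": sha256_hex(b"clean ssh client")}
        modified = find_modified_binaries(manifest, root)
    return modified, suspicious_logons(AUTH_LOG, password_allowed={"backup"})
```

Calling `demo()` reports `usr/sbin/sshd` as modified and the root password logon from 203.0.113.9 as the only anomalous logon; both signals together are far more telling than either alone.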

Endpoints continue to play a pivotal role in adversary operations. The ShieldSlide case is a perfect example: attackers can subtly modify trusted binaries to harvest credentials and create backdoors. For defenders, endpoint hunting means embracing a forensic mindset, looking for anomalies that appear benign in isolation but signal compromise when correlated across domains.
