• observability
• malware-detection
• cloud

Organizations have been adopting cloud-based IT solutions to provide their services regardless of their operating sectors. Moreover, the adoption of cloud-based services supporting the business processes of organizations has been accelerated by the COVID-19 pandemic, so cloud infrastructures have increasingly become one of the main attackers' targets. Nowadays, malware has become one of the main threats. Therefore, the thesis proposes one approach to discovering that after breaching into the system, the attacker deployed a type of malware, namely the post-exploitation tool, on a cloud server. Precisely, a post-exploitation tool can be seen as a type of malware that allows attackers to execute any kind of unwanted and malicious activity on the compromised machine, including Advanced Persistent Threats APT(s), data leakage, or crypto mining. The idea consists of detecting such activities by looking into process-level observability metrics e.g., CPU usage, Disk usage, Network usage, and so on, to devise a heuristic malware detection algorithm. The algorithm has been deployed with the Dynatrace observability platform to build up a detection system representing the Proof of Concept (PoC). The PoC shows how malicious software can be detected by investigating simple process-level observability metrics such as Disk Usage and Network Usage. Our research defined a threat model and one attacker's objective during the post-exploitation phase which defines the scope of the thesis.