Cover Image for How to Investigate Code Intent with ChatGPT
Blog

How to Investigate Code Intent with ChatGPT

05.23.23 | By Brian Greunke

Like many other security professionals, we are currently fascinated with exploring the possibilities the recently released ChatGPT creates for our security teams. But tools, software, and technologies have strengths, weaknesses, costs, benefits, and tradeoffs. These Large Language Models (LLMs) are no different. Understanding the appropriate use cases of these tools is a fascinating learning experience. As an organization who values people over process over technology, we are exploring the opportunities to augment or assist our people and our processes using this technology.

Current Operations (COPs) in the SOC

Again, like many other organizations who operate a modern SOC, one of our goals is to incorporate automation which can reduce analyst fatigue and return deterministic results. One such opportunity we are exploring is analysis of potentially malicious commands executed.

As an example, Sentinel comes with a built-in rule templates which can detect potentially malicious PowerShell commands when executed on an endpoint. In the past I’ve seen incredibly complex, business-critical PowerShell scripts which are executed on a production Exchange Server, Domain Controller, and other valuable assets. (For a moment let’s disregard the “appropriateness” of this behavior and just recognize that “it happens.”)

Executing these scripts inevitably triggers alerts from whatever detection system is in place, and rightfully so. Alternatively, if an attacker builds a malicious script, they may obfuscate the code and/or intent. In either case, deciphering what the script is doing is important. SO, before triaging alerts, tuning rules, or updating detections, analysts are often first required to understand what the heck is going on.

Often, this consists of one of the following:

  • Parsing the code, line by line (if it even has more than one line!) to read, process, and understand the script
  • Execute the code in a sandbox, with some sort of analysis tool and/or a debugger

In either case, this can be complex, cumbersome, and challenging for new analysts. When the code is NOT malicious, it’s additionally taxing to have spent time debugging an IT administrator’s automation script unnecessarily.

Using Machine Learning

Enter ChatGPT. ChatGPT is an interface to a LLM which excels at producing human-like language or writing. This is the perfect use case (deciphering unreadable code) into something a human being can better interpret. Not every analyst is going to be an expert in PowerShell, and deciphering intent from code is an even more challenging problem. Rather than trying to boil the ocean, let’s augment our analysts with that first step: understand the actions that a script is taking.

Let’s consider the following PowerShell script which simply downloads and runs an executable.

At first glance, this script is challenging to read. It doesn’t appear to be purposefully obfuscated, but the intent is not immediately evident. And it’s potentially unreadable by someone who isn’t well versed in PowerShell.

If we drop this into ChatGPT with a purposefully crafted prompt, we get the following response back:

Much easier! ChatGPT did an awesome job deciphering this script and any analyst should be able to understand the actions this script is taking! Now they can begin appropriate follow-on actions armed with more knowledge.

Turn it up to 11

Now, let’s take it one step further, using the same script but purposefully obfuscated:

This is entirely unreadable as it’s been Base64 encoded. An analyst is likely to understand that is has been encoded but will require extra steps to (first) decode it, (then) try to understand it. ChatGPT fortunately can do both at once!

The response indicates a pretty good (and similar) response to the original (decoded) request. It also INCREASED the confidence of malice, likely due to the fact that the script is encoded which often indicates a purposeful attempt to obfuscate the commands.

Closing and Next Steps

We can take this a step further and automate the analysis using Playbooks in Azure Sentinel. When an Incident is created in Sentinel which meets the criteria filters to identify a PowerShell script, we can execute a Logic App to interface with the analysis engine. Now, rather than an analyst dropping into the browser, they can just check the comments in the Incident!

Again, this process will not replace an analyst, nor does it feel ready to execute fully autonomously, without human oversight, but it can certainly HELP our analysts, reduce some complexity, and save time and money.

If you are interested in speaking with our experts about how to execute our intel-driven, threat-informed approach to a modern SOC, please reach out to info@meetascent.com.

Share this Post
Whether you’re starting your cybersecurity journey or you’re improving your security posture, our team is passionate about protecting your people and business.
content
Blog
Why Purdue Model Level 0 Is the Most Important to Secure

February 6, 2024 – If you had to divide a business into operating layers and prioritize by importance, how would you do it? Cybersecurity strategy must rank which risk is most likely to topple a business’ continuity.

content
Blog
Enabling Microsoft Security Copilot

December 19, 2023 – Security Copilot is Microsoft’s generative AI complement to its unified security platform. Here’s how to plan a security-aware implementation.

content
Blog
How to Respond to the United States AI Executive Order

December 12, 2023 – How should businesses respond to the United States’ AI Executive Order?