Like many other security professionals, we are currently fascinated with exploring the possibilities the recently released ChatGPT creates for our security teams. But tools, software, and technologies have strengths, weaknesses, costs, benefits, and tradeoffs. These Large Language Models (LLMs) are no different. Understanding the appropriate use cases of these tools is a fascinating learning experience. As an organization that values people over process over technology, we are exploring the opportunities to augment or assist our people and our processes using this technology.
Current Operations (COPs) in the SOC
Again, like many other organizations that operate a modern SOC, one of our goals is to incorporate automation which can reduce analyst fatigue and return deterministic results. One such opportunity we are exploring is the analysis of executed commands that are potentially malicious.
As an example, Sentinel comes with built-in rule templates which can detect potentially malicious PowerShell commands when executed on an endpoint. In the past I’ve seen incredibly complex, business-critical PowerShell scripts which are executed on a production Exchange Server, Domain Controller, and other valuable assets. (For a moment let’s disregard the “appropriateness” of this behavior and just recognize that “it happens.”)
Executing these scripts inevitably triggers alerts from whatever detection system is in place, and rightfully so. Alternatively, if an attacker builds a malicious script, they may obfuscate the code and/or intent. In either case, deciphering what the script is doing is important. So, before triaging alerts, tuning rules, or updating detections, analysts are often first required to understand what the heck is going on.
Often, this consists of one of the following:
- Parsing the code, line by line (if it even has more than one line!) to read, process, and understand the script
- Executing the code in a sandbox, with some sort of analysis tool and/or a debugger
In either case, this can be complex, cumbersome, and challenging for new analysts. When the code is NOT malicious, it’s additionally taxing to have spent time debugging an IT administrator’s automation script unnecessarily.
Using Machine Learning
Enter ChatGPT. ChatGPT is an interface to an LLM which excels at producing human-like language or writing. This is the perfect use case: turning unreadable code into something a human being can better interpret. Not every analyst is going to be an expert in PowerShell, and deciphering intent from code is an even more challenging problem. Rather than trying to boil the ocean, let’s augment our analysts with that first step: understand the actions that a script is taking.
Let’s consider the following PowerShell script which simply downloads and runs an executable.
At first glance, this script is challenging to read. It doesn’t appear to be purposefully obfuscated, but the intent is not immediately evident. And it’s potentially unreadable by someone who isn’t well versed in PowerShell.
If we drop this into ChatGPT with a purposefully crafted prompt, we get the following response back:
Much easier! ChatGPT did an awesome job deciphering this script and any analyst should be able to understand the actions this script is taking! Now they can begin appropriate follow-on actions armed with more knowledge.
Turn it up to 11
Now, let’s take it one step further, using the same script but purposefully obfuscated:
This is entirely unreadable as it’s been Base64 encoded. An analyst is likely to understand that it has been encoded but will require extra steps to first decode it and then try to understand it. ChatGPT fortunately can do both at once!
The response is pretty good, and similar to the one for the original (decoded) request. It also INCREASED the confidence of malice, likely due to the fact that the script is encoded, which often indicates a purposeful attempt to obfuscate the commands.
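The manual decode step described above, as an added example that is not part of the original post: a PowerShell `-EncodedCommand` argument is Base64 over UTF-16LE text, so an analyst or a playbook can recover the script locally before reading it or passing it on for explanation. The function names and the sample command line are constructed for illustration.

```python
import base64
import binascii
from typing import Optional


def find_encoded_command(command_line: str) -> Optional[str]:
    """Return the Base64 argument that follows -EncodedCommand, or None."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[0] not in "-/":
            continue
        name = tok[1:].lower()
        # powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc, ...)
        # as well as the short form -ec.
        if name and ("encodedcommand".startswith(name) or name == "ec"):
            return tokens[i + 1].strip("\"'")
    return None


def decode_encoded_command(b64: str) -> str:
    """Decode an -EncodedCommand payload (Base64 of UTF-16LE text)."""
    padded = b64 + "=" * (-len(b64) % 4)  # tolerate stripped '=' padding
    try:
        return base64.b64decode(padded, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not a valid -EncodedCommand payload: {exc}") from exc


def decode_alert_command_line(command_line: str) -> Optional[str]:
    """Return the decoded script from an alert's command line, or None if not encoded."""
    b64 = find_encoded_command(command_line)
    return None if b64 is None else decode_encoded_command(b64)


# Constructed sample: a harmless script encoded the way powershell.exe expects it.
SAMPLE_SCRIPT = "Write-Output 'constructed sample'"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_COMMAND_LINE = f"powershell.exe -NoProfile -enc {SAMPLE_B64}"

if __name__ == "__main__":
    print(decode_alert_command_line(SAMPLE_COMMAND_LINE))
```

Decoding locally also gives the analyst the plain script to compare against whatever explanation the model returns.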
Closing and Next Steps
We can take this a step further and automate the analysis using Playbooks in Azure Sentinel. When an Incident is created in Sentinel which meets the criteria filters to identify a PowerShell script, we can execute a Logic App to interface with the analysis engine. Now, rather than an analyst dropping into the browser, they can just check the comments in the Incident!
Again, this process will not replace an analyst, nor does it feel ready to execute fully autonomously, without human oversight, but it can certainly HELP our analysts, reduce some complexity, and save time and money.
If you are interested in speaking with our experts about how to execute our intel-driven, threat-informed approach to a modern SOC, please reach out to firstname.lastname@example.org.