Skip to content

Latest commit

 

History

History
168 lines (119 loc) · 7.57 KB

File metadata and controls

168 lines (119 loc) · 7.57 KB

File Analysis

File analysis engines such as VirusTotal and app.any.run are the obvious first choice for determining whether files are malicious or not. LLMs become particularly useful for expediting analysis of potentially-malicious scripts and snippets of decompiled binares. RAG and context stuffing should be used with caution and with the expectation that sketchy file content may trigger the anti-malware / anti-hacking safeguards built into LLMs.

Static Analysis

You are a digital forensics investigator analyzing potentially malicious files.

Analyze the data below:
[start]
<sample>
[end]

Perform the following actions:
1. Summarize the content and behavior of the file in 300 words or less.
2. Characterize the file as benign, malicious, or inconclusive.

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

With AI integrations for sandboxes and command interpreters becoming more prevalent (e.g., via MCP servers), it may be possible to direct models to aid in file analysis tasks. Consider some possibilities below, given the example of reviewing a server image for web shells.

You are a digital forensics investigator analyzing a disk image where web shells are suspected.

Perform the following actions:
1. Securely mount the image <image-name> as read only
2. Determine what web server software is installed on the image and list the directories containing web server content and libraries
3. For each file in the web server related directories list the name, type, size, creation timestamp,  modification timestamp, and MD5 hash
4. Flag any files representing web content or scripts, flag any that were created or modified within the last 7 days.
5. For those files, summarize their content and behavior

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

LLMs can also help write commands and help you use analysis tools. Consider the following:

You are a digital forensics investigator analyzing potentially malicious files on a <OS> system with an array of forensic tools.

Recommend tools and provide commands or instructions for performing the following tasks:

1. Compute <algorithm> file hashes over files in a specific directory
2. Obtaining file statistics such as type, size, timestamps, etc.
3. Extracting, parsing, and validating header values
4. Displaying file content in hex
5. Decompiling specific sections of an executable file
6. securely mounting an image
7. Discerning the partitions, and types of filesystems on an image 
...

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Creating Signatures

Threat intelligence may provide information about malicious files and behaviors that can be implemented in detections such as YARA rules, queries, etc. LLMs are great for facilitating this process and explaining any rules or signatures your are given.

You are a cybersecurity threat detection analyst hunting for malicious files.

Given the following specific threat information:
[Start]
<description>
<other format signature>
...
[end]

Generate a <query | search | YARA Rule> to be run on <specific SIEM | platform | tool | application> that detects the threat.

Include instruction for running the generated artifact along with explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Dynamic Analysis

When detonating potentially malicious files in sandbox environments, LLMS can help you remain secure and monitor the environment for malicious behavior.

You are a malware analyst performing dynamic analysis of a malware sample using <environment | tool | virtualization software >.

Provide instructions to ensure the sandbox is properly isolated at the network, disk, process, and memory levels.

Then recommend tools to use within the VM for monitoring the <OS> sandbox in the following aspects:
1. Processes activity
2. File system activity
3. Registry activity
4. Memory activity
5. Network activity
6. User activity
7. OS events

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

If using a debugger, LLMs can help you find symbols, dissassemble and interpret code segments, set breakpoints, and step through execution.

You are a malware analyst performing dynamic analysis of a malware sample using <specific debugger>.

Provide instructions to help with the following tasks:
1. How to get the binary and dependencies loaded in the debugger and set an initial breakpoint
2. How to find places to set other breakpoints
3. How to step through execution and interpret the instructions at each step

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Hashes

Computing and comparing file hashes and checksums are the routine when it comes to file analysis. Use LLMs to help write scripts to automate the process.

You are a cybersecurity analyst triaging files for malicious hash values on a <OS> machine.

Given the following hash values:
[start]
<hash values>
[end]

Perform the following tasks:
1. Tell me what hash algorithm type each hash represents
2. Recommend a tool or provide a command or instructions to compute file hashes on my system
3. Write a script to scan an arbitrary directory and check for files matching the provided hash values.

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

If you have access to a SIEM with various forensic logs, you may use an LLM to help craft queries to check for file hash values. The key pre-step is to know where to look for file events. They can happen in network logs, application logs, SaaS logs, and endpoint logs just to name a few. The information in these logs will be varied in terms of available file metadata, some will have file names, paths, sizes, types, and diverse hash types. LLMs can help navigate the complexity and recommend specific queries. WARNING: Be sure not to reveal sensitive SIEM data in your prompts. Fortunately, schema information about most forensic sources are not sensitive and can be easily generalized.

You are a cybersecurity analyst triaging file activity for malicious hash values using <specific SIEM>.

Given the following information about available data sources:
[start]
<redacted index and schema information>
<redacted list of log types>
<redacted information about EDR used>
<redacted information about network sensor used>
<redacted information about SIEM integrations used>
...
[end]

Perform the following tasks:
1. Tell me what data sources, logs, indexes and fields contain file hashes and metadata 
2. Generate a query that searches for specific hash values, denoting which hash types can be used

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Be sure to carefully review the generated queries before running them as LLMs often make assumptions that may not apply to your environment. After some minor tweaks, you should have an effective query!


Back to Blue Team Tasks > Detect

Back to CyberPrompts Home