Skip to content

Latest commit

 

History

History
287 lines (209 loc) · 18.1 KB

File metadata and controls

287 lines (209 loc) · 18.1 KB

Platform Monitoring

Detect malicious activity on endpoints, hosts, SaaS solutions, and cloud services by using the various OS events, hardware configurations, activity logs, and telemetry source at your disposal with the assistance of LLMs.

File Integrity Monitoring

Detect changes to sensitive files using cryptographic hashes and file system activity monitoring. Commercial solutions exist, but DIY solutions using OS features and open-source endpoint monitoring software is possible as well. (Alternatively, consider read-only write protection and strict folder permissions as preventative measures that reduce the need for monitoring.) LLMs can help shape file integrity monitoring policies and solutions to meet your needs.

You are a cybersecurity engineer seeking to establish file integrity monitoring of sensitive files.

The files you wish to protect reside on <specific OS | network | platform | cloud service | filesystem info | ... >.

You have the following relevant tools and capabilities in your environment:
[start]
<EDR>
<endpoint monitoring agent>
<DLP>
<SIEM with specific datasources, indices>
...
[end]

Outline a strategy, solutions for detecting changes to the sensitive files in my environment. Specifically detect unauthorized <file creation | modification | deletion | access>.

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Firmware Integrity Monitoring

Use LLMs to help navigate how to discern your device's firmware details and detect any unauthorized modifications to your firmware's integrity. The capabilities for firmware integrity checking vary from platform to platform. The firmware introspection capabilities of network edge devices, IoT, OT sensors, and other embedded systems, for example, are often different in nature to that of the firmware integrity monitoring capabilities of mobile devices, commodity server and workstation devices, and cloud instances (which may not even offer such capabilities). In the most basic case, firmware images are hashed and checked against known-good values. In more advanced cases, devices check the memory regions and content of firmware-related processes and handlers in memory. With the prompt below, you can take advantage of the firmware integrity capabilities of your devices.

You are a cybersecurity engineer seeking to verify the integrity of the firmware of <specific device, model | system | platform >.

Perform the following tasks:
1. Identify applicable firmware integrity verification features.
2. Provide step-by-step instructions for obtaining firmware information.
3. Provide step-by-step instructions for detecting firmware modifications.

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Configuration and Operating Mode Monitoring

Various platforms can be in various modes of operation at any given time - with some modes more secure than others.

  • OT devices have modes such as program, run, stop, and remote.
  • Mobile devices can be carrier-joined or 'jailbroken.'
  • Endpoints can be domain-joined, hybrid, or standalone.
  • Cloud resources can reside in different regions and be active or dormant
  • VMs can be stopped, off, on, paused, etc.
  • Backup solutions and EDR agents can be on, off, or otherwise impaired.
  • Network Edge devices can be in configuration mode or run mode

Discerning these various modes and changes to modes and configurations can be useful from a threat detection perspective as adversaries will surreptitiously change victim platform modes to achieve their objectives. Use LLMs to help navigate the variation and complexity.

You are a cybersecurity engineer seeking to detect configuration and operating mode changes on a <specific device, model | system | platform >.

Perform the following tasks:
1. Identify possible operating modes
2. Provide step-by-step instructions for obtaining configuration and operating mode information
3. Provide step-by-step instructions for detecting configuration and operating mode changes

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Endpoint Health Beacon

With many endpoint devices covered by EDR solutions or managed as part of a fleet under endpoint management solutions such as Intune and Jamf Pro, there is opportunity for defenders to monitor the presence, configuration, and security posture of user devices as part of routine security checks. The sudden failure of endpoints to check-in, along with unauthorized configuration changes (e.g., hostname, version numbers, installed software, addreses, etc.), can indicate malicious activity. Use LLMs to help craft queries, analytics, visualizations, and detection rules to alert defenders to such cases.

You are a cybersecurity network and endpoints administrator.
You are interested in monitoring the health and configuration of network and host devices from a security perspective.

You have the following tools and data at your disposal:
[start]
<SIEM with logs, indices, datasources>
<endpoint management solution>
<configuration management solutions>
...
[end]

Perform the following tasks:
1. Outline a method to track endpoint check-ins, creating awareness if devices fail to report in
2. Outline a method to detect configuration changes 

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Peripheral Device Monitoring

Defenders should check endpoints for unauthorized hardware insertions such as USB devices, serial devices, network cards, etc. These input/output devices can pose backdoors, unauthorized egress points and network bridges, and exfil pathways.

You are a cybersecurity network and endpoints administrator.
You are interested in monitoring endpoints for unauthorized hardware additions.

You have the following tools and data at your disposal:
[start]
<SIEM with logs, indices, datasources>
<endpoint management solution>
<specific endpoint devices, vendor, model and version>
...
[end]

Perform the following tasks:
1. Identify solutions for listing an endpoint's hardware devices.
2. Outline a solution for detecting new hardware additions.

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Memory Analysis

Inspecting the memory regions of endpoint devices for malicious artifacts and behaviors is non-trivial. Depending on the type of device you're investigating, the tools and approaches vary widely. Nonetheless, memory analysis is fruitful for forensic analysts for finding malware and studying exploits. LLMs can help navigate the complexity of the solution space, whether you are using the telemetry and capability of an EDR system, using an interactive debugger, or using the built-in capabilities of a network edge device.

You are a cybersecurity endpoint forensics analyst.
You are analyzing the memory of a <specific device make, model, version>.
The device is running <OS information>.
The device is suspected of <specific malware infection, victim software exploitation, other malicious activity>.

You have the following tools and data at your disposal:
[start]
<SIEM with logs, indices, datasources>
<specific EDR solution>
<specific debugger>
...
[end]

Perform the following tasks:
1. Identify solutions for analyzing the devices memory, including available tools, commands,  telemetry, etc.
2. Provide step-by-step instructions for listing memory regions
3. Provide step-by-step instructions for viewing content of a specific memory region

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Tip: Be sure to the use LLM offered by your EDR vendor, if applicable, as it may be acquainted with relevant memory analysis signals and telemetry and features which can be configured when necessary.

Warning: Be careful about including sensitive information in prompts. For example, it is unadvisable to take the memory register contents or call stack from a debugger and paste it verbatim into a prompt, expecting the model to be able to interpret the content for you. The risk for hallucination will be high, not to mention credentials and secrets may be leaked.

Scheduled Jobs Analysis

Attackers maintain persistence and gain execution within victim environments by abusing scheduled tasks and jobs. The implementation varies across operating systems but the approach remains the same. The difficulty for defenders in detecting abuse of scheduled jobs is discerning the malicious jobs among the legitimate ones. LLMs can help defenders better use their EDRs and similar solutions from a threat hunting perspective, and perform manual review when necessary from an incident response forensics perspective.

You are a cybersecurity threat hunter and endpoint forensics analyst.
You are investigating the abuse of scheduled jobs across systems running <specific OS + version info>.

You have the following tools and data at your disposal:
[start]
<SIEM with logs, indices, datasources>
<specific EDR solution>
<ability to run commands on subject device>
[end]

Perform the following tasks:
1. Identify all types of scheduled jobs possible on the identified system.
2. Identify relevant <EDR solutions/telemetry, filesystem artifacts, logs, registry keys, process events, OS events> for detecting scheduled job activity including creation, deletion, modification, etc.
3. Provide step-by-step instructions for enabling scheduled job event logging.
4. Create a query, search, or command to query scheduled job events.

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Tips

  • Be sure to the use LLM offered by your EDR vendor, if applicable, as it may be acquainted with relevant scheduled job signals and telemetry and features which can be configured when necessary.
  • Use an iterative approach. There are many approaches and solutions for scheduled job analysis. If the model gives you several options, follow-up with specific prompts for solutions your prefer executing in order to get finer grained inferences.

Warning: Be careful about including sensitive information in prompts. For example, it is unadvisable to paste the contents of a scheduled task definition verbatim into a prompt as secret such as creds and system info may be leaked in command line arguments.

System Daemon Monitoring

Privileged system services (aka daemons) running on an Operating system can be abused by attackers for execution, persistence, and impact. System-level processes can be stopped, launched, re-configured and restarted etc. Thus it is wise for defenders to be able to detect when system services are manipulated. LLMs can provide specific guidance when prompted with relevant information about the tools and systems that defenders are working with.

You are a cybersecurity threat hunter and endpoint forensics analyst.
You are investigating malicious activity involving system services and daemons.
You are specifically investigating systems running <specific OS + version info>.

You have the following tools and data at your disposal:
[start]
<SIEM with logs, indices, datasources>
<specific EDR solution>
<ability to run commands on subject device>
[end]

Perform the following tasks:
1. Identify relevant <EDR solutions/telemetry, configuration files, logs, registry keys, process events, OS events> for detecting system daemon activity including start, stop, restart, configuration modification, etc.
2. Create a <query, search, command> to <list, detect> system daemon events

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Tips

  • Be sure to the use LLM offered by your EDR vendor, if applicable, as it may be acquainted with relevant System daemon signals and telemetry and features which can be configured when necessary.
  • Use an iterative approach. There are many approaches and solutions for system daemon analysis. If the model gives you several options, follow-up with specific prompts for solutions your prefer executing in order to get finer grained inferences.
  • Adjust the prompts according to your needs. The needs of incident responders from a forensic perspective using EDR or interactive command line tools, often differ from the needs of SOC analysts from a threat hunting perspective using SIEMs and logs.

Warning: Be careful about including sensitive information in prompts. For example, it is unadvisable to paste the contents of a system daemon config files into prompts as secrets such as creds and system info may be leaked in execution parameters.

Operating System Files Analysis

Attackers often modify OS-level files and registry settings to enable and sustain their malicious activities. For example, attackers may install new or replace existing binaries or modify configuration files within specific OS directories to gain execution within the context of legitimate OS-level processes. Alternatively, critical OS artifacts may be deleted or wiped to impair systems. Defenders can use LLMs to identify OS-specific files and directories worth monitoring. Also use File Analysis prompts in the context of OS files and directories.

You are a cybersecurity threat hunter and endpoint forensics analyst.
You are investigating malicious activity involving critical OS system files and directories.
You are specifically investigating systems running <specific OS + version info>.

You have the following tools and data at your disposal:
[start]
<SIEM with logs, indices, datasources>
<specific EDR solution>
<ability to run commands on subject device>
[end]

Perform the following tasks:
1. Identify commonly abused  OS files, directories, and registry keys for the systems under investigation
2. Identify and features, settings, or log events that need to be enable to detect OS file tampering.
3. Create a <query, search, command> to detect <creation, deletion, modification> of <specific files, keys, values, contents, directory paths>.

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Tips

  • Be sure to the use LLM offered by your EDR vendor, if applicable, as it may be acquainted with relevant OS tampering signals and telemetry and features which can be configured when necessary.
  • Use an iterative approach. There are many approaches and places to look for OS file tampering. If the model gives you several options, follow-up with specific prompts for things you are interested in to get finer-grained inferences.
  • Adjust the prompts according to your needs. The needs of incident responders from a forensic perspective using EDR or interactive command line tools, often differ from the needs of SOC analysts from a threat hunting perspective using SIEMs and logs.

Warning: Be careful about including sensitive information in prompts. For example, it is unadvisable to paste the contents of a OS files and registry keys into prompts as secrets may be leaked.

As there are plenty of legitimate circumstances for OS files to be manipulated (e.g., updates, legit administrator activity, etc.), the challenge for defenders is discerning the malicious events from the legitimate ones. LLMs can also help characterize the legitimacy of your observations.

Is it normal of <specific OS file, artifact> to be <created, deleted, modified, etc.> by <specific user, process, other contextual information>? 
What is the purpose of <specific OS artifact> and how is it used?

Initialization Configuration Analysis

Autoruns, Startup tasks, user command shell profiles, and other system initialization processes are abused by attackers to gain persistence. The implementations vary across operating systems and LLMs can lead you to specifics for your relevant systems.

You are a cybersecurity threat hunter and endpoint forensics analyst.
You are investigating malicious autoruns, startup tasks, command shell profiles, and other system initialization configurations across systems running <specific OS + version info>.

You have the following tools and data at your disposal:
[start]
<SIEM with logs, indices, datasources>
<specific EDR solution>
<ability to run commands on subject device>
[end]

Perform the following tasks:
1. Identify all types of initialization persistence mechanisms on the identified system.
2. Identify relevant <EDR solutions/telemetry, filesystem artifacts, logs, registry keys, process events, OS events> for discerning initialization activity including creation, deletion, modification, etc.
3. Provide step-by-step instructions for listing configured system initialization jobs.

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Tips

  • Be sure to the use LLM offered by your EDR vendor, if applicable, as it may be acquainted with relevant autoruns and startup task signals and telemetry and features which can be configured when necessary.
  • Use an iterative approach. There are many approaches and solutions for system initialization task analysis. If the model gives you several options, follow-up with specific prompts for solutions your prefer executing in order to get finer grained inferences.
  • Adjust the prompts according to your needs. The needs of incident responders from a forensic perspective using EDR or interactive command line tools, often differ from the needs of SOC analysts from a threat hunting perspective using SIEMs and logs.

Warning: Be careful about including confidential startup information in your prompts as it may reveal operational sensitivities about your environment.


Back to Blue Team Tasks > Detect

Back to CyberPrompts Home