Skip to content

Latest commit

 

History

History
247 lines (183 loc) · 14.1 KB

File metadata and controls

247 lines (183 loc) · 14.1 KB

Process Monitoring

Detect malicious activity on endpoints and cloud services by analyzing running applications and transactions for suspicious behaviors. EDR, debuggers, and forensic capabilities may be utilized with the assistance of LLMs.

API and Database Query Analysis

Applications often rely on underlying databases or external API calls to function. Inspecting transaction logs, network captures, system logs, and debug logs can help detect tactics such as SQL injection and API abuse. As each application has different architecture and logging capabilities, LLMs can be useful for providing guidance for the specific environmental needs of network defenders.

You are a cybersecurity threat hunter and forensic analyst.
You are investigating <database queries, transactions, API calls, etc.> related to <specific application | SaaS>.

The following configuration and architecture is used:
[start]
<sanitized details regarding front end, back end, etc.>
[end]

You have access to the following tools and data:
[start]
<specific SIEM with logs, data sources>
<specific EDR solutions>
<specific debugger>
<SaaS specific telemetry>
...
[end]

Perform the following tasks:
1. Outline a strategy to detect <SQL injection, API abuse, database exploitation, etc.>
2. Highlight relevant EDR signals or OS or application logs.
3. Generate a query to detect malicious <API calls, database queries>.

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Tips

  • Be sure to the use LLMs offered by your EDR or application vendor, if applicable, as they may be fine-tuned to help with monitoring specific applications for database exploitation behavior.
  • The more details you can provide about the application's architecture the better.
  • Adjust the prompts according to your needs. The needs of incident responders from a forensic perspective using EDR or interactive tools, often differ from the needs of SOC analysts from a threat hunting perspective using SIEMs and application logs.

Warning: Do not include sensitive log content in your prompts as there is the potential to leak confidential information.

File Access patterns

Monitor for abnormal file access activity made by processes and applications, as they can indicate malicious activity. Web server processes accessing password files and network file shares, for example, are symptoms of web shells. A single process writing hundreds of files within a short window of time may be an unauthorized wiper or a legitimate installer. Enabling filesystem tracing via OS filter drivers is often necessary for inspecting file access events (create, open, read, write, delete) for arbitrary processes. LLMs can help with analyzing file access patterns.

You are a cybersecurity threat hunter and forensic analyst.
You are investigating malicious file events activity related to <specific application on specific OS| SaaS>.

The following configuration and architecture is used:
[start]
<sanitized details regarding application config, functionality,  install path, etc.>
[end]

You have access to the following tools and data:
[start]
<specific SIEM with specific logs, data sources>
<specific EDR solution>
<specific debugger>
<SaaS specific telemetry>
<specific filter driver (e.g., Sysmon)>
...
[end]

Perform the following tasks:
1. Identify existing log sources and tools, strategies for logging file access events for the target process
2. Generate a query to detect malicious <creation, open, read, write, delete> file events for the target process using my security stack
3. Generate a query to detect a large number of file events for the target process within a short window of time using my security stack
4. Generate a query to detect a large number of different file access events for the target process using my security stack

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Tips

  • Be sure to the use LLMs offered by your EDR or application vendor, if applicable, as they may be fine-tuned to help with monitoring specific applications for file access behavior.
  • The more details you can provide about the application's architecture the better.
  • Adjust the prompts according to your needs. The needs of incident responders from a forensic perspective using EDR or interactive tools, often differ from the needs of SOC analysts from a threat hunting perspective using SIEMs and application logs.

Warning: Do not include sensitive log content in your prompts as there is the potential to leak confidential information.

Call Chain Analysis

At times it is necessary to use EDR signals or attach a debugger to a suspicious process and step-through execution to discern malicious stack call chain activity. The process and analysis involved is non-trivial and will vary depending on the EDR, debugger, disassembler, and target processes involved. Nevertheless, process call chain analysis can detect exploits, process injection, and defense evasion techniques. Consider LLM prompts to help you along the way.

You are a cybersecurity threat hunter and forensic analyst.
You are investigating stack call chains related to <specific application on specific OS>.


You have access to the following tools and data:
[start]
<specific SIEM with specific logs, data sources>
<specific EDR solution>
<specific debugger>
...
[end]

Perform the following tasks:
1. Identify existing log sources or EDR telemetry that can detect malicious stack call chain activity (stack tampering, buffer overflow, ROP chain, NOP sled, kernel-memory access, etc.)
2. Provide step-by-step instruction for attaching the debugger to the target process and stepping through execution.
3. Generate a query to detect suspicious stack call chains using my security stack

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Tips

  • Be sure to the use LLMs or AI integrations offered by your EDR, debugger, or application vendor, if applicable, as they may be fine-tuned to help with monitoring specific applications for malicious activity.

Warning: Do not include sensitive log content such as debugger memory contents in your prompts as there is the potential to leak confidential information.

Code Segment Verification

Attackers may exploit a legitimate process by allocating new or overwriting existing memory regions and injecting their code. Code Segment verification deals with enumerating executable process memory regions and comparing it to known-good behavior in terms of segments (number and location) and contents. The process is labor intensive and highly-tailored to the subject process and OS, system configuration. As a result, this sort of analysis is limited to expert forensic analysts. Some EDRs and Operating systems may perform some form of code segment verification as well, in limited and varied capacities.

You are a cybersecurity endpoint forensics analyst.
You are investigating the executable memory segments of <specific process> running on <specific OS, version> on a system with the following properties:
[start]
<system processor and memory specs>
<OS settings (e.g., ASLR)>
...
[end]

You have access to the following tools and data:
[start]
<specific EDR solution>
<specific debugger>
...
[end]

Perform the following tasks:
1. Identify relevant OS or EDR telemetry or features that can detect code segment manipulation.
2. Outline a relevant debugger strategy for listing and inspecting the executable memory regions of the target process.
3. Provide step-by-step instruction for computing hashes over specific memory regions and extracting content to a file.
4. Provide step-by-step instructions for listing and taking hashes over the segments of the original process' binary image file on disk.

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Tips

  • Be sure to the use LLMs or AI integrations offered by your EDR, debugger, or application vendor, if applicable, as they may be fine-tuned to help with process memory analysis.

Warning: Do not include sensitive log content such as debugger memory contents in your prompts as there is the potential to leak confidential information.

Native API Call Analysis

It is useful to track the Native API system calls that processes make to underlying OS and kernel libraries, specifically paying attention to system calls and kernel functions abused for malicious techniques. Example functions include launching/suspending threads, allocating memory, attaching to processes, opening files, opening sockets, loading libraries, etc. This sort of analysis can detect behaviors such self-modifying processes and ones that do process injection. Fortunately EDRs and debuggers can be used to track sensitive native API calls. Consider the prompt below, which can help.

You are a cybersecurity endpoint forensics analyst.
You are investigating the  native API calls made by <specific process> running on <specific OS version>.

You have access to the following tools and data:
[start]
<specific EDR solution>
<specific debugger>
...
[end]

Perform the following tasks:
1. Identify relevant OS or EDR telemetry and features that can be used to gain visibility into native API calls commonly used for exploitation. 
2. Outline a relevant debugger strategy for identifying and hooking native API calls made by target process.

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Tips

  • Be sure to the use LLMs or AI integrations offered by your EDR, debugger, or application vendor, if applicable, as they may be fine-tuned to help with process API call analysis.
  • If you used a disassembler to reverse engineer process binary files, you can also use LLMs to help an analyze import tables and identify native API calls that may be obfuscated via dynamic loading or computed function addresses

Warning: Do not include sensitive content such as debugger memory contents in your prompts as there is the potential to leak confidential information.

Process Spawn Analysis

Analyze process command line arguments and other useful context or running processes such as process parentage, file system image, current working directory, permission level, associated user, etc. Attackers frequently launch processes such as command shells from abnormal parent processes with high levels of privilege. Even legitimate binaries may sometimes be abused and discerned as malicious when execution context is considered.

You are a cybersecurity threat hunter and endpoint forensics analyst.
You are investigating the process spawn activity on hosts running <specific OSes>.

You have access to the following tools and data:
[start]
<specific SIEM with specific logs, data sources>
<specific EDR solution>
<process analysis tools such as Process Explorer>
[end]

Perform the following tasks:
1. Identify relevant OS or EDR telemetry, events, logs, and features that can be used to gain visibility into process spawn events.
2. Provide step-by-step instructions for enabling process spawn logging.
3. Create a relevant query to retrieve process spawn events for <specific process name>, displaying details including username, permission level, parent process, image path, and command line args.
4. Explain the command line arguments: <sanitized process command line>
5. Answer if the image path <path>, permission level <permission, ... typical for <process name> execution?

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Tips

  • Be sure to the use LLMs or AI integrations offered by your EDR solution and SIEM, if applicable, as they may be fine-tuned to help with process spawn analysis.
  • Work iteratively with your prompts, as there are many types of process spawn event types. The more specific you are, the better the inferences.

Warning: Do not include sensitive content such as raw process command lines args in your prompts as there is the potential to leak confidential information.

Script Execution Analysis

Use LLMs to detect and discern the functionality of malicious scripts. Prompts should provide context such as OS information and related process information such as command line args, if available.

You are a cybersecurity threat hunter and endpoint forensics analyst.
You are investigating unauthorize script execution on hosts running <specific OSes>.

You have access to the following tools and data:
[start]
<specific SIEM with specific logs, data sources>
<specific EDR solution>
<specific OS events pertaining to script execution>
[end]

Perform the following tasks:
1. Identify relevant OS or EDR telemetry, events, logs, and features that can be used to gain visibility into script execution.
2. Provide step-by-step instructions for enabling script execution logging and command line logging.
3. Create a relevant query to retrieve script execution events (<with specific keywords>), displaying details including script text contents 
4. Explain the functionality of the following script in 200 words or less: <script block>
5. Classify the script as malicious, benign, or unknown. 

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Tips

  • Be sure to the use LLMs or AI integrations offered by your EDR solution and SIEM, if applicable, as they may be fine-tuned to help with script analysis.
  • Work iteratively with your prompts. The more specific you are with the desired script analysis task, the better the inferences.

Warning: Scan script blocks for sensitive information before including them in prompts or RAG, as there is the potential to leak confidential information.


Back to Blue Team Tasks > Detect

Back to CyberPrompts Home