Accelerating IR with Generative AI
Last updated
AI offers a great chance for analysts to speed up incident response and lower key metrics like Mean Time to Resolution (MTTR). Even if your organization restricts AI, it's important for analysts to stay aware of both the positive and negative uses of AI technology.
This module covers four examples where ChatGPT helped speed up incident response and shows how AI tools can make the process faster.
IOC: Sysadmin identifies unauthorized local user brok3n on Windows system. Calls IR team.
Analysis: Live system analysis reveals several files in %LOCALAPPDATA%\Temp.
Analysis: One zipped file includes C# source code excerpts.
An incident response team was called to investigate a Windows 10 compromise after a system admin found an unauthorized user named "brok3n." During the investigation, they discovered files in the %LOCALAPPDATA%\Temp folder, including a zip file with C# program source code.
Reviewing an attacker's source code can help identify other compromised systems. However, not all incident responders know every programming language attackers use. This is where AI, like ChatGPT, can help by summarizing the code for us.
We gave ChatGPT some source code from the compromised system and asked it to explain what the C# code does when run on Windows, and to determine if it's malicious or harmless.
For this query, ChatGPT returned a correct assessment of the C# source code, explaining in plain language what the C# source code does. This is a very powerful tool for analysts, allowing us to take source code in nearly any programming language and generate an explanation of what the source code does.
IOC: Helpdesk escalates alert that WordPress server keeps crashing after server restart.
IOC: Sysadmin notes 100% CPU from Linux httpd process (Apache) across all server cores.
IOC: Log analysis reveals frequent requests for /wp-includes/FkhDUPZ.php.
The incident response team was called after several signs of a problem. The first sign was users reporting that a WordPress server was down. Restarting the server fixed it temporarily, but users continued to call back with the same issue.
The Linux WordPress server's CPU is maxed out, mostly by the Apache httpd process. The system admin checked the web server logs and found many requests for a suspicious page, /wp-includes/FkhDUPZ.php, which shouldn't be there. The incident response team then gathered logs and files and found that FkhDUPZ.php contained heavily obfuscated code.
ChatGPT can both explain and deobfuscate code. In this case, we asked it to act as an incident response analyst and to decode obfuscated PHP code, using clear markers and extra context (PHP, Linux web server) to guide its analysis.
In the next paragraph, we ask ChatGPT to simplify the code and give a brief 3-sentence summary of what it does. We also want a detailed breakdown and a rewritten version of the code that’s easier to understand.
IOC: Windows 10 zero-day led to credential dumping and lateral movement
Analysis: AppLocker logs indicate safe listing bypass by renaming Mimikatz to osk.exe.
Scoping: Need to identify all hosts in domain that have run osk.exe.
The incident response team was called to handle a compromised Windows 10 system. They discovered a zero-day exploit that led to credential dumping and lateral movement across the network. AppLocker logs showed that the attackers bypassed the AppLocker allow list by renaming the Mimikatz tool to osk.exe so it would pass as a permitted binary.
The incident response team should apply the new IoC (execution of osk.exe) across all Windows 10 systems to find other compromised hosts. A PowerShell script is ideal for this task, since it can use PowerShell remoting to query the AppLocker event log on each host for executed programs.
We can ask ChatGPT to write code for this task using simple language:
Write a PowerShell script to read from a text file containing host names or IP addresses, one per line. For each host, use PowerShell remoting to interrogate the Windows Event Log for AppLocker, looking for any log messages that include the string osk. Make the script output a list of hosts where the search string is present in the AppLocker event log.
Path to hosts.txt: Update C:\path\to\hosts.txt to the actual path where your text file with hostnames/IP addresses is located.
Output File Path: Update C:\path\to\output.txt to the desired path for your output file.
Permissions: Ensure you have the necessary permissions to use PowerShell remoting and query the Windows Event Log on the remote hosts.
PowerShell Remoting: Make sure PowerShell remoting is enabled on the remote hosts. You may need to adjust the execution policy and configure TrustedHosts if dealing with a non-domain environment.
This script will check each host for the presence of the string osk in AppLocker logs and output the hosts that contain this string to a specified file and also to the console.
The PowerShell script isn't very complex and could be improved for performance, but it works as needed. ChatGPT provided a script that met the incident response team's requirements, helping them effectively scope their Windows systems.
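The script ChatGPT produced is not reproduced in the module, so the following is an added example written for this page, not the generated script and not the module's own code. It implements the prompt above: read a host list, query each host's AppLocker log over PowerShell remoting, and list the hosts where the search string appears. It assumes the placeholder paths from the notes above, that AppLocker is in enforce or audit mode (otherwise the "Microsoft-Windows-AppLocker/EXE and DLL" log stays empty), and that the caller holds rights to read event logs remotely. It matches on the tighter string osk.exe rather than the bare "osk" used in the prompt, to avoid hits on unrelated paths.

```powershell
# Added example: scope Windows hosts for AppLocker events that reference osk.exe.
# Paths are the placeholder values quoted in the module's notes; replace them.
param(
    [string]$HostListPath = 'C:\path\to\hosts.txt',
    [string]$OutputPath   = 'C:\path\to\output.txt',
    [string]$SearchString = 'osk.exe'
)

# One host name or IP per line; skip blank lines.
$targets = Get-Content -Path $HostListPath | Where-Object { $_.Trim() -ne '' }

# This block runs on each remote host. AppLocker writes EXE/DLL decisions
# (8002 allowed, 8003 audit-only, 8004 blocked) to this log; the message
# carries the full path of the file that was executed.
$probe = {
    param([string]$Pattern)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL' } `
                           -ErrorAction SilentlyContinue
    $hits = @($events | Where-Object { $_.Message -match [regex]::Escape($Pattern) })
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        HitCount     = $hits.Count
        FirstSeen    = ($hits | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
        # Distinct paths let the analyst separate the real On-Screen Keyboard
        # (C:\Windows\System32\osk.exe) from a renamed binary dropped elsewhere.
        Paths        = ($hits | ForEach-Object { ($_.Message -split "`n")[0].Trim() } | Sort-Object -Unique) -join '; '
    }
}

# Invoke-Command fans out to all hosts in parallel; unreachable hosts are
# collected in $remoteErrors instead of aborting the sweep.
$results = Invoke-Command -ComputerName $targets -ScriptBlock $probe -ArgumentList $SearchString `
                          -ErrorAction SilentlyContinue -ErrorVariable remoteErrors

$matched = @($results | Where-Object { $_.HitCount -gt 0 })

# Console report for the analyst, plus the plain host list the prompt asked for.
$matched | Select-Object ComputerName, HitCount, FirstSeen, Paths | Format-Table -AutoSize
$matched | ForEach-Object { $_.ComputerName } | Set-Content -Path $OutputPath

foreach ($err in $remoteErrors) {
    Write-Warning "Query failed: $($err.Exception.Message)"
}
Write-Host ("{0} of {1} hosts matched '{2}'; hosts that could not be reached: {3}" -f `
    $matched.Count, @($targets).Count, $SearchString, @($remoteErrors).Count)
```

Two points matter when reading the output. First, osk.exe is also the legitimate Windows On-Screen Keyboard, so a hit is a lead, not a verdict: the Paths column shows where the executed file lived, and a copy outside System32 is what deserves follow-up. Second, hosts that fail to answer are reported separately rather than silently dropped, because an unreachable host is an unscoped host and the sweep is not complete until it is accounted for.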