When attackers breach a network, they don’t just grab the first data they find and shut down their attack, content with having broken through defenses and made an illicit gain. Instead, they get busy, even if they pause now and then to avoid detection. They usually move “laterally,” exploring the network to discover what systems and services you have in place, and search for more vulnerabilities and assets to steal or compromise.

As part of this lateral movement, they run processes on Windows endpoints. Many of these processes use PowerShell, a Windows command-line-executor and scripting language designed to automate routine tasks for administrators. Since Microsoft released PowerShell 6.0 as an open source project in 2016, malicious use of PowerShell has skyrocketed. PowerShell malware grew 432 percent between 2016 and 2017, according to McAfee Labs. Today if a network is under attack, PowerShell activities may be a primary line of attack.

Fortunately, organizations have a line of defense, even if initially it seems precariously narrow. When attackers use PowerShell or other types of Windows processes, the processes they create are logged in in Windows process creation logs. In a typical enterprise, millions of these log entries are likely being generated and collected daily. The high volume of these entries makes it difficult to identify the log entries tied to suspicious or outright malicious events.

Windows processes turn out to be another critical challenge for security analysts and Security Operations Centers (SOCs). Attackers are on the move, creating or deleting files, changing file permissions, downloading malware, creating accounts and performing other nefarious activities. These activities are being logged. But culling through these enormous log files for indications of attacks can be time-consuming, and time is something that SOC teams never have enough of.

Fortunately, security automation leveraging machine learning can help.

Introducing the LogicHub Windows Process Creation Events Playbook

LogicHub has refined and automated hundreds of threat hunting detection patterns and techniques and mapped them to the MITRE ATT&CK framework, a public knowledge base of adversary tactics and techniques that MITRE has compiled based on real-world observations. Using MITRE’s detailed descriptions of recent attacks using Windows processes and PowerShell malware, LogicHub has created an executable playbook for detecting and stopping security attacks. The playbook runs on the LogicHub SOAR+ platform, the only security automation platform that surpasses traditional Security Orchestration and Automated Response (SOAR) capabilities by automating threat hunting, alert triage, and incident response.

Major capabilities in this pre-built playbook include:

  • Process Chain MonitoringThe playbook racks process execution logs to identify “process chains” to track the sequence of process executions, then uses a machine learning algorithm to compare against known good and known bad behavior (including “Living Off the Land Binaries” [aka “LOLBins”]: built-in Windows commands that are often used by attackers and malicious code) to predict whether a particular chain is likely to be malicious.
  • Automated PowerShell Command TriageDe-obfuscates and analyzes PowerShell commands, factoring in hundreds of patterns and a machine learning classifier trained on your organizations data.

The LogicHub Windows Process Creation Events playbook identifies suspicious and malicious events with the accuracy of an experienced threat hunting team, but with the speed and convenience of AI-powered automated analysis. The playbook shortcuts the need for months of detection content development and tuning by automatically sorting through the noise of benign events to pick out the clear signals of incipient or active attacks. SOCs can have the playbook up and running after just a few hours, immediately improving their ability to detect threats and defend against attacks.

The Windows Process Creation Events Playbook is just one of many playbooks available on the LogicHub Security Automation platform. LogicHub customers can also build custom playbooks to meet their own security requirements.

The LogicHub platform is the only security automation platform that delivers autonomous detection and response for security analysts. By applying machine learning and analytics on vast sets of event data, LogicHub automates security analyst workflows and decisions, helping teams save time, find critical threats, and eliminate false positives. LogicHub also provides a full explanation of the scoring logic to help security analysts review and validate results.

To learn more about the LogicHub Windows Process Creation Events Playbook, read our use case or contact a LogicHub sales representative.

Blog

Related Posts

September 13, 2022 Kumar Saurabh

Why No Code Solutions Are a Double-Edged Sword

Most out-of-the-box security automation is based on a simple logic — essentially, if “this”...

Learn More

August 16, 2022 Willy Leichter

Understanding MDR, XDR, EDR and TDR

A program with proper threat detection and response (TDR) has two key pillars: understanding the...

Learn More

August 9, 2022 Willy Leichter

Intuition vs. Automation: What Man and Machine Bring to Data Security

Cybersecurity experts Colin Henderson and Ray Espinoza share their take on the automation-driven...

Learn More

August 2, 2022 Anthony Morris

Using AI/ML to Create Better Security Detections

The blue-team challenge Ask any person who has interacted with a security operations center (SOC)...

Learn More

July 26, 2022 Willy Leichter

How to Select the Right MDR Service

It can be difficult to understand the differences between the various managed detection and...

Learn More

July 21, 2022 Willy Leichter

The Evolving Role of the SOC Analyst

As the cyber threat landscape evolves, so does the role of the security operations center (SOC)...

Learn More

July 19, 2022 Kumar Saurabh

Life, Liberty, and the Pursuit of Security

As cyber threats evolve, organizations of all sizes need to ramp up their security efforts....

Learn More

July 15, 2022 Tessa Mishoe

LogicHub Security RoundUp: July 2022

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be...

Learn More

July 12, 2022 Willy Leichter

Security Tools Need to Get with the API Program

No cloud API is an island The evolution of cloud services has coincided with the development of...

Learn More

July 6, 2022 Willy Leichter

Why the Rush to MDR?

LogicHub recently published a survey conducted by Osterman Research, looking at changing trends and...

Learn More