When attackers breach a network, they don’t just grab the first data they find and shut down their attack, content with having broken through defenses and made an illicit gain. Instead, they get busy, even if they pause now and then to avoid detection. They usually move “laterally,” exploring the network to discover what systems and services you have in place, and search for more vulnerabilities and assets to steal or compromise.

As part of this lateral movement, they run processes on Windows endpoints. Many of these processes use PowerShell, a Windows command-line-executor and scripting language designed to automate routine tasks for administrators. Since Microsoft released PowerShell 6.0 as an open source project in 2016, malicious use of PowerShell has skyrocketed. PowerShell malware grew 432 percent between 2016 and 2017, according to McAfee Labs. Today if a network is under attack, PowerShell activities may be a primary line of attack.

Fortunately, organizations have a line of defense, even if initially it seems precariously narrow. When attackers use PowerShell or other types of Windows processes, the processes they create are recorded in Windows process creation logs. In a typical enterprise, millions of these log entries are likely being generated and collected daily. The high volume of these entries makes it difficult to identify the log entries tied to suspicious or outright malicious events.

Windows processes turn out to be another critical challenge for security analysts and Security Operations Centers (SOCs). Attackers are on the move, creating or deleting files, changing file permissions, downloading malware, creating accounts and performing other nefarious activities. These activities are being logged. But culling through these enormous log files for indications of attacks can be time-consuming, and time is something that SOC teams never have enough of.

Fortunately, security automation leveraging machine learning can help.

Introducing the LogicHub Windows Process Creation Events Playbook

LogicHub has refined and automated hundreds of threat hunting detection patterns and techniques and mapped them to the MITRE ATT&CK framework, a public knowledge base of adversary tactics and techniques that MITRE has compiled based on real-world observations. Using MITRE’s detailed descriptions of recent attacks using Windows processes and PowerShell malware, LogicHub has created an executable playbook for detecting and stopping security attacks. The playbook runs on the LogicHub SOAR+ platform, the only security automation platform that surpasses traditional Security Orchestration and Automated Response (SOAR) capabilities by automating threat hunting, alert triage, and incident response.

Major capabilities in this pre-built playbook include:

  • Process Chain Monitoring: The playbook tracks process execution logs to identify “process chains” (the sequence of process executions), then uses a machine learning algorithm to compare them against known good and known bad behavior (including “Living Off the Land Binaries” [aka “LOLBins”]: built-in Windows commands that are often used by attackers and malicious code) to predict whether a particular chain is likely to be malicious.
  • Automated PowerShell Command Triage: De-obfuscates and analyzes PowerShell commands, factoring in hundreds of patterns and a machine learning classifier trained on your organization’s data.
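
The two capabilities above, shown as an added rule-based example (not LogicHub's playbook code, with fixed rules standing in for its machine learning classifier): it rebuilds process chains from parent/child process IDs and decodes PowerShell `-EncodedCommand` arguments for triage. The event records, rule sets and function names are constructed for illustration.

```python
import base64
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed sample records shaped like Windows process creation events; not real log data.
_ENC = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
EVENTS = [
    Event(100, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(200, 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE report.docx"),
    Event(300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell -enc " + _ENC),
    Event(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -enc " + _ENC),
    Event(500, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]

# Hypothetical, deliberately small rule sets; a real deployment tunes these.
DOC_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}
# Covers the common spellings of the flag, not every abbreviation PowerShell accepts.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def build_chain(events, pid):
    """Walk parent links from pid to the root; returns image names, root first."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen-set guards against PID loops
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def is_suspicious(chain):
    """Flag a LOLBin that descends from a document-handling application."""
    doc = [i for i, name in enumerate(chain) if name in DOC_PARENTS]
    return bool(doc) and any(name in LOLBINS for name in chain[doc[0] + 1:])
```

Production logs reuse process IDs over time, so a real chain builder also keys on host and timestamp rather than PID alone.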

The LogicHub Windows Process Creation Events playbook identifies suspicious and malicious events with the accuracy of an experienced threat hunting team, but with the speed and convenience of AI-powered automated analysis. The playbook shortcuts the need for months of detection content development and tuning by automatically sorting through the noise of benign events to pick out the clear signals of incipient or active attacks. SOCs can have the playbook up and running after just a few hours, immediately improving their ability to detect threats and defend against attacks.

The Windows Process Creation Events Playbook is just one of many playbooks available on the LogicHub Security Automation platform. LogicHub customers can also build custom playbooks to meet their own security requirements.

The LogicHub platform is the only security automation platform that delivers autonomous detection and response for security analysts. By applying machine learning and analytics on vast sets of event data, LogicHub automates security analyst workflows and decisions, helping teams save time, find critical threats, and eliminate false positives. LogicHub also provides a full explanation of the scoring logic to help security analysts review and validate results.

To learn more about the LogicHub Windows Process Creation Events Playbook, read our use case or contact a LogicHub sales representative.
