LogicHub is continuously developing new threat detection and threat hunting content categorized by and mapped to the MITRE ATT&CK framework, a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations and maintained by the MITRE Corporation.
Windows Process Creation Monitoring
After an adversary has compromised a system in your network, they will move laterally—that is, they will explore the network to discover what systems and services you have in place, and search for more vulnerabilities and assets to steal or compromise. As part of this lateral movement, they will run processes on Windows endpoints, and these processes will be logged in Windows process creation logs. Millions of these logs are likely already being generated and collected. Suspicious and malicious events can easily be missed in the noise of normal activity.
LogicHub has refined and automated hundreds of threat hunting detection patterns and techniques and mapped them to the MITRE ATT&CK framework. Major capabilities in this pre-built playbook include:
- Analyzing process execution logs to identify “process chains” to track the sequence of process executions, then using machine learning to compare this activity against models for known good and known bad behavior to predict whether a process chain is likely to be malicious.
- De-obfuscating and analyzing PowerShell commands, factoring in hundreds of patterns and a machine learning classifier trained on your organization's data.
The playbook shortcuts the need for months of detection content development and tuning by automatically tuning out most noise present in the deployed environment.
Proxy Beacon Detection
A popular use case with LogicHub customers is automating threat hunting to detect beacons used with Command and Control (C2) programs, which attackers use for orchestrating attacks. LogicHub accelerates detailed analysis of web proxy logs to detect proxy beacons, even when they use newer techniques for obfuscation.
Manual threat hunting for beacons is a time-consuming, even quixotic undertaking. Web proxy logs are voluminous, and it takes time to identify the anomalous patterns that indicate the potential presence of a beacon.
LogicHub’s automated analysis dramatically reduces the “noise” in proxy logs, making it easier to focus on suspicious log entries. LogicHub also applies mathematical analysis to identify traffic patterns associated with beacons. This analysis includes detecting patterns of purposeful jitter designed to make beacons seem less regular than they really are.
By applying the power of LogicHub’s automatic threat detection, security analysts can more quickly and accurately discover beacons being used in active attacks. Once discovered, these beacons can be shut down and the attack interrupted.
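As an added illustration of the regularity test described above (example code written for this page, not LogicHub's implementation), the script below groups constructed proxy log lines by client and destination and flags pairs whose request gaps stay nearly constant even with jitter applied; the log format, field names and the coefficient-of-variation threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Constructed sample proxy log lines: "<ISO timestamp> <client IP> <destination host>".
# 10.0.0.5 contacts c2.example every ~60 s with +/-10 % jitter; 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
2024-01-01T00:00:00 10.0.0.5 c2.example
2024-01-01T00:01:03 10.0.0.5 c2.example
2024-01-01T00:01:58 10.0.0.5 c2.example
2024-01-01T00:03:04 10.0.0.5 c2.example
2024-01-01T00:03:59 10.0.0.5 c2.example
2024-01-01T00:05:02 10.0.0.5 c2.example
2024-01-01T00:05:57 10.0.0.5 c2.example
2024-01-01T00:00:10 10.0.0.9 news.example
2024-01-01T00:00:14 10.0.0.9 news.example
2024-01-01T00:02:40 10.0.0.9 news.example
2024-01-01T00:02:41 10.0.0.9 news.example
2024-01-01T00:09:30 10.0.0.9 news.example
2024-01-01T00:09:31 10.0.0.9 news.example
2024-01-01T00:20:00 10.0.0.9 news.example
"""
def interval_stats(seconds):
    """Mean, std-dev and coefficient of variation (cv) of the gaps between sorted event times."""
    ts = sorted(seconds)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    sd = pstdev(gaps)
    return {"count": len(ts), "mean": m, "stdev": sd, "cv": sd / m if m else float("inf")}
def find_beacons(log_text, min_events=6, max_cv=0.15):
    """Flag (client, host) pairs with enough requests whose gaps are nearly constant (low cv)."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, client, host = line.split()
        by_pair[(client, host)].append(datetime.fromisoformat(stamp).timestamp())
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue  # too few requests to judge regularity
        stats = interval_stats(times)
        if stats and stats["cv"] <= max_cv:
            flagged[pair] = stats
    return flagged
if __name__ == "__main__":
    for (client, host), s in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {s['count']} requests, period ~{s['mean']:.0f}s, cv={s['cv']:.2f}")
```

A fixed cv threshold is only a first cut: beacons with large randomized sleeps or long dormancy need a longer window and additional features (request size, URI, user agent) before the pair is worth an analyst's time.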
Customers Tell Our Story Best
SOAR+ is the product of customer feedback. LogicHub would not be here if it wasn't for our customers and our community of thought leaders that help us every day make our platform the best it can be. We could not ask for a more loyal and generous community.