Greg Leah

BSides Calgary | 49:45 | 19 views | Published 2024-03

Transcript [en]

Everyone, my name's Greg Leah and this is ChatGPT for Security Analysts. So, quick outline for the talk: I'll give a quick intro, which I'm sure everyone is familiar with at this point; I'll do a brief overview of some of the ways that this tool can be applied to cybersecurity investigations; and then I'll walk through real-world examples, the first one using an open source adversary emulation framework and then using a live malware sample. So first, a quick disclaimer: I'm an analyst and security researcher, I'm not a data scientist. We're not going to go into the theory behind the technology at all; we're particularly talking about applications of this tech.

I'll also say I don't work in ethics or policy, so that's not discussed at all. So quickly, a bit about me: again, my name is Greg Leah, I'm the founder and CEO and technical architect at PrecisionSec. We are a startup based in Victoria, British Columbia, and we provide threat intelligence and threat hunting services. My background is in malware analysis, engineering and threat intelligence, with about 15 years in the industry. Okay, so motivation for this talk: this was motivated by a number of conversations I had where, you know, it seemed like everyone had heard of the tool but not everyone had actually played around with it, which surprised me,

and even fewer people are actually familiar with how powerful it is. So just a quick show of hands: how many people have actually signed up with OpenAI and tested out ChatGPT? So, almost everyone. How many people have actually tried using it in a cybersecurity context? Okay, half or 60%, cool. Okay, cool, yeah, I'd love to hear how everyone's using it later. Hopefully you get a couple of new ideas out of this talk. Okay, so just a quick intro: again, it looks like everyone's familiar with this tool, but it was created by OpenAI and released in December '22. There are free and paid tiers, the latest version is version 4, it has a

conversational interface, you can kind of go back and forth like any chat-based protocol, and there's API access if you want to integrate it into your application.

They have released a couple of updates in the last few weeks, so I did have to update my presentation a bit. Yeah, so a couple of the big ones here that are relevant to this talk: previously we had a length limit on the input we could put into the system, and so we could only analyze smaller code samples, or we would have to actually chunk the samples or put them into a text file and then upload the text file. So this newest version has increased the input length limits significantly, which makes some code analysis tasks much easier. They've added the Browse with Bing function, so also previously if you asked it a

question it would say, sorry, my training data only goes till 2021, I can only give you answers up till that point. This allows it to kind of query the web and give you a bit more up-to-date data and real-time responses. They've added some additional security, and I'll talk about that, especially around malware analysis and displaying or executing malicious code; I'll talk a bit more about that. Yeah, they're still struggling with long processing times at times, so like I would love to sit up here and, you know, do a live demo, but sometimes it can really stutter and take a while to give you your answer. And yeah, they also

introduced a token-based system for payments, so previously, you know, you paid $20 for a premium subscription; now, I believe, and I haven't played around with this because I am a Plus subscriber, you can buy tokens and use that to pay for your service. Cool. Okay, so relevant updates to this talk are really the data analysis and the DALL-E module. They've created a bunch of new modules, you know: so DALL-E is an image creation tool, data analysis is for analyzing data and visualizing it, and they've done a whole bunch of other random ones like Laundry Buddy, find out how to take leather stains out of

your white shirts; Tech Support Advisor; they have like a Mocktail Creator, so you can create cool cocktails for your alcohol-free party, and lots of other ones. And they've also added the ability to create custom GPTs, which I'll talk about a bit later. Okay, and this is the security thing that I mentioned a second ago: so they've added strict ethical guidelines around malicious or harmful code. So I was trying to get it to analyze in preparation for this talk and it gives me this, you know: I'm programmed to follow, there's a possibility that this obfuscated code represents something malicious or harmful, I won't be able to execute or reveal it.

We'll see. Okay, so I did play around with DALL-E a little bit, and I wanted to add this at the beginning because this was just released the other day, and so obviously the first thing I did was a hacker wearing a black hoodie crouched over a keyboard. And I think it did a pretty good job, it's a pretty cool photo. Question: DALL-E is a module, so there's ChatGPT and then they've added a bunch of different purpose-based modules, and this is their image creation module, so now you can just say give me a hacker wearing a hoodie at a keyboard and it'll create it for you. So you can really create images for anything you want to do; I have a couple of

examples later. Sorry, I believe it's a Plus subscription required. Cool, moving on. Okay, again I'm sure everyone's familiar with this, this is the basic interface of ChatGPT. I believe they removed the message cap on GPT-4, this screenshot was taken a while ago, but note the, you know, it may produce inaccurate information. This is absolutely something to be aware of when using this tool, and even in preparation for this talk I've had it give me some incorrect answers, and I've even had to go as far as like, I know that's wrong, so I'm like, are you sure about this? And it'll actually double down on the wrong answer, so you've

got to be aware of that if you're using this. Anything else I wanted to see here? Yeah, that's good for that slide. Okay, so this is a basic chat for ChatGPT, this is the type of task that it excels at: write a 20-minute presentation on how security analysts can use ChatGPT to streamline workflows. You will notice this is not actually the outline for this talk, but we could have used it. Moving on, so we'll move on to security applications. So these are kind of the main areas where I've found the tool to be helpful, and this is definitely not an exhaustive list, but we'll dig into some

of these today. So the first is analysis tasks: it's good at code analysis and explaining code, which is helpful for reverse engineering live malware. Threat intel: it's quite good at extracting IOCs from hostile code or from threat intelligence reports, so if you give it, you know, a paragraph out of an intel report that had some domains and IPs in it, and just say, hey, give me the IPs or the IOCs from this, it will pull those out. Oh, and sorry about the acronym: IOC is indicator of compromise, it's kind of a standard term in cyber threat intelligence. Threat hunting: it's actually quite good at generating

basic detection rules for threat hunting, so we'll talk a bit more about this. KQL is the Kusto Query Language used for Microsoft Sentinel; Sigma we'll talk about, and YARA we'll also talk about later. And then generating code, this is one of the real strengths of this tool: code prototyping, automation and scripting for tasks like, you know, generating code or writing regular expressions, that type of thing. Okay, so for the example workflow we're going to use the PoshC2 adversary emulation framework, so I'll just kind of quickly go through a couple of slides on how I set this up. This is basically used by pen testers when red teaming and for post-exploitation and lateral movement.

The reason I chose this is I didn't want to use live malware and I wanted to be able to control parameters such as command and control, so we could see if it actually accurately uses the correct data. Okay, so a little more about PoshC2: it's an open source C2 framework used for adversary emulation, written in Python. It's meant to simulate real-world attack scenarios where there's been a breach and an attacker is using it to move laterally around your network. It's quite easy to configure, this is the other reason I used it, it's quite easy to configure and it generates a variety of payloads. Okay, so just quickly, the

installation and configuration: when you install this, the only thing you really need to do is the PayloadCommsHost, and that's going to be your command and control server. I recommend you install this on Kali Linux, it's a bit of a pain to set up elsewhere. Once you set the config, you just, or sorry, you run posh-config in order to set this up, and you set the PayloadCommsHost and that will contain a list of the command and control hosts you want to beacon out to. There's a number of other options you can set, actually I think I talked about these here. Yeah, so in addition you can use domain fronting, you can

customize the user agent based on your environment. There's a number of other options you can use, you know, such as jitter, SOCKS proxy, that type of stuff, but those are not really relevant to this talk. I did want to point this out: when you set up a PoshC2 server, it uses these default values for the SSL certificate, and these actually cannot be configured using the posh-config tool, you actually have to manually edit these, and I'll show you why. If you're using this in a real-world pen testing scenario, I'll show you why this is important. So for anyone not familiar with this, it scans and fingerprints

services that are running on Internet-connected machines, and so this is one where you can see it's given us a fake for this, this is a PoshC2 server that was live at the time of this screenshot, and you can see those SSL certificate parameters are the same as were shown in the config file on the previous slide. So this is super easy to search for on Shodan, so if you're using this in a real-world engagement, make sure you change those. Yeah, there's a lot of people looking for these. Cool. Okay, so implant build: so when we run the server using posh-server it just automatically creates all the payloads.
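The fingerprinting point above cuts both ways: a defender can run the same check over their own TLS telemetry (for instance the certificate subject strings in a Zeek x509.log, or a Shodan export) to find servers still carrying a framework's unchanged default certificate. The Python below is an added example, not code from the talk or from PoshC2. The default values in it are constructed placeholders, since the real ones belong in the framework's own config file and are not reproduced here, and the sample subjects are constructed as well.

```python
"""Flag TLS certificates whose subject still carries a framework's default
(unchanged) certificate parameters. Added example, not the talk's or
PoshC2's code. Input: subject DN strings as they appear in TLS telemetry
such as the certificate.subject field of a Zeek x509.log."""
from typing import Dict, List, Optional, Tuple

# CONSTRUCTED placeholder defaults. Take the real values from the framework's
# own config file; the talk showed PoshC2's and they are not reproduced here.
KNOWN_DEFAULT_SUBJECTS: Dict[str, Dict[str, str]] = {
    "example-c2-framework": {
        "C": "US",
        "ST": "Example State",
        "L": "Example City",
        "O": "Default Org Placeholder",
        "OU": "Default OU Placeholder",
        "CN": "DEFAULT-CN-PLACEHOLDER",
    },
}


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse 'CN=x,O=y,...' into {'CN': 'x', 'O': 'y'}, honouring backslash
    escapes (e.g. 'O=Acme\\, Inc.') and trimming whitespace."""
    fields: Dict[str, str] = {}
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character, keep literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                         # unescaped comma ends a field
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip().upper()] = value.strip()
    return fields


def match_defaults(subject: Dict[str, str], defaults: Dict[str, str]) -> int:
    """Number of default fields the subject reproduces exactly."""
    return sum(1 for key, value in defaults.items() if subject.get(key) == value)


def classify(dn: str, min_fields: int = 3) -> Optional[Tuple[str, int, int]]:
    """Best-matching framework as (name, matched, total), or None.
    Single fields such as C=US are common in legitimate certificates, so
    several distinctive fields must match before the subject is flagged."""
    subject = parse_dn(dn)
    best: Optional[Tuple[str, int, int]] = None
    for name, defaults in KNOWN_DEFAULT_SUBJECTS.items():
        matched = match_defaults(subject, defaults)
        if matched >= min_fields and (best is None or matched > best[1]):
            best = (name, matched, len(defaults))
    return best


# Constructed sample subjects (not real observations).
SAMPLE_SUBJECTS = [
    "C=US,ST=Example State,L=Example City,O=Default Org Placeholder,"
    "OU=Default OU Placeholder,CN=DEFAULT-CN-PLACEHOLDER",
    "C=US,ST=California,L=San Jose,O=Acme Corp\\, Inc.,CN=www.acme.example",
    "C=US,ST=Example State,O=Another Org,CN=mail.example",
]


def scan(dns: List[str], min_fields: int = 3):
    """Classify every subject; None means no default set was recognised."""
    return [(dn, classify(dn, min_fields)) for dn in dns]


if __name__ == "__main__":
    for dn, verdict in scan(SAMPLE_SUBJECTS):
        print("ALERT" if verdict else "ok   ", verdict, dn)
```

The threshold matters: the third sample shares C and ST with the placeholder defaults but is not flagged at the default `min_fields=3`, which is what keeps common values such as `C=US` from generating noise; lower the threshold only for fields that are genuinely distinctive (the CN and O/OU strings a framework ships with, not country or state).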

It creates a project folder and, yeah, all the other out-of-the-box payloads, puts them in your project and gives you basic instructions. So again, this is why I picked this: this tool generates all the payloads nice and easily, and then we can start just copying those into ChatGPT and playing around. I think it builds about 155 different payloads, you know, your Windows shellcode, your Python, PowerShell, pretty much everything, your batch file, everything you need. Cool. Yeah, so we're going to focus on the Python implant for the next few slides, and again, the reason I did this is because it's actually quite small, so this is to get

around the length limits of previous versions of ChatGPT; with the newest release we can actually analyze significantly larger payloads. Yeah, so this is the Python implant, you can see it does some basic importing of Python libraries and then just this giant base64
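Two of the analyst tasks described above, pulling the C2 configuration out of a base64-wrapped Python implant and extracting IOCs from a paragraph of threat intel, done statically in Python as an added example (not the talk's code and not PoshC2's). The stager text, the configuration it wraps and the intel paragraph are all constructed, inert samples using reserved example addresses; the text-inside-zlib-inside-base64 layering of the stub is an assumption, not a description of any real implant. Nothing is executed: the script only locates base64 literals, decodes them, and runs regexes over the result, refanging `hxxp` and `[.]` first so defanged reports are handled too.

```python
"""Static triage of a base64-wrapped Python stager and IOC extraction from
decoded content or threat-intel prose. Added example, not the talk's or
PoshC2's code. Everything below is a constructed, inert sample."""
import base64
import re
import zlib
from typing import Dict, List

# --- constructed sample inputs (reserved example addresses, nothing runs) ---
_INNER = (
    "CONFIG = {\n"
    "  'urls': ['https://c2.example.invalid/sync', 'http://203.0.113.10:8080/beacon'],\n"
    "  'fallback': 'backup-c2.example.net',\n"
    "  'ua': 'Mozilla/5.0 (constructed)',\n"
    "}\n"
)
# Assumed layering for the stub: text -> zlib -> base64 inside a string literal.
_BLOB = base64.b64encode(zlib.compress(_INNER.encode())).decode()
STAGER_SAMPLE = "import base64, zlib\nPAYLOAD = \"" + _BLOB + "\"\n# constructed stub\n"
INTEL_PARAGRAPH = (
    "The actor staged payloads on hxxps://update[.]evil-example[.]com/a.txt and "
    "beaconed to 198.51.100.77 over port 443; a second server at 203.0.113.10 "
    "was seen later."
)

B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _to_text(raw: bytes):
    """Bytes as UTF-8 text, directly or after zlib inflation; None if neither."""
    candidates = [raw]
    try:
        candidates.append(zlib.decompress(raw))
    except zlib.error:
        pass
    for candidate in candidates:
        try:
            return candidate.decode("utf-8")
        except UnicodeDecodeError:
            continue
    return None


def unwrap_layers(text: str, max_depth: int = 5) -> List[str]:
    """Decode every base64 literal in text and recurse into the decoded text,
    so nested wrappers are peeled up to max_depth. Returns decoded layers."""
    layers: List[str] = []
    if max_depth == 0:
        return layers
    for match in B64_LITERAL.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:          # long alnum run that is not valid base64
            continue
        decoded = _to_text(raw)
        if decoded is None:         # binary we cannot read as text: skip
            continue
        layers.append(decoded)
        layers.extend(unwrap_layers(decoded, max_depth - 1))
    return layers


def refang(text: str) -> str:
    """Undo common defanging in intel reports: hxxp -> http, [.] -> ."""
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("(.)", ".")


IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
URL = re.compile(r"https?://[^\s'\"<>,)\]]+")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+([a-z]{2,})\b", re.IGNORECASE)
# Simplification: a short TLD allowlist keeps attribute chains in code
# (e.g. 'urllib.request') and file names ('a.txt') out of the domain list.
TLDS = {"com", "net", "org", "io", "info", "ru", "cn", "top", "xyz", "example", "invalid"}


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Return de-duplicated URLs, IPv4 addresses and domains found in text."""
    text = refang(text)
    found = {
        "urls": [u.rstrip(".;") for u in URL.findall(text)],
        "ips": IPV4.findall(text),
        "domains": [m.group(0).lower() for m in DOMAIN.finditer(text)
                    if m.group(1).lower() in TLDS],
    }
    return {k: list(dict.fromkeys(v)) for k, v in found.items()}


def defang(ioc: str) -> str:
    """Make an indicator safe to paste into a report."""
    return ioc.replace("http", "hxxp").replace(".", "[.]")


def triage_stager(text: str) -> Dict[str, object]:
    """Peel the stager's encoding layers and collect IOCs from all of them."""
    layers = unwrap_layers(text)
    return {"layers": len(layers), "iocs": extract_iocs("\n".join(layers))}


if __name__ == "__main__":
    result = triage_stager(STAGER_SAMPLE)
    print("decoded layers:", result["layers"])
    for kind, values in result["iocs"].items():
        print(kind, [defang(v) for v in values])
    print("intel:", extract_iocs(INTEL_PARAGRAPH))
```

On the constructed stub this yields one decoded layer and the two URLs, one IP and two domains from the wrapped config; on the intel paragraph it yields the refanged URL, both IPs and the one domain while ignoring `a.txt`. The TLD allowlist is the deliberate trade-off here: it trades recall on unusual TLDs for not reporting every dotted identifier in source code as a domain, which is exactly the kind of false positive a language model also tends to produce.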

in

on the

SAU

yeah so this is the analysis of that code so standard here so P 10 directory download the auto theable from this point

so

it's also quite easy to reverse can't um okay so not sure if everyone on Twitter make it their information on twittered

to

so

here's so this one summary what so it's pulled them out

prur the file name so

can. Okay, so let's move on to the data, and I was really hoping that I could example to show using the data analysis module. It's typically meant for like uploading spreadsheets and pulling together data to make nice graphs and stuff, but I was really hoping, because small data analysis, I was

unsuccess

extract the and identify any, so it tried, it gave this and then it, sorry, you know I need this computer. Drop down here in the "analyzing", if I drop that down it exposes this Python, and that was the code that it had generated on the fly in order to analyze this. So while was unable to go, so yes, that's data

analysis, and moving on to DALL-E. This is just kind of a fun one, this one, so I wanted to try to that chain that out, so

want, so the results were interesting, this, there's a lot going on

here

yeah, itating infection chart, that actually gave you two versions

graph right

yeah, good, good stuff. Okay, moving on, this is

this is these are

CS for specific so I guess you can make tailored versions things and I think you know so a bunch of people have made this I

didn't excuse

actually been 50 or 60 curated ones that have been released, seems like everyone on this. So this one, my interest on F pass on the other day, this is a specialized GPT, or so, not sure folks read that hope before, but yeah, so I just was like okay let's find out about randomy. So obviously ChatGPT, it's pretty well Russ Bas, asking a basic question, what are

the he giv me know fishal

Haring at least gives you I think

only but I haven't seen

query I want to compare this

question the exact question and the answers are PR close you know that there's can't really say too much about that

research this Guyer, so this very, but there's, yeah, there's a ton of these questions out there

any. Okay, so let's wrap up. I did want to leave a good amount of time for questions. Yeah, so in the first part, you know, in about four minutes of using a tool, less time than it took to present this research, we were able to analyze, extract R detection, prototype hunting tool

and schol can significantly improve the efficiency of cyber security

And that's my talk. Like, I want to leave a lot of time for questions. I hope it's helpful, I'd love to hear great ways that other people are using this tool, feel free to add me on Twitter or LinkedIn, and if you want to talk about threat hunting or threat intelligence you're welcome to visit the website or

we do have thank

you so I haven't question has ever

lost that is no in terms of push back definitely double down I know that you're sorry

then

don't

I think that's a bit of a FAL question I said we weren't going to talk about appc

can

yeah that's that's that's an implementation yeah I think I think it comes down to

policy

the

wrong like I've seen where like someone like hey tell me about this reverse engineering tool or give me top 10 reverse engineering tools like eight of them were real and two of them completely and then they went on and said okay tell me about and these are guys know they're tell me about this big one it's it's by this company you know

here and

yeah


no I I think it's really almost never gets it right on but if you could be like hey I want this table

and pretty close to where you need to be

that's

I I barely use that that example but that's that's an interesting

malicious like I see there's a replace motion actually so I saw the sh ex like just tell me what this oh it looks like it's his Str like what strength and then like well it's like it's you know replace function like okay emulate the replace function So eventually after you know it's

not you have to have some

knowledge

yeah would only be able to give you this answer if to our

yeah I not

the not try that again you want

you variable is

water

thank