Artificial Intelligence Agent to extract threat intelligence TTPs from feeds of malicious and benign event sources and automate threat hunting activities.
This project is a proof of concept using a knowledge-based approach at it's foundation. It organizes a core knowledge base and analysis capabilities around various attack techniques, examples, tooling, and heuristic recognition. Wayfinder uses various Machine Learning techniques based on the volume of data it has about a topic, allowing it to learn from a very small number of examples (e.g. 1 or more) to much more data (hundreds of thousands of examples).
- resources / parsed.zip: The pre-processed data used by the agent was derived from >3 months of Hybrid Analysis public feed logs. A pre-processed version of these is included.
- resources / proc_chain_summary.csv: Process chains learned by the agent after 3 months of data was analyzed.
- resources / attack_lolbas_mapping.csv: Pre-requisite work done to map MITRE ATT&CK to LOLBAS and vice versa. This data was folded into the ontology used by the agent.
- resources / presentations: presentation material that more fully explains this project
- Incorporate more knowledge into the ontology and enable the agent to recognize more objects like registry keys, important file paths, automate de-obfuscation steps, and gather more information about tool command line arguments and what they mean.
- Add another dimension of feature analysis based on the newly recognized objects.
Windows Native Tool References: