tietze.io

Analyzing OPTICS detections with CyShell

You can use CyShell to analyze OPTICS detections for commonalities from a command line prompt.

Start by connecting to your console, then analyze detection rule frequency. This shows how often each rule has triggered:

Invoke-CylanceDetectionRuleAnalysis | ft

Rule frequency

Then you look at the artifacts for detections:

$a = Invoke-CylanceArtifactAnalysis
$a | ft

This will result in output similar to the below:

Id                                   RuleName                                     RuleVersion NumberOfBuckets NumberOfDetections NumberOfDevices BucketWithHighestNumberOfHits Buckets
--                                   --------                                     ----------- --------------- ------------------ --------------- ----------------------------- -------
xxxxxxxx-993e-4ddc-b26e-b27f0c56929a One-Liner ML Module                                                   69                217               4                           217 {217, 217, 217, 137...}
xxxxxxxx-69b0-45da-8351-886ceffed2a4 Hidden Powershell Execution                                           43                 66               6                            66 {66, 64, 64, 54...}
xxxxxxxx-46e0-49e5-abbd-975484b03903 System Network Connections Discovery (MITRE)                          51                 43               4                            43 {43, 41, 41, 26...}
xxxxxxxx-d645-4aa6-bb5c-36314b467b75 InstallUtil (MITRE)                                                   36                 42               7                            42 {42, 42, 42, 36...}
xxxxxxxx-8393-428d-ad64-341cff1627a5 Hosts File Modified                                                   10                 28               3                            28 {28, 28, 28, 28...}
xxxxxxxx-c0a9-4d9f-8ef9-2ac7a71be291 System Service Discovery (MITRE)                                      13                 18               1                            18 {18, 18, 18, 18...}
xxxxxxxx-b3c1-4fd6-aca9-4d0d5f1fdfb6 Unsigned Application Network Beaconing                                54                 14               3                             9 {9, 9, 4, 4...}
xxxxxxxx-d0d9-48f5-b15e-94b02f186e9d Process Without Common Executable Extension                           81                 13               6                            11 {11, 11, 11, 10...}
xxxxxxxx-fcb4-481b-99d3-81eff9b6ab84 Oversized Image File                                                  20                 10               1                            10 {10, 10, 10, 10...}
xxxxxxxx-46b1-4832-be78-57c0f7bd21bb Office Application Startup (MITRE)                                    13                  8               2                             8 {8, 6, 4, 4...}
xxxxxxxx-b4f5-484f-9a30-eaff733a1cd3 Scheduled Task Persistence (MITRE)                                    31                  3               3                             3 {3, 2, 2, 2...}
xxxxxxxx-d5b5-498c-bced-0962b08b7f97 Office DDE to Script Interpreter (MITRE)                              12                  1               1                             1 {1, 1, 1, 1...}
xxxxxxxx-0b5f-4d22-a80d-8a008d72f851 SVCHost Suspicious Parent                                              6                  1               1                             1 {1, 1, 1, 1...}
xxxxxxxx-1831-4713-bfb3-276763925837 Internet Browser With Suspicious Parent                               12                  1               1                             1 {1, 1, 1, 1...}

Grouping detections by artifact

Then look at e.g. the first entry’s details interactively:

$a[0].Buckets | Out-GridView

This opens a grid view of the hits allocated to buckets (groupings of detections that share similar artifacts, e.g. the same destination IP address and instigating process), sorted by frequency. You can also operate on the buckets programmatically, e.g. show all detections in buckets whose key contains wget:

$a.Buckets | 
    where key -like "*wget*" | 
    Select-Object -ExpandProperty members |
    Select-Object -ExpandProperty detection | 
    Sort-Object -unique

Programmatically updating detections

If you want to delete these automatically, just append | Remove-CylanceDetection to that pipeline; if you want to update their status and add a comment instead, append | Update-CylanceDetection -Status Reviewed -Comment "This was discovered programmatically from PowerShell, and we have blacklisted the IP in the firewall." and so on.
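As an added example (not from the original post or the CyShell project), the function below takes the objects returned by Invoke-CylanceArtifactAnalysis and reports how concentrated each rule's detections are in its largest bucket, which is what the NumberOfDetections and BucketWithHighestNumberOfHits columns above hint at: a rule whose hits nearly all land in one bucket is usually a single recurring artifact to review in bulk rather than many separate incidents. The sample objects are constructed to mirror the property names used in this post (Buckets with key and members, members with detection); the 0.8 threshold, the -KeyPattern filter and the opt-in -Apply switch are my own assumptions.

```powershell
# Added example: triage CyShell artifact analysis output by bucket concentration.
# Assumes the object shape shown in the post: each rule has RuleName, NumberOfDetections
# and Buckets; each bucket has key and members; each member has detection.
# $Threshold, $KeyPattern and $Apply are assumptions, not CyShell parameters.
function Get-DetectionConcentration {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $RuleAnalysis,
        [double] $Threshold  = 0.8,    # share of hits in the top bucket that flags a rule
        [string] $KeyPattern = '*',    # only consider buckets whose key matches, e.g. '*wget*'
        [switch] $Apply                # when set, bulk-mark the flagged detections as Reviewed
    )
    process {
        $buckets = @($RuleAnalysis.Buckets | Where-Object key -like $KeyPattern)
        if ($buckets.Count -eq 0 -or -not $RuleAnalysis.NumberOfDetections) { return }
        # Largest bucket by member count; its share of all detections measures concentration.
        $top   = $buckets | Sort-Object { @($_.members).Count } -Descending | Select-Object -First 1
        $hits  = @($top.members).Count
        $share = [math]::Round($hits / $RuleAnalysis.NumberOfDetections, 2)
        $flag  = $share -ge $Threshold
        [pscustomobject]@{
            RuleName       = $RuleAnalysis.RuleName
            Detections     = $RuleAnalysis.NumberOfDetections
            TopBucketKey   = $top.key
            TopBucketHits  = $hits
            Share          = $share
            SingleArtifact = $flag
        }
        if ($Apply -and $flag) {
            # Same pipeline shape as the post: members -> detection -> Update-CylanceDetection
            $top.members | Select-Object -ExpandProperty detection | Sort-Object -Unique |
                Update-CylanceDetection -Status Reviewed -Comment "Bulk-reviewed: recurring artifact $($top.key)"
        }
    }
}

# Constructed sample standing in for "$a = Invoke-CylanceArtifactAnalysis" so this runs offline.
$sample = [pscustomobject]@{
    RuleName = 'One-Liner ML Module'; NumberOfDetections = 5
    Buckets  = @(
        [pscustomobject]@{ key = 'powershell.exe | 203.0.113.5'
                           members = @(1..4 | ForEach-Object { [pscustomobject]@{ detection = "det-$_" } }) },
        [pscustomobject]@{ key = 'wscript.exe | 198.51.100.9'
                           members = @([pscustomobject]@{ detection = 'det-5' }) }
    )
}
$sample | Get-DetectionConcentration | Format-Table   # Share 0.8, SingleArtifact True
```

Run it against the real $a (for example $a | Get-DetectionConcentration -KeyPattern '*wget*') to see which rules are dominated by one artifact before deciding whether to bulk-update or remove them.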