Tutorials, How-To's and information about BIRT
Endpoint Evidence Panel
The evidence tab is broken up into three sections: the query + preview section, process tree hierarchy and evidence index. The first tab is where the evidence query is crafted. By default, all process groups from all discovered power state cycles are selected and displayed. The Micro-Technique Engine tracks and infers power state cycles and when an evidence branch is registered it’s assigned to one of many process groups. A process group is a recognizable source for the event(s) in question, e.g. children of C:\windows\explore.exe (that is also a child of C:\windows\system32\userinit.exe) are placed into the Windows GUI process group for that instance of explore.exe. Grouping evidence in this way also groups together similar and related behaviors and is an integral part of an effective filtering strategy.
The most significant Process and Event Groups are:
Event logs, MFT and Registry files are very verbose. Typically, an investigator is interested in a narrower time range, however it’s always a possibility that interesting activity happened before or after the event(s) that brought them to this point. BIRT gives you the capability of easily pruning the output of the Micro-Technique Engine by deselecting power state cycles and even process groups that might not be interesting or in-scope to the investigation. When these are toggled the process tree hierarchy and evidence index are rebuilt in real-time to dynamically generate evidence and related contextual events.
The top row of the query panel has score range limit selector dropdowns, select all process groups, deselect all process groups and a reload all data button. The next row contains a button to the simplified evidence collection panel, Micro-Technique Engine statistics and the View dropdown. Views are filters created from the Micro-Technique rule base that only show events that are related to the MT’s included in the view. An example is the Command Interpreters view, which only shows events and evidence related to cmd.exe, powershell.exe (and derivatives), bash, sh, etc. By default, there is one for each Tactic and they give the investigator another way to split the dataset during analysis.
Evidence Query Configuration Panel
The evidence summary is a quick way to recon the selected process groups. It does have some internal limits on amount of returned data, like the process hierarchy tree diagram so it’s not intended to be authoritative for very complex evidence graphs.
Evidence Summary Panel
The last item of note on the query panel is the Add Evidence panel. When selected it will query all the events and evidence present in the selected process group(s). The user can then prune events with the index to the left or selecting/deselecting events in the main panel. The MITRE evidence to the right will adjust based on the selected events. Pressing the confirm button will merge those events with the currently selected investigation.
Add Evidence Panel
The process group tree diagram is generated as groups are de/selected. This view is intended to give another angle on evidence that contains EDR/XDR process behavior data. When events are part of the investigation, they will have a green border and when a process is clicked the events and evidence panel will slide out giving the user the ability to add the node/branch to the investigation or analyze the evidence. The diagram can be adjusted with the controls at the top and power state cycles can be selected on the right-side list.
Process Group Tree Diagram
The endpoint timeline is a queryable data structure that represents the events in time-logical order. It is composed of a slice of the timeline events on the left side and the index slice on the right. The index slice displays the cardinality (count) of the unique values for each key. Each value is indexed up to 1024 bytes, any queries beyond that will still match, but only the first 1024 bytes of the query will be matched against the first 1024 bytes of the value. In the abbreviated example below, the structure of an event is displayed. Each key’s value is compared against the previous values and if a duplicate is discovered, the count is increased.
Example Process Create Event
{
"node_id": "ev-8320f18b2b9a5ead9300000000000500",
"parent_node_id": "ev-8320f18b2b7b5ead6200000000000500",
"pid": 3076,
"ppid": 4468,
"logon_id": "0x3e7",
"integrity": "System",
"user": "NT AUTHORITY\\SYSTEM",
"session": 0,
"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"filename": "powershell.exe",
"md5": "CDA48FC75952AD12D99E526D0B6BF70A",
"sha1": "36C5D12033B2EAF251BAE61C00690FFB17FDDC87",
"sha256": "908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53",
"imphash": "A7CEFACDDA74B13CD330390769752481",
"parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"parent_filename": "WmiPrvSE.exe",
"parent_command": "C:\\windows\\system32\\wbem\\wmiprvse.exe",
"command": "powershell -exec bypass -Noninteractive -windowstyle hidden -e WwBTAHk...E0AUwA=",
"utc": 1588407194.758,
"orig_event": { },
"os_string": "WINDOWS",
"endpoint_hostname": "UTICA.dmevals.local",
"event_type": "proc",
"exit_utc": 4294967294,
"endpoint_id": "70582555974831895",
"source_file": "UTICA.dmevals.local.json",
"event_type_class": "edr",
"uid": -1,
"auid": -1,
"extension": "exe"
}
The events can be ordered ascending/descending on their UTC timestamps, or the 4 or 8 timestamps provided by the file system abstractions (Windows $MFT and Image File Entries). Index queries can be generated by clicking on a value under its key or using the value’s dropdown for a more specific query. Queries can also be manually entered above the query breadcrumb bar or copy/pasted on the right end.
Index Viewer Detail
The index keys and values reflect the normalized event keys and a count of each unique value present in the events that make up the index. When the index is compiled, this index is built. A cardinality index is an effective tool for finding anomalies and analyzing datasets of this size and type.
Index Slice Keys and Values
The event slice can be sorted by timestamp(s) and there is also a toggle for full vs compact event display in the slice panel.
The index slice has hot keys for expanding, closing and resetting the index key’s state e.g. open/closed/sort asc/desc/etc. The keys and values can also be sorted in two or more ways.
Event and Index Slice Option Menus
Index values can be queried and added to the active index query, the Attribute - Operator - Value query will display in the bar and the query will be executed. The default is a LIKE query. Clicking the dropdown expands a menu of operators that is type-aware, so integers/floats will also allow gt/lt operators, amongst others.
Index Value Query Shortcut
Event rows or cards have an actions dropdown menu that displays the available ways to utilize the data in the event. The dropdown menu is broken down into several sections:
Timeline Event Actions
Carving through large datasets to find the proverbial needle in the haystack usually entails looking at a lot of hay. In addition to carving the event stream by keys and values, the query string filter can be used to filter events and highlight/filter the displayed event keys. The following example demonstrates a string filter for “ScriptBlockText” with the event card expanded, this is useful for analyzing Powershell events.
Filter on Event Keys
Another useful analysis pattern is to use the much smaller Evidence timeline to generate queries for the endpoint timeline. Oftentimes malicious activity can be narrowed down to a smaller time range. Using the Evidence index viewer, the analyst can set a narrow time range with the time picker or the Actions -> Timeline query and make any adjustments, as necessary. That index query should now appear in the Query History and can be selected in the endpoint Timeline index viewer, giving a unabridged view into the endpoint during that time period.
Narrow Time Range Analysis
Many of the artifacts BIRT recognizes are parsed into events that have parent/child relationships:
Under the event Action menu there is a section labelled Hierarchy where an analyst can walk the relationships with queries up or down the tree by parent node or child nodes. For example, if I’m interested in a certain process and its activities, I can select “Focus on Node Children” and the query will return the child processes, file/registry/network/etc actions for that process.
During analysis and investigator might make adjustments to Micro-Technique rules or modify the Investigation indicator strings or regexes. The Execute button in the upper right-hand corner can be used to manually run the engine. This locks the index for all users and shows a progress bar at the top of the Data Stores panel, as well as on the System Activity tab.
This will delete and rebuild the evidence graphs and the Evidence tab will repopulate when the process has been completed. Th
Execute MTE
Events from the endpoint timeline or evidence can be analyzed by an LLM from the menu found in the Actions dropdown. The API prompt is adaptive, and in the case of labelled evidence, it will gather contextual information to enrich the analysis, with more enhancements coming with every update. Better results have been observed with higher parameter count models.
LLM Evidence Analysis