Following my recent LinkedIn post about Predator, an AI-powered proof-of-concept malware I developed, I wanted to share my observations from testing it against two SIEM solutions - the ELK Stack and Wazuh - set up in my cyber range and home SOC lab. This post is part 1 of the series, focusing on Predator vs ELK Stack.

Here's an instance of Predator masqueraded as an invoice.pdf file using the Right-To-Left-Override (RTLO) and homoglyph techniques, copied onto a Windows Server 2019. This server has the ELK Stack and Wazuh agents installed, as well as the Sysmon tool for enhanced monitoring.

Notice the executable filename which appears to end with .pdf, but in reality it's an executable file. This technique is designed to fool potential victims into thinking they are opening a harmless PDF file, such as an invoice. The use of the Right-to-Left Override (RTLO) character allows the true file extension .exe to be disguised, while displaying a seemingly benign extension .pdf at the end of the filename.

With everything set up and ready to go, I double-clicked on the invoice.pdf, and Predator started to run. Note that Defender is running on this server, and Predator went undetected. Since this malware is designed to simulate an attack and train junior analysts on threat detection and hunting, Predator outputs its status and actions. However, a threat actor would run the malware in stealth mode, leaving nothing visible to the victim who clicked on the file.

Predator, while running, retrieves a decryption key from somewhere on the Internet and uses it to decrypt the contents of the configuration file and the predefined prompt. It then communicates with the AI to get back the malicious payload, which in this case is a reverse shell to a channel on my Discord server. It's worth noting that the AI code or malicious payload sent sometimes contains errors or bugs; Predator is able to check this and request new capability code until it validates that it can execute it. In the following image, you can see a snippet of the code returned by the AI and the denoted RAT > indicating that the reverse shell should be established and ready to receive commands from the Discord server.

From the Discord side, you can see Predator reporting that it's ready to receive commands. You then see me sending some commands, and finally, I send the exit command. At this point, Predator terminates, and the mission is completed.

Now, Predator was able to bypass Microsoft Defender. Let's first see what the ELK Stack SIEM detected, if anything.

Interesting, so from the preceding image, it shows that Elastic did not generate any alerts for the time period that Predator was executed and establishing a C2 communication.

I checked the security rules and I do have some rules installed and enabled, especially for Potential Reverse Shell and activity.

This is a good example as to why us cybersecurity professionals need to conduct this type of test to see what our SIEM is capable of detecting and what is not. Now my mission is to do some threat hunting and to confirm that the ELK Stack is indeed receiving the logs from the agents.

From the preceding image, I do confirm that the logs are being ingested to Elastic and I do see the Predator’s activities such as network communication and command executions.

For this case, I am tasked with further investigation and, based on these events, enabling any existing rules that may be able to detect Predator activity. Alternatively, I may need to conduct research and create custom threat detection rules. I'll address this in a future post. To wrap up here, in part 2, we will examine whether Wazuh, with its default rules enabled, is able to detect Predator. Stay tuned for my next post. Cheers!