Detecting Intrusions Stemming from MSFT Co-Pilot in Windows 11

Living-off-the-land binaries (LOLBins) are legitimate executables that ship with the operating system, such as powershell.exe and certutil.exe, and that attackers abuse in sophisticated fileless attacks. Because these attacks rely on trusted, signed binaries, they are often missed by conventional defences and complicate detection, incident response, and threat hunting. Microsoft Copilot's integration as a default tool in Windows 11 adds further complexity to this threat landscape. This project aims to extract novel atomic indicators from incidents involving attacks that utilize Microsoft Copilot, contributing them to threat intelligence. The extracted indicators of compromise (IOCs) are intended to improve security awareness without increasing the complexity of threat detection. The project is divided into five steps: data collection; building a model for automated IOC extraction; testing and evaluation; fine-tuning and deployment; and reporting and presentation. The initial stages focus on collecting data and identifying actionable intelligence in coordination with the threat intelligence team. This data is then used to train, test, and deploy the automated IOC extraction model. Once the model is successfully deployed, it can be integrated with the threat intelligence feed so that the actionable intelligence can be applied to threat detection and incident response.

Faculty Supervisor:

Ali Dehghantanha

Student:

Partner:

eSentire

Discipline:

Computer science

Sector:

Cyber Security; Information and Communications Technology; Technology

University:

University of Guelph

Program:

Accelerate
