Full Report
Everyone is talking about LLMs finding zero days. That is not the only story. The story is what happens when you point these models at the defensive tools organizations depend on for first line defense. AI is changing…
Analysis Summary
# Tool/Technique: LLM-Assisted Defensive Product Reverse Engineering
## Overview
This technique involves leveraging Large Language Models (LLMs) to systematically map, summarize, and reverse engineer defensive security products (EDR, AV, and network appliances). By feeding defensive logic, binary exports, and configuration files into LLMs, attackers can rapidly identify blind spots and bypasses within the security stack that were previously protected by "security through obscurity."
## Technical Details
- **Type**: Technique (Adversarial Research/Reverse Engineering)
- **Platform**: Cross-platform (Windows EDRs, Linux security tools, Cloud security appliances)
- **Capabilities**:
  - Automated mapping of defensive hooks and kernel callbacks.
  - Summarization of complex defensive logic into a human-readable format.
  - Cross-version comparison to identify changes in detection signatures.
  - Accelerated bypass development for EDR/AV solutions.
- **First Seen**: Blog published May 2024 (conceptualized as an emerging threat).
## MITRE ATT&CK Mapping
- **TA0043 - Reconnaissance**
  - T1592 - Gather Victim Host Information
- **TA0005 - Defense Evasion**
  - T1562 - Impair Defenses
    - T1562.001 - Disable or Modify Tools
- **TA0007 - Discovery**
  - T1518.001 - Security Software Discovery
## Functionality
### Core Capabilities
- **Timeline Compression**: Reduces the time required to understand a defensive product's internal logic from weeks to days.
- **Artifact Analysis**: Analyzes files obtained from "opaque" sources (university sites, VT submissions, misconfigured S3 buckets) to determine how a specific EDR monitors processes.
- **Workflow Automation**: Automates the tedious parts of reverse engineering, such as labeling functions and identifying known API call patterns within defensive binaries.
### Advanced Features
- **Prompt-Based Reversing**: Using specialized prompts (e.g., "EDR Large Prompt") to direct the LLM to identify specific detection logic or "blind spots" in a product’s telemetry.
- **Comparative Analysis**: Identifying differences between versions of a defensive tool to pinpoint exactly what new malicious behaviors a vendor is attempting to catch.
## Indicators of Compromise
*Note: As this is a research technique, traditional IOCs like file hashes are less relevant than behavioral indicators of the research phase.*
- **File Names**: `EDR_Skill_Gist.md`, `EDR_Prompt.txt`.
- **Behavioral Indicators**:
  - Unexplained acquisition of internal EDR binaries/drivers.
  - High-volume interaction with LLM APIs containing proprietary code or decompiled snippets of security software.
  - Repeated testing of "edge case" payloads against specific EDR versions in isolated labs.
## Associated Threat Actors
- Research-oriented red teams.
- Sophisticated state-sponsored actors (APTs) looking to minimize "noise" during operations.
- Cybercriminal groups developing "custom" bypasses for RaaS (Ransomware-as-a-Service).
## Detection Methods
- **Behavioral Detection**: Monitor for unusual access to security agent binaries and drivers (e.g., attempts to copy EDR drivers to non-standard locations for offline analysis).
- **Network Metadata**: Monitor for uploads of sensitive internal binary artifacts to public LLM platforms or web-based analysis tools.
- **Internal Auditing**: Use "honey-configurations" or unique builds of security tools to determine whether an attacker has prior knowledge of the internal logic of your specific stack.
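The first two detection methods above (copies of agent binaries out of their install directory, followed by large uploads to a public LLM API from the same host) can be expressed as one correlation rule. The following Python is an added example written for this summary, not code from the original report or from any EDR vendor. The agent directories belong to a fictional product "ExampleEDR", the LLM API hostnames are constructed, and the JSON-lines file-audit and proxy telemetry it runs over is constructed sample data with an assumed schema; map the field names to whatever your SIEM actually emits.

```python
import json
from datetime import datetime, timedelta

# Directories where the endpoint agent's binaries and drivers live. These are
# assumed generic locations for a fictional "ExampleEDR", not a real vendor's paths.
PROTECTED_DIRS = (
    r"c:\program files\exampleedr",
    r"c:\windows\system32\drivers\exampleedr",
)
# Public LLM API endpoints treated as sensitive egress (constructed hostnames).
LLM_API_HOSTS = {"api.llm-example.com", "chat.llm-example.net"}
UPLOAD_BYTES_THRESHOLD = 1_000_000        # request body of roughly 1 MB or more
CORRELATION_WINDOW = timedelta(hours=24)  # how long after a copy an upload still counts

# Constructed sample telemetry: file-audit events and web-proxy events as JSON lines.
FILE_EVENTS_JSONL = r"""
{"ts":"2024-05-02T09:14:00","host":"ws-17","user":"jdoe","action":"copy","source_path":"C:\\Program Files\\ExampleEDR\\agent.dll","target_path":"C:\\Users\\jdoe\\Desktop\\agent.dll"}
{"ts":"2024-05-02T09:20:00","host":"ws-17","user":"jdoe","action":"copy","source_path":"C:\\Windows\\System32\\drivers\\ExampleEDR\\sensor.sys","target_path":"D:\\tmp\\sensor.sys"}
{"ts":"2024-05-02T09:31:00","host":"ws-03","user":"asmith","action":"copy","source_path":"C:\\Users\\asmith\\Documents\\notes.txt","target_path":"C:\\Users\\asmith\\Desktop\\notes.txt"}
{"ts":"2024-05-02T10:00:00","host":"ws-17","user":"SYSTEM","action":"copy","source_path":"C:\\Program Files\\ExampleEDR\\update\\agent.dll","target_path":"C:\\Program Files\\ExampleEDR\\agent.dll"}
"""
PROXY_EVENTS_JSONL = r"""
{"ts":"2024-05-02T11:02:00","host":"ws-17","method":"POST","dest_host":"api.llm-example.com","bytes_out":4500000}
{"ts":"2024-05-02T11:05:00","host":"ws-17","method":"GET","dest_host":"api.llm-example.com","bytes_out":310}
{"ts":"2024-05-02T11:40:00","host":"ws-03","method":"POST","dest_host":"api.llm-example.com","bytes_out":2100000}
{"ts":"2024-05-02T12:10:00","host":"ws-17","method":"POST","dest_host":"files.intranet.example","bytes_out":9000000}
"""


def load_jsonl(text):
    """Parse JSON lines and convert the ISO timestamp into a datetime."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    return events


def is_protected_path(path):
    """True if the path is inside one of the agent's install directories."""
    p = path.lower().replace("/", "\\")
    return any(p == d or p.startswith(d + "\\") for d in PROTECTED_DIRS)


def find_agent_copies(file_events):
    """Copies that take an agent binary/driver out of its install directory.

    An agent updating itself copies within the protected tree and is not flagged.
    """
    return [ev for ev in file_events
            if ev["action"] == "copy"
            and is_protected_path(ev["source_path"])
            and not is_protected_path(ev["target_path"])]


def find_llm_uploads(proxy_events):
    """Large request bodies sent to a public LLM API."""
    return [ev for ev in proxy_events
            if ev["method"] == "POST"
            and ev["dest_host"] in LLM_API_HOSTS
            and ev["bytes_out"] >= UPLOAD_BYTES_THRESHOLD]


def correlate(file_events, proxy_events):
    """One alert per LLM upload preceded (within the window) by an agent copy on the same host."""
    copies = find_agent_copies(file_events)
    alerts = []
    for up in find_llm_uploads(proxy_events):
        related = [c for c in copies
                   if c["host"] == up["host"]
                   and timedelta(0) <= up["ts"] - c["ts"] <= CORRELATION_WINDOW]
        if related:
            alerts.append({
                "host": up["host"],
                "upload_ts": up["ts"].isoformat(),
                "dest_host": up["dest_host"],
                "bytes_out": up["bytes_out"],
                "copied_artifacts": sorted(c["source_path"] for c in related),
            })
    return alerts


def run_on_samples():
    """Run the rule over the constructed telemetry above."""
    return correlate(load_jsonl(FILE_EVENTS_JSONL), load_jsonl(PROXY_EVENTS_JSONL))


if __name__ == "__main__":
    for alert in run_on_samples():
        print(json.dumps(alert, indent=2))
```

On the sample data only `ws-17` produces an alert: it copied both an agent DLL and a kernel driver to user-writable locations and then sent a 4.5 MB POST to an LLM API; `ws-03` made a large upload without any prior agent-binary access, and the in-place update by `SYSTEM` stays inside the protected tree. The byte threshold and the correlation window are the knobs to tune; the hostname list will need to be kept current as new LLM platforms appear.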
## Mitigation Strategies
- **Assumed Breach Architecture**: Shift from "Opaque Defense" to a model where security assumes the attacker knows the defensive logic.
- **Defense in Depth**: Implement layers that do not depend on opaque logic, such as host hardening, SIEM correlation, and identity-based detection.
- **Access Control**: Tighten controls around the distribution of security agent installers and internal documentation.
- **Hardening**: Prioritize infrastructure hardening over "black box" detection tools that can be easily mapped by an LLM.
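The artifact sources named under Core Capabilities include misconfigured S3 buckets, and the Access Control mitigation above is about keeping agent installers and drivers out of such places. As an added example written for this summary (not code from the original report), the following Python reviews an S3 bucket policy document for statements that grant anonymous read access, showing a weak policy beside a hardened one. The bucket name, account id and role names are constructed placeholders, and the check is a local review of the policy JSON rather than a call to any AWS API.

```python
import json

# Constructed bucket policy in the style of an AWS S3 bucket policy document.
# The "PublicRead" statement is the misconfiguration: anyone can fetch installers.
PUBLIC_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-edr-installers/*"},
    {"Sid": "PackagingWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/PackagingRole"},
     "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::example-edr-installers/*"}
  ]
}
""")

# Hardened variant (also constructed): reads are limited to a named deployment
# role, and the only wildcard-principal statement is a Deny for non-TLS access.
HARDENED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DeployRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/EndpointDeployRole"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-edr-installers/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-edr-installers",
                  "arn:aws:s3:::example-edr-installers/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}
""")

# Actions that let a caller read object contents, compared case-insensitively.
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True for the two spellings of 'everyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy):
    """Allow statements that give an anonymous principal a read action on objects.

    A statement with a Condition is reported as 'review' rather than 'public',
    since the condition may or may not narrow the audience meaningfully.
    """
    findings = []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        if not principal_is_anonymous(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        findings.append({
            "sid": st.get("Sid"),
            "resources": _as_list(st.get("Resource")),
            "severity": "review" if "Condition" in st else "public",
        })
    return findings


if __name__ == "__main__":
    for name, policy in (("PUBLIC_POLICY", PUBLIC_POLICY), ("HARDENED_POLICY", HARDENED_POLICY)):
        print(name, json.dumps(public_read_statements(policy), indent=2))
```

The weak policy yields one `public` finding for `PublicRead`; the hardened policy yields none, because its wildcard-principal statement is a Deny. The same review should be paired with the bucket's public-access-block settings and object ACLs, which this check does not read.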
## Related Tools/Techniques
- **Ghidra/IDA Pro**: LLM-backed plugins for these traditional reversing tools are already used to explain decompiled code.
- **Security Through Obscurity**: The fundamental concept being undermined by this technique.
- **Autonomous Bug Hunting**: A related field where LLMs find zero-days in software; this technique applies that same logic to the defensive tools themselves.