I'd make the argument that building out a custom detection for the specific IOCs you have in mind is reasonable to perform in Google SecOps. You have the benefit of running retrohunts, i.e. rules against historical data, as well, and you can create reference lists that contain your hashes and exes to get at this data.
I'd point you toward some of the community rules that we have posted here to get a feel for what that kind of rule might look like: https://github.com/chronicle/detection-rules/tree/main/community
If you want to learn more about reference lists, here is a basic string list: https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Google-SecOps-Reference-List/ta-p/738238. There are also CIDR and regex lists that can be used as well.
There are also a number of functions that could be used in addition to regex to potentially strip away values from a command line that you may consider performing prior to comparison to the list.
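A sketch of the kind of rule this reply describes, added here as an illustration rather than one of the community rules linked above: it normalises the command line with strings.to_lower before comparing it, then checks the process hash, executable path and command line against three reference lists. The list names (%edr_bypass_sha256, %edr_bypass_exe_paths, %edr_bypass_cmdline_patterns) and the one-hour match window are assumptions for the example.

```yaral
rule edr_bypass_ioc_reference_lists {
  meta:
    author = "added example, not a community rule"
    description = "Process launches whose hash, executable path or command line matches IOC reference lists"
    severity = "HIGH"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.hostname = $host

    // Normalise before comparison so case differences in the
    // command line do not defeat a regex-list match.
    $cmd = strings.to_lower($proc.target.process.command_line)

    (
      // Plain string list of SHA-256 hashes (assumed list name)
      $proc.target.process.file.sha256 in %edr_bypass_sha256 or
      // Plain string list of lower-cased executable paths (assumed list name)
      strings.to_lower($proc.target.process.file.full_path) in %edr_bypass_exe_paths or
      // Regex list of command-line patterns (assumed list name)
      $cmd in regex %edr_bypass_cmdline_patterns
    )

  match:
    $host over 1h

  outcome:
    $risk_score = max(80)
    $matched_hashes = array_distinct($proc.target.process.file.sha256)
    $matched_paths = array_distinct($proc.target.process.file.full_path)

  condition:
    $proc
}
```

Running the same rule as a retrohunt checks historical process events against the lists, which is the main reason to keep the IOCs in reference lists rather than hard-coded in the rule body.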
Excellent, thank you for confirming @jstoner
I have been using most of your videos to build out our detections - they have been an incredibly helpful resource so please continue to make them.
The best solution here is bypassing the need for EDR itself, e.g., use ChromeOS as a platform built with security as a primary focus from the ground up (like how Google itself works). However, I understand that switching operating systems might not always be feasible (or useful as an answer).
1. Is Chronicle effective for detecting EDR bypass with IOCs?
Yes, but with limitations. Chronicle SIEM excels at quickly scanning massive datasets for IOCs like hashes. Chronicle SIEM includes Open Source intel from Mandiant, or if you have the Enterprise+ license includes full Google Threat Intelligence feeds. You can also add in third-party IOC sources (MISP, Anomali, Recorded Future, etc.), or manually add IOCs as a custom log source. This can be valuable for detecting known EDR bypass tools. However, attackers constantly evolve their techniques, and relying solely on IOCs could lead to missing some badness.
2. Is a hunting platform better?
Chronicle SIEM can be used as a hunting platform via either Rules Engine, UDM Search, or behavioural activity via Risk Analytics. It allows you to proactively search for suspicious behaviors and patterns that might indicate EDR bypass even without specific IOCs. It would be a decision for you and your team if you prefer Chronicle or your Threat Hunting platform (if not Chronicle SIEM).
It is hard to give any quantitative answer, but if you do have any further, more specific answers please do feel free to follow up with those.
Thank you for weighing in here @cmmartin_google
Yeah, IOCs becoming outdated so quickly is one of the reasons why I asked the question in the first place. If I create a reference list for the ones we have, they will likely be obsolete within a year, maybe less.
I'd love to switch to a more protected OS but you're right in that it's likely not feasible in our organization.
Both jstoner and cmmartin have excellent advice, I'd add that depending on what licensing you have for your SecOps (formerly Chronicle) there are already various Curated Detections available that look for some common EDR tampering behavior - agent disable, log clearing, realtime monitoring disable, service disable, and similar. These are found in rule packs like "Security Posture Downgrade" and "Mandiant Frontline Threats" so understanding what you might be able to use there could be a part of your strategy, in addition to .exe and hash IOC analysis.
Awesome! I wasn't aware of the specific content packs that already have EDR bypass in mind - thanks for the additional context.