Chapter 1

Create playbooks

Detections

The memory queries in the Comae platform let a detection ask a specific question of one memory snapshot or of several at once.

The Comae platform ships with pre-built rules; this section uses them as examples to show how the feature can be leveraged.

Queries can be written in two different ways:

  • SQL-like
  • GraphQL

You can learn more and find more examples of playbooks and queries on our GitHub playbook repository.

Get Started

Examples

Field          Description
name           Name for the playbook. Displayed in the UI.
description    Short summary of what this playbook does.
author         Information related to the author. Useful for sharing.
references     Related links or references to learn more about a threat or technique addressed by the playbook.
date           Creation date.
modified       Last modified date.
tags           Generic tags. (Ignored)
query          This can be an array of queries. Usually used as a single one.
query.threat   Value can either be malicious or suspicious.
query.mitre    Corresponding MITRE ATT&CK tag. This is used by the UI for the threat mapping visualization.
query.sql      You can have either SQL or GQL queries. SQL has priority over GQL.
query.gql      You can have either SQL or GQL queries. SQL has priority over GQL.
name = "Process Injection (T1055)"

description = "Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges."
author = "Matt Suiche (@msuiche), Radovan Stevanovic"

references = [
  "https://attack.mitre.org/techniques/T1055/012/"
]
date = 2022-08-20
modified = 2022-08-23

tags = ["attack.privilege_escalation"]

[[query]]
threat = "malicious"
mitre = ["T1055.011"]
sql="""
select distinct p.processId as PID, p.parentProcessId as PPID,  p.imageFileName as processName, p.commandLine as commandLine, v.startingVpn as startingVpn
  from `Processes/vadObject` as v
  left join `Processes/processObject` as p
  on v.identity=p.identity
  where  v.isImage = true  and  v.protection = 'MM_EXECUTE_READWRITE'
"""

# gql="""
# vadObject(query: {
#    isImage: {is:true},
#    protection:{ is:EXECUTE_READWRITE}
#  }) {
#    processObject {
#      processId
#      commandLine
#      parentProcessId
#      processName
#    }
#    startingVpn
#  }
# """

Unusual Parent-Child Relationship

Inspired by the Elastic prebuilt rule reference, you can write your own query to identify Windows programs run from unexpected parent processes.

Unexpected parent processes often appear in scenarios involving privilege escalation (TA0004).

Query

SQL

select distinct p.processId , p.processName , p.parentProcessName , p.parentProcessId  from `Processes/processObject` as p 
  where (p.parentProcessName NOT IN ('System','smss.exe')  and p.processName = 'smss.exe') 
    or (p.parentProcessName NOT IN ('smss.exe','svchost.exe')  and p.processName = 'csrss.exe') 
    or (p.parentProcessName NOT IN ('smss.exe')  and p.processName = 'wininit.exe') 
    or (p.parentProcessName NOT IN ('smss.exe')  and p.processName = 'winlogon.exe') 
    or (p.parentProcessName NOT IN ('wininit.exe')  and p.processName = 'lsass.exe') 
    or (p.parentProcessName NOT IN ('winlogon.exe','wininit.exe')  and p.processName = 'LogonUI.exe') 
    or (p.parentProcessName NOT IN ('wininit.exe')  and p.processName = 'services.exe') 
    or (p.parentProcessName NOT IN ('services.exe','MsMpEng.exe')  and p.processName = 'svchost.exe') 
    or (p.parentProcessName NOT IN ('services.exe','MsMpEng.exe')  and p.processName = 'spoolsv.exe') 
    or (p.parentProcessName NOT IN ('services.exe','svchost.exe')  and p.processName = 'taskhost.exe') 
    or (p.parentProcessName NOT IN ('services.exe','svchost.exe')  and p.processName = 'taskhostw.exe') 
    or (p.parentProcessName NOT IN ('dwm.exe','winlogon.exe')  and p.processName = 'userinit.exe')
limit 50 offset 0

GraphQL

   processObject(query: [
    {
      processName: { is: "smss.exe" },
      parentProcessName: { notIn: ["System", "smss.exe"] }
    },
    {
      processName: { is: "csrss.exe" },
      parentProcessName: { notIn: ["smss.exe", "svchost.exe"] }
    },
    {
      processName: { is: "wininit.exe" },
      parentProcessName: { notIn: ["smss.exe"] }
    },
    {
      processName: { is: "winlogon.exe" },
      parentProcessName: { notIn: ["smss.exe"] }
    },
    {
      processName: { is: "lsass.exe" },
      parentProcessName: { notIn: ["wininit.exe"] }
    },
    {
      processName: { is: "LogonUI.exe" },
      parentProcessName: { notIn: ["winlogon.exe", "wininit.exe"] }
    },
    {
      processName: { is: "services.exe" },
      parentProcessName: { notIn: ["wininit.exe"] }
    },
    {
      processName: { is: "svchost.exe" },
      parentProcessName: { notIn: ["services.exe", "MsMpEng.exe"] }
    },
    {
      processName: { is: "spoolsv.exe" },
      parentProcessName: { notIn: ["services.exe", "MsMpEng.exe"] }
    },
    {
      processName: { is: "taskhost.exe" },
      parentProcessName: { notIn: ["services.exe", "svchost.exe"] }
    },
    {
      processName: { is: "taskhostw.exe" },
      parentProcessName: { notIn: ["services.exe", "svchost.exe"] }
    },
    {
      processName: { is: "userinit.exe" },
      parentProcessName: { notIn: ["dwm.exe", "winlogon.exe"] }
    },
  ]) {
    processId
    processName
    parentProcessName
    parentProcessId
  }
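The same parent/child rule expressed as a lookup table and evaluated over process records, added here as an example (it is not one of Comae's playbooks). The rows are constructed to mimic `Processes/processObject` entries and use the field names from the query above; keeping the expected parents in one table makes the rule easy to review and extend.

```python
# Expected parents, transcribed from the SQL/GraphQL query above.
EXPECTED_PARENTS = {
    "smss.exe": {"System", "smss.exe"},
    "csrss.exe": {"smss.exe", "svchost.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "lsass.exe": {"wininit.exe"},
    "LogonUI.exe": {"winlogon.exe", "wininit.exe"},
    "services.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe", "MsMpEng.exe"},
    "spoolsv.exe": {"services.exe", "MsMpEng.exe"},
    "taskhost.exe": {"services.exe", "svchost.exe"},
    "taskhostw.exe": {"services.exe", "svchost.exe"},
    "userinit.exe": {"dwm.exe", "winlogon.exe"},
}

# Constructed sample rows (not from a real snapshot); the last two break the rule.
PROCESSES = [
    {"processId": 4, "processName": "System", "parentProcessName": "", "parentProcessId": 0},
    {"processId": 368, "processName": "smss.exe", "parentProcessName": "System", "parentProcessId": 4},
    {"processId": 640, "processName": "services.exe", "parentProcessName": "wininit.exe", "parentProcessId": 560},
    {"processId": 812, "processName": "svchost.exe", "parentProcessName": "services.exe", "parentProcessId": 640},
    {"processId": 3120, "processName": "svchost.exe", "parentProcessName": "winword.exe", "parentProcessId": 3004},
    {"processId": 3290, "processName": "lsass.exe", "parentProcessName": "cmd.exe", "parentProcessId": 3200},
]


def unusual_parents(processes):
    """Return (PID, name, parent name, PPID) for processes whose parent is not expected.

    Processes not listed in EXPECTED_PARENTS are ignored, exactly as the query
    only matches the named system binaries. Matching is case-sensitive here;
    lower-case both sides first if the snapshot's names are not normalised.
    """
    hits = []
    for p in processes:
        allowed = EXPECTED_PARENTS.get(p["processName"])
        if allowed is not None and p["parentProcessName"] not in allowed:
            hits.append((p["processId"], p["processName"],
                         p["parentProcessName"], p["parentProcessId"]))
    return hits
```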

MITRE ATT&CK Mapping

Process Injection

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

Process injection often appears in scenarios involving privilege escalation (TA0004).

Query

SQL

select distinct p.processId as PID, p.parentProcessId as PPID,  p.imageFileName as processName, p.commandLine as commandLine, v.startingVpn as startingVpn
  from `Processes/vadObject` as v
  left join `Processes/processObject` as p
  on v.identity=p.identity
  where  v.isImage = true  and  v.protection = 'MM_EXECUTE_READWRITE'

GraphQL

 vadObject(query: {
    isImage: {is:true},
    protection:{ is:EXECUTE_READWRITE}
  }) {
    processObject {
      processId
      commandLine
      parentProcessId
      processName
    }
    startingVpn
  }

MITRE ATT&CK Mapping

Scheduled Task/Job

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.

Scheduled tasks often appear in scenarios involving persistence (TA0003).

Query

SQL

select distinct t.path, t.user, t.command, t.description, t.author, t.hash , t.parameters 
 from `Machine.scheduledTasksInfo` as t
 where (t.command like '%AppData\Roaming%')

GraphQL

  scheduledTasks(query: { command: { includes: "AppData\\Roaming" }}) {
    path
    user
    command
    description
    author
    hash
    parameters
  }

MITRE ATT&CK Mapping