
Chapter 1

Comae Platform

Getting Started

Step 1 - Register

To analyze dumps, an account must first be registered on the Comae platform. Each user must be registered under the same email as their Magnet Idea Lab email account.

Account creation

Comae Support sends an email requesting confirmation of the registered email address. If no email arrives within a reasonable amount of time, check the spam folder or add support@comae.com to your contacts or address book. Direct questions to support@magnetforensics.com for a prompt response.

Step 2 - Download DumpIt

Each user must download and install the Comae-Toolkit. Click on Download Comae Toolkit on the Dashboard.

Comae-Toolkit

Once clicked, a compressed (zip) file downloads to your machine.

  • After the download is complete, navigate to the folder where it resides (typically the Downloads folder) and extract the contents of the compressed file to the default location or one of your choosing.

A folder named Comae-Toolkit- is created containing a license file, a readme file and two folders of executables for x86, x64 and ARM64-based operating systems.

On Windows machines, the System Type is shown under Control Panel/System. Most modern Windows machines can run either type, however.

DumpIt is part of the Comae Toolkit, which includes multiple memory-related utilities.

Step 3 - Run DumpIt

Run the Comae DumpIt utility with the /Q (quiet) option to automatically answer confirmation prompts, such as Proceed with the acquisition? [y/n], when running memory acquisition from a script.

New-ComaeDumpFile

Windows Scheduled Tasks can be set up to run DumpIt on a time-based schedule and generate a historical record of machine activity. Doing so enables retro-hunting investigations.

Step 4 - Upload your image

The Comae platform manages the uploaded snapshots and the information contained within the files generated by DumpIt.

Users can upload the following to the Comae platform:

  • Microsoft crash dump files (Full memory dumps generated by DumpIt or process dumps generated by administrative utilities such as Sysinternals Process Explorer or Microsoft Windows Task Manager.)
  • Dump files can be uncompressed (*.dmp) or compressed (only .zip archives are supported)

Upload

Step 5 - Results

When your snapshot is finished uploading you will see it automatically processed in the “Latest Snapshots” section at the bottom.


Click on the snapshot in the bottom pane. This will take you to the results view where you can review Processes, Drivers, Syscalls, Objects, Registry and Callbacks within the memory snapshot.


Hunting with MemQueries

Having data is great, but the main question for any analyst or security researcher is often: how can I browse and query this data efficiently? As we move forward with a smooth user experience that gives a bird’s-eye view of a system, we wanted to focus on repeatable operations that let us selectively and swiftly categorize images while investigating a case.

This is how we started working on SQL-like queries and actionable playbooks that let us assign MITRE ATT&CK tags to queries. Mapping results to MITRE ATT&CK aims to give analysts more visibility and clarity.

Playbooks

OS Credential Dumping (T1003.002)

Here is an example playbook for OS Credential Dumping (T1003.002).

name = "OS Credential Dumping with mimikatz" 

[[query]] 
threat = "malicious" 
mitre = ["T1003.002"] 

sql_query="select processId, commandLine, imageFileName from `Processes/processObject` where imageFileName = 'mimikatz.exe'" 

Obfuscated Files or Information (T1027.002)

Here is another one, for Obfuscated Files or Information (T1027.002), that identifies uncommon section names:

name = "Uncommon section names" 

[[query]] 
threat = "suspicious" 
mitre = ["T1027.002"] 

sql_query="""select distinct p.processId, p.imageFileName, p.commandLine, s.name
  from `Processes/processObject` p
  left join `Processes/processObject.imageFileObject.sections` s
  on p.identity=s.identity
  where s.name not in
  ('.text', '.data', '.rdata', (...), 'RT_DATA', 'RT_CONST')
"""

Process Injection (T1055.001)

And another one, for Process Injection (T1055.001), that looks at allocated pages in processes.

name = "Executable memory pages"

[[query]]
threat = "malicious"
mitre = ["T1055.001"]
sql_query="""
select distinct p.commandLine as commandLine
  from `Processes/vadObject` as v
  left join `Processes/processObject` as p
  on v.identity=p.identity
  where v.isImage = true and v.protection = 'MM_EXECUTE_READWRITE'
"""

Indicator of Compromise

Hashes

Another way to leverage IOCs for threat hunting is to use the hashes of the executable sections of binaries in memory. Just as file hashes are matched on disk, queries can search for memory-based IOCs.

select distinct p.processId, p.imageFileName, p.commandLine, s.name from `Processes/processObject` p left join `Processes/processObject.imageFileObject.sections` s on p.identity=s.identity where s.rawMd5Hash='a371492f16c0940507435909603efe88'
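To make concrete what a section hash such as rawMd5Hash is computed over, and what the query above is doing, here is an added example in Python. It is not Comae's code: it walks a PE section table, hashes each section's raw bytes, and then performs the same "which image has a section with this hash" lookup over a set of images. The assumption that the hash covers the raw section bytes addressed by PointerToRawData/SizeOfRawData is mine; the sample PE image is constructed inline (only the header fields the parser reads are populated), so the script runs offline.

```python
"""Added example (not Comae's code): what a section hash such as rawMd5Hash is
computed over, and how an IOC hash lookup across loaded images works.

Assumption: the hash covers the raw bytes of a section as addressed by the PE
section table (PointerToRawData / SizeOfRawData). The sample PE image is
constructed inline so the script runs offline; only the header fields read by
the parser are populated.
"""
import hashlib
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section Characteristics flag (PE/COFF spec)
FILE_ALIGNMENT = 0x200


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_sections(pe: bytes) -> list:
    """Walk the PE section table and hash each section's raw bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    num_sections, size_opt = struct.unpack_from("<2xH12xH2x", pe, coff)
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER (40 bytes); relocation/line-number fields are skipped
        name, _vsize, vaddr, raw_size, raw_ptr, chars = struct.unpack_from(
            "<8sIIII12xI", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtualAddress": vaddr,
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            # header points past the end of the data we hold: the hash covers a partial section
            "truncated": len(raw) < raw_size,
            "rawMd5Hash": md5_hex(raw),
        })
    return sections


def match_hash(images: dict, wanted: str) -> list:
    """Equivalent of the rawMd5Hash query: (imageFileName, section name) pairs
    whose section hash equals the IOC hash."""
    wanted = wanted.lower()
    hits = []
    for image_name, pe in images.items():
        for s in parse_sections(pe):
            if s["rawMd5Hash"] == wanted:
                hits.append((image_name, s["name"]))
    return hits


def build_sample_pe(sections: list) -> bytes:
    """Construct a minimal PE (constructed test data) from (name, data,
    characteristics) tuples; no optional header, 0x200 file alignment."""
    num = len(sections)
    e_lfanew = 0x40
    headers_end = e_lfanew + 4 + 20 + 40 * num
    data_start = -(-headers_end // FILE_ALIGNMENT) * FILE_ALIGNMENT
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, num, 0, 0, 0, 0, 0x22)
    table, blobs, ptr, rva = b"", b"", data_start, 0x1000
    for name, data, chars in sections:
        raw_size = -(-len(data) // FILE_ALIGNMENT) * FILE_ALIGNMENT
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), rva, raw_size, ptr, 0, 0, 0, 0, chars)
        blobs += data.ljust(raw_size, b"\0")  # raw data is padded to SizeOfRawData
        ptr += raw_size
        rva += 0x1000
    return (dos + b"PE\0\0" + coff + table).ljust(data_start, b"\0") + blobs


if __name__ == "__main__":
    sample = build_sample_pe([(".text", b"\x90\x90\xc3", 0x60000020),
                              (".data", b"hello", 0xC0000040)])
    ioc = parse_sections(sample)[0]["rawMd5Hash"]  # hash of the executable section
    print(match_hash({"a.exe": sample, "b.exe": sample[:600]}, ioc))
```

Note that the hash is over the section as stored, including its alignment padding, so a section that was only partially captured (the `truncated` flag) will not match the IOC even though its first bytes are identical; that is the same reason an on-disk file hash differs from the hash of a truncated copy.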


Sigma

Leverage existing signatures such as Sigma to write memory queries!

Let’s take a look at Sigma signatures that use the CommandLine keyword, such as proc_creation_win_powershell_susp_parameter_variation.yml, which aims to detect suspicious PowerShell invocations by a parameter substring such as exec bypass. This corresponds to Command and Scripting Interpreter: PowerShell (T1059.001) in the MITRE ATT&CK techniques.

Here is an example query that detects the above behavior by searching for the keyword within the commandLine field of processObject nodes.

select imageFileName, processId, commandLine from `Processes/processObject` where commandLine like '%exec bypass%'
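The playbooks above and this Sigma example describe the same workflow: a detection idea, a MITRE tag, a threat level and a commandLine query, written by hand into a TOML playbook. The added example below, which is neither Comae's nor the Sigma project's code, automates that step for the CommandLine selection of a Sigma process-creation rule and produces a playbook in the same layout as the ones above. The rule is a constructed dict in the shape of a Sigma rule (real rules are YAML; a YAML loader is left out so it runs with the standard library, and the substrings in it are illustrative, not copied from the real rule). Everything else is an assumption not documented on this page: that the query targets `Processes/processObject` with LIKE as in the page's example, that the SQL dialect accepts a standard ESCAPE clause, that the playbook threat field can be derived from the Sigma level, and that MITRE ids come from Sigma's attack.tNNNN[.NNN] tags.

```python
"""Added example (not Comae's or the Sigma project's code): generate a
MemQueries playbook from the CommandLine selection of a Sigma rule.

Assumptions (see the lead-in): target table, LIKE with an ESCAPE clause,
threat derived from Sigma level, MITRE ids from Sigma attack.* tags.
"""
import re

MITRE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")          # playbook tag format
SIGMA_ATTACK_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$")
LIKE_ESCAPE = "\\"                                       # SQL: ... escape '\'

# Constructed sample in the shape of a Sigma process-creation rule; the
# metadata and substrings are illustrative, not copied from any real rule.
SIGMA_RULE = {
    "title": "Suspicious PowerShell Parameter Substring",
    "level": "high",
    "tags": ["attack.execution", "attack.t1059.001"],
    "detection": {
        "selection": {"CommandLine|contains": ["exec bypass", "-ep bypass", "-w hidden"]},
        "condition": "selection",
    },
}


def is_valid_mitre_id(tag: str) -> bool:
    """Reject malformed tags such as 'T1055.011 ' (trailing space) before they ship."""
    return bool(MITRE_ID.match(tag))


def mitre_ids(tags) -> list:
    """Sigma 'attack.t1059.001' -> playbook 'T1059.001'; tactic tags are dropped."""
    ids = []
    for tag in tags:
        m = SIGMA_ATTACK_TAG.match(tag.strip().lower())
        if m:
            ids.append(m.group(1).upper())
    return ids


def threat_level(level: str) -> str:
    """Assumed mapping of the Sigma level onto the playbook 'threat' field."""
    return "malicious" if level in ("high", "critical") else "suspicious"


def escape_like(value: str) -> str:
    """Make a substring safe inside a LIKE pattern: neutralise the % and _
    wildcards with the ESCAPE character and double single quotes for the literal."""
    out = value.replace(LIKE_ESCAPE, LIKE_ESCAPE * 2)
    out = out.replace("%", LIKE_ESCAPE + "%").replace("_", LIKE_ESCAPE + "_")
    return out.replace("'", "''")


def like_clause(column: str, value: str) -> str:
    return column + " like '%" + escape_like(value) + "%' escape '" + LIKE_ESCAPE + "'"


def build_query(rule: dict) -> str:
    """Translate 'CommandLine|contains' (any of) and 'CommandLine|contains|all'
    (all of) selections. Anything else is refused rather than silently producing
    a weaker query than the rule intended."""
    det = rule["detection"]
    if det.get("condition") != "selection":
        raise NotImplementedError("only 'condition: selection' is supported")
    clauses = []
    for field, values in det["selection"].items():
        name, _, modifier = field.partition("|")
        if name != "CommandLine" or modifier not in ("contains", "contains|all"):
            raise NotImplementedError("unsupported selection field: " + field)
        values = [values] if isinstance(values, str) else list(values)
        joiner = " and " if modifier == "contains|all" else " or "
        clauses.append("(" + joiner.join(like_clause("commandLine", v) for v in values) + ")")
    return ("select imageFileName, processId, commandLine from `Processes/processObject` where "
            + " and ".join(clauses))


def toml_basic(s: str) -> str:
    """Escape for a TOML basic string: the SQL's own backslashes must survive the TOML layer."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def to_toml(rule: dict, mitre=None) -> str:
    """Emit a playbook in the same layout as the ones on this page. 'mitre' may be
    given by hand, as in those playbooks, and is validated before use."""
    ids = mitre_ids(rule.get("tags", [])) if mitre is None else list(mitre)
    for i in ids:
        if not is_valid_mitre_id(i):
            raise ValueError("malformed MITRE id: %r" % i)
    mitre_list = ", ".join('"%s"' % i for i in ids)
    return ('name = "%s"\n\n[[query]]\nthreat = "%s"\nmitre = [%s]\nsql_query="""\n%s\n"""\n'
            % (toml_basic(rule["title"]), threat_level(rule.get("level", "low")),
               mitre_list, toml_basic(build_query(rule))))


if __name__ == "__main__":
    print(to_toml(SIGMA_RULE))
```

Two layers of escaping are involved: the substring is first escaped for the SQL LIKE pattern, then the whole query is escaped again for the TOML basic string, so a backslash in the SQL appears doubled in the playbook file. The tag check is the kind of lint that catches a stray space in a hand-written `mitre = [...]` entry before the playbook is deployed.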
