Step 1 - Register
To analyze dumps, an account must first be registered on the Comae platform. Each user must be registered under the same email as their Magnet Idea Lab email account.
Comae Support sends an email requesting confirmation of the registered email address. If an email is not received in a reasonable amount of time, check the spam folder or simply add firstname.lastname@example.org to your contacts or address book. Direct questions to email@example.com and receive a prompt response.
Step 2 - Download DumpIt
Each user must download and install the Comae-Toolkit. Click on Download Comae Toolkit on the Dashboard.
Once clicked, a compressed (zip) file downloads to your machine.
After the download is complete, navigate to the folder where it resides (typically the Downloads folder) and extract the contents of the compressed file to the default location or one of your choosing.
A folder named Comae-Toolkit- is created with a license file, a readme file and two folders containing executables for x86, x64 and ARM64-based operating systems.
On Windows machines, the System Type information is located in Control Panel/System. Most modern Windows machines can run either type, however.
DumpIt is part of the Comae Toolkit which includes multiple memory related utilities.
Step 3 - Run DumpIt
Running the Comae DumpIt utility with the /Q (for quiet) option automatically answers confirmation prompts, such as Proceed with the acquisition? [y/n], so that memory acquisition can run unattended from a script.
Windows Scheduled Tasks can be set up to run the DumpIt program on a time-based schedule and build a historical record of machine activity. Doing so enables retro-hunting investigations.
Step 4 - Upload your image
The Comae platform manages the uploaded snapshots and the information contained within the files generated by DumpIt.
Users can upload the following to the Comae platform:
- Microsoft crash dump files (full memory dumps generated by DumpIt, or process dumps generated by administrative utilities such as Sysinternals Process Explorer or Microsoft Windows Task Manager).
- Dump files can be uncompressed (*.dmp) or compressed (only .zip archives are supported).
Step 5 - Results
When your snapshot has finished uploading, it is automatically processed and appears in the “Latest Snapshots” section at the bottom.
Click on the snapshot in the bottom pane. This will take you to the results view where you can review Processes, Drivers, Syscalls, Objects, Registry and Callbacks within the memory snapshot.
Hunting with MemQueries
Having data is great, but the main question for any analyst or security researcher is often: how can I browse and query this data efficiently? While building a smooth user experience that gives a bird’s-eye view of a system, we wanted to focus on repeatable operations that let an analyst selectively and swiftly categorize images while investigating a case.
This is how we started working on SQL-like queries and actionable playbooks that let us assign MITRE ATT&CK tags to queries. Mapping results to MITRE techniques gives analysts more visibility and clarity.
OS Credential Dumping (T1003.002)
Here is an example of a playbook for OS Credential Dumping (T1003.002):
name = "OS Credential Dumping with mimikatz"
[[query]]
threat = "malicious"
mitre = ["T1003.002"]
sql_query = "select processId, commandLine, imageFileName from `Processes/processObject` where imageFileName = 'mimikatz.exe'"
Obfuscated Files or Information (T1027.002)
Here is another one for Obfuscated Files or Information (T1027.002) that identifies uncommon section names:
name = "Uncommon section names"
[[query]]
threat = "suspicious"
mitre = ["T1027.002"]
sql_query = """
select distinct p.processId, p.imageFileName, p.commandLine, s.name
from `Processes/processObject` p
left join `Processes/processObject.imageFileObject.sections` s on p.identity = s.identity
where s.name not in ('.text', '.data', '.rdata', (...), 'RT_DATA', 'RT_CONST')
"""
Process Injection (T1055.001)
And another one for Process Injection (T1055.001), which looks at the protection of pages allocated in processes:
name = "Executable memory pages"
[[query]]
threat = "malicious"
mitre = ["T1055.011"]
sql_query = """
select distinct p.commandLine as commandLine
from `Processes/vadObject` as v
left join `Processes/processObject` as p on v.identity = p.identity
where v.isImage = true and v.protection = 'MM_EXECUTE_READWRITE'
"""
Indicator of Compromise
IOCs can also be leveraged for threat hunting by using the hashes of the executable sections of binaries in memory: just as hashes of files on disk are matched, queries can search for section hashes as memory-based IOCs.
select distinct p.processId, p.imageFileName, p.commandLine, s.name
from `Processes/processObject` p
left join `Processes/processObject.imageFileObject.sections` s on p.identity = s.identity
where s.rawMd5Hash = 'a371492f16c0940507435909603efe88'
Leverage existing signatures such as Sigma to write memory queries!
Let’s take a look at Sigma signatures that use the CommandLine keyword, such as proc_creation_win_powershell_susp_parameter_variation.yml, which aims at detecting suspicious PowerShell invocations by a parameter substring such as exec bypass. This corresponds to Command and Scripting Interpreter: PowerShell (T1059.001) in the MITRE ATT&CK techniques.
Here is an example of a query that detects the above behavior by searching for keywords within the commandLine variable of `Processes/processObject`:
select imageFileName, processId, commandLine
from `Processes/processObject`
where commandLine like '%exec bypass%'
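As an added example that is not Comae's or Sigma's own code, the script below turns the CommandLine and Image selection of a Sigma process-creation rule into a playbook entry in the name / [[query]] layout used above, so a rule like the one named here becomes a MemQuery. The rule dict is a constructed stand-in for that YAML, the two column names are the ones shown on this page, and it is an assumption that Comae's SQL dialect treats LIKE wildcards and backslashes as written here.

```python
import json
import re

# Constructed stand-in for the parsed YAML of proc_creation_win_powershell_susp_parameter_variation.yml.
SIGMA_RULE = {
    "title": "Suspicious PowerShell Parameter Substring",
    "level": "medium",
    "tags": ["attack.execution", "attack.t1059.001"],
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": [" -exec bypass", " -ep bypass", " -w hidden"],
        },
        "condition": "selection",
    },
}

# Sigma process-creation fields -> columns of `Processes/processObject` used above.
FIELD_MAP = {"CommandLine": "commandLine", "Image": "imageFileName"}
# Sigma string modifier -> LIKE pattern built around the value.
PATTERNS = {"contains": "%{}%", "startswith": "{}%", "endswith": "%{}"}
TECHNIQUE_TAG = re.compile(r"attack\.(t\d{4}(?:\.\d{3})?)")

def sql_literal(value: str) -> str:
    """Quote a string for the query; embedded single quotes are doubled."""
    return "'" + value.replace("'", "''") + "'"

def selection_to_where(selection: dict) -> str:
    """Sigma semantics: fields of one selection are ANDed, listed values are ORed."""
    clauses = []
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        column = FIELD_MAP[field]  # unmapped fields raise KeyError on purpose
        pattern = PATTERNS[modifier or "contains"]
        values = values if isinstance(values, list) else [values]
        ors = [f"{column} like {sql_literal(pattern.format(v))}" for v in values]
        clauses.append("(" + " or ".join(ors) + ")")
    return " and ".join(clauses)

def sigma_to_playbook(rule: dict) -> str:
    """Emit a playbook entry in the name / [[query]] layout shown above."""
    if rule["detection"]["condition"] != "selection":
        raise ValueError("only rules whose condition is a single selection are handled")
    mitre = [m.group(1).upper() for t in rule["tags"] if (m := TECHNIQUE_TAG.fullmatch(t))]
    threat = "malicious" if rule["level"] in ("high", "critical") else "suspicious"
    where = selection_to_where(rule["detection"]["selection"])
    sql = f"select imageFileName, processId, commandLine from `Processes/processObject` where {where}"
    sql = sql.replace("\\", "\\\\")  # sql_query is a TOML basic string: escape backslashes
    return (f"name = {json.dumps(rule['title'])}\n[[query]]\nthreat = \"{threat}\"\n"
            f"mitre = {json.dumps(mitre)}\nsql_query = \"\"\"{sql}\"\"\"\n")
```

Rules that combine several selections or use other modifiers are rejected or unmapped rather than silently mistranslated, which is the failure mode to watch for when bulk-converting a Sigma repository.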