Hunting with MemQueries
Having data is great, but the main question for any analyst or security researcher is often: how can I browse and query this data efficiently? As we move towards a smooth user experience that gives a bird's-eye view of a system, we wanted to focus on repeatable operations that let us selectively and swiftly categorize images while investigating a case.
This is how we started working on SQL-like queries and actionable playbooks that allow us to assign MITRE ATT&CK tags to queries. Mapping events to MITRE aims to give analysts more visibility and clarity on results.
OS Credential Dumping (T1003.002)
Here is an example playbook for OS Credential Dumping (T1003.002).
name = "OS Credential Dumping with mimikatz"
[[query]]
threat = "malicious"
mitre = ["T1003.002"]
sql_query = "select processId, commandLine, imageFileName from `Processes/processObject` where imageFileName = 'mimikatz.exe'"
Obfuscated Files or Information (T1027.002)
Here is another one for Obfuscated Files or Information (T1027.002) that identifies uncommon section names:
name = "Uncommon section names"
[[query]]
threat = "suspicious"
mitre = ["T1027.002"]
sql_query = """
select distinct p.processId, p.imageFileName, p.commandLine, s.name
from `Processes/processObject` p
left join `Processes/processObject.imageFileObject.sections` s on p.identity=s.identity
where s.name not in ('.text', '.data', '.rdata', (...), 'RT_DATA', 'RT_CONST')
"""
Process Injection (T1055.001)
And another one for Process Injection (T1055.001), looking at the memory pages allocated in processes.
name = "Executable memory pages"
[[query]]
threat = "malicious"
mitre = ["T1055.011"]
sql_query = """
select distinct p.commandLine as commandLine
from `Processes/vadObject` as v
left join `Processes/processObject` as p on v.identity=p.identity
where v.isImage = true and v.protection = 'MM_EXECUTE_READWRITE'
"""
Indicator of Compromise
Another way IOCs can be leveraged for threat hunting is to use the hashes of the executable sections of binaries in memory: just as with hashes of files on disk, we can use queries to search for memory-based IOCs.
select distinct p.processId, p.imageFileName, p.commandLine, s.name
from `Processes/processObject` p
left join `Processes/processObject.imageFileObject.sections` s on p.identity=s.identity
where s.rawMd5Hash='a371492f16c0940507435909603efe88'
Leverage existing signatures such as Sigma to write memory queries!
Let's take a look at Sigma signatures using the CommandLine keyword, such as proc_creation_win_powershell_susp_parameter_variation.yml, which aims at detecting suspicious PowerShell invocations with a parameter substring such as exec bypass; this corresponds to Command and Scripting Interpreter: PowerShell (T1059.001) in the MITRE ATT&CK techniques.
Here is an example query to detect the above behavior by searching for the keyword within the commandLine variable of `Processes/processObject`:
select imageFileName, processId, commandLine
from `Processes/processObject`
where commandLine like '%exec bypass%'
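The playbooks above, run end to end as an added example (not the project's own code): a constructed sample of the process and section tables is loaded into an in-memory SQLite database, which accepts the backtick-quoted table names the queries use, and each hit is tagged with the playbook's threat level and ATT&CK ids. The playbook entries are written as already-parsed TOML (the structure tomllib would return); the name and threat of the exec-bypass entry are assumed, and the section-name exclusion list is shortened from the page's elided one.

```python
import sqlite3

# Constructed sample rows (not real memory data): (identity, processId, imageFileName, commandLine)
PROCESSES = [
    (1, 4321, "mimikatz.exe", "C:\\Tools\\mimikatz.exe"),
    (2, 5120, "powershell.exe", "powershell.exe -exec bypass -nop -c Get-Process"),
    (3, 1200, "explorer.exe", "C:\\Windows\\explorer.exe"),
    (4, 2222, "svchost.exe", "C:\\Windows\\System32\\svchost.exe -k netsvcs"),
]
# Constructed section rows: (identity, name, rawMd5Hash); hashes are placeholders, not IOCs
SECTIONS = [
    (1, ".text", "<placeholder-md5>"), (2, ".text", "<placeholder-md5>"),
    (3, ".text", "<placeholder-md5>"), (4, ".packed0", "<placeholder-md5>"),
]

# The page's playbooks as parsed TOML; the third entry's name/threat are assumed.
PLAYBOOK = [
    {"name": "OS Credential Dumping with mimikatz", "threat": "malicious", "mitre": ["T1003.002"],
     "sql_query": "select processId, commandLine, imageFileName from `Processes/processObject` "
                  "where imageFileName = 'mimikatz.exe'"},
    {"name": "Uncommon section names", "threat": "suspicious", "mitre": ["T1027.002"],
     "sql_query": "select distinct p.processId, p.imageFileName, p.commandLine, s.name "
                  "from `Processes/processObject` p "
                  "left join `Processes/processObject.imageFileObject.sections` s on p.identity=s.identity "
                  "where s.name not in ('.text', '.data', '.rdata', 'RT_DATA', 'RT_CONST')"},
    {"name": "Suspicious PowerShell parameter (exec bypass)", "threat": "suspicious", "mitre": ["T1059.001"],
     "sql_query": "select imageFileName, processId, commandLine from `Processes/processObject` "
                  "where commandLine like '%exec bypass%'"},
]

def build_db():
    """Create the two object tables the queries reference and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table `Processes/processObject` (identity, processId, imageFileName, commandLine)")
    conn.execute("create table `Processes/processObject.imageFileObject.sections` (identity, name, rawMd5Hash)")
    conn.executemany("insert into `Processes/processObject` values (?,?,?,?)", PROCESSES)
    conn.executemany("insert into `Processes/processObject.imageFileObject.sections` values (?,?,?)", SECTIONS)
    return conn

def run_playbook(conn, playbook):
    """Run every playbook query; each matching row is returned with its threat and ATT&CK tags."""
    hits = []
    for entry in playbook:
        cur = conn.execute(entry["sql_query"])
        cols = [d[0] for d in cur.description]
        for row in cur.fetchall():
            hits.append({"name": entry["name"], "threat": entry["threat"],
                         "mitre": list(entry["mitre"]), "row": dict(zip(cols, row))})
    return hits

def techniques_by_pid(hits):
    """Group the ATT&CK ids per processId so an analyst sees every technique a process triggered."""
    by_pid = {}
    for h in hits:
        by_pid.setdefault(h["row"]["processId"], set()).update(h["mitre"])
    return by_pid
```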