Hunting with MemQueries

Having data is great, but the main question for any analyst or security researcher is often: how can I browse and query this data efficiently? As we move toward a smooth user experience that gives a bird's-eye view of a system, we wanted to focus on repeatable operations that let an analyst selectively and swiftly categorize memory images while investigating a case.

This is how we started working on SQL-like queries and actionable playbooks that let us assign MITRE ATT&CK tags to queries. Mapping events to MITRE techniques gives analysts more visibility and clarity on their results.


OS Credential Dumping (T1003.002)

Here is an example playbook for OS Credential Dumping (T1003.002).

name = "OS Credential Dumping with mimikatz" 

threat = "malicious" 
mitre = ["T1003.002"] 

sql_query="select processId, commandLine, imageFileName from `Processes/processObject` where imageFileName = 'mimikatz.exe'" 

Obfuscated Files or Information (T1027.002)

Here is another one for Obfuscated Files or Information (T1027.002), which flags processes whose PE image carries uncommon section names:

name = "Uncommon section names"

threat = "suspicious"
mitre = ["T1027.002"]

sql_query="""select distinct p.processId, p.imageFileName, p.commandLine
  from `Processes/processObject` p
  left join `Processes/processObject.imageFileObject.sections` s
  on p.identity=s.identity
  where s.<section name column> not in
  ('.text', '.data', '.rdata', (...), 'RT_DATA', 'RT_CONST')"""

Process Injection (T1055.001)

And another one for Process Injection (T1055.001), which looks for executable, writable pages allocated in processes.

name = "Executable memory pages"

threat = "malicious"
mitre = ["T1055.001"]

sql_query="""select distinct p.commandLine as commandLine
  from `Processes/vadObject` as v
  left join `Processes/processObject` as p
  on v.identity=p.identity
  where v.isImage = true and v.<protection column> = 'MM_EXECUTE_READWRITE'"""

Indicators of Compromise

Another way IOCs can be leveraged for threat hunting is to use the hashes of executable sections of binaries in memory: just as with hashes of files on disk, we can write queries that search for memory-based IOCs.

select distinct p.processId, p.imageFileName, p.commandLine
  from `Processes/processObject` p
  left join `Processes/processObject.imageFileObject.sections` s
  on p.identity=s.identity
  where s.rawMd5Hash='a371492f16c0940507435909603efe88'

Leverage existing signatures such as Sigma to write memory queries!

Let's take a look at Sigma signatures that match on the CommandLine field, such as proc_creation_win_powershell_susp_parameter_variation.yml, which detects suspicious PowerShell invocations whose parameters contain a substring such as "exec bypass". This corresponds to Command and Scripting Interpreter: PowerShell (T1059.001) in MITRE ATT&CK.

Here is an example query that detects the above behavior by matching keywords in the commandLine field of processObject nodes.

select imageFileName, processId, commandLine from `Processes/processObject` where commandLine like '%exec bypass%'
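To show how the playbook fields above (name, threat, mitre, sql_query) and the Sigma-derived commandLine query fit together, here is an added example that is not part of the original post or the project: it loads constructed processObject rows into SQLite, runs each playbook's query against them, and tags every hit with its threat level and ATT&CK ids. The table layout and sample processes are assumptions; SQLite accepts the page's backtick-quoted `Processes/processObject` name unchanged.

```python
import sqlite3

# Constructed playbooks mirroring the page's fields; not the project's own files.
PLAYBOOKS = [
    {
        "name": "OS Credential Dumping with mimikatz",
        "threat": "malicious",
        "mitre": ["T1003.002"],
        "sql_query": "select processId, commandLine, imageFileName "
                     "from `Processes/processObject` where imageFileName = 'mimikatz.exe'",
    },
    {
        # Sigma's CommandLine|contains match is case-insensitive, so lower() the column.
        "name": "Suspicious PowerShell parameter variation (Sigma CommandLine rule)",
        "threat": "suspicious",
        "mitre": ["T1059.001"],
        "sql_query": "select processId, commandLine, imageFileName "
                     "from `Processes/processObject` where lower(commandLine) like '%exec bypass%'",
    },
]

# Constructed processObject nodes standing in for data parsed from a memory image.
PROCESSES = [
    (4, "System", ""),
    (1337, "mimikatz.exe", "mimikatz.exe privilege::debug sekurlsa::logonpasswords"),
    (2201, "powershell.exe", "powershell.exe -NoP -Exec Bypass -enc <constructed>"),
    (3100, "explorer.exe", "C:\\Windows\\explorer.exe"),
]


def build_db(rows):
    """Load (processId, imageFileName, commandLine) rows into an in-memory SQLite table."""
    con = sqlite3.connect(":memory:")
    con.execute("create table `Processes/processObject` "
                "(processId integer, imageFileName text, commandLine text)")
    con.executemany("insert into `Processes/processObject` values (?, ?, ?)", rows)
    return con


def run_playbooks(con, playbooks):
    """Run every playbook query and tag each hit with its threat level and ATT&CK ids."""
    hits = []
    for pb in playbooks:
        for pid, cmd, image in con.execute(pb["sql_query"]):
            hits.append({"pid": pid, "image": image, "commandLine": cmd,
                         "playbook": pb["name"], "threat": pb["threat"], "mitre": pb["mitre"]})
    return sorted(hits, key=lambda h: h["pid"])


if __name__ == "__main__":
    for h in run_playbooks(build_db(PROCESSES), PLAYBOOKS):
        print(h["pid"], h["image"], h["threat"], h["mitre"], "<-", h["playbook"])
```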