This repository was archived by the owner on Oct 10, 2019. It is now read-only.

CbR Advanced Query Hunter #235

@seanmcfeely

Description

In some cases, it's desirable to perform some additional CbR process inspection on process or process tree events before firing a detection. It's also desirable to chain together queries and process inspections like a "playbook" and then only fire a detection if all conditions are met.

Example:
Base query/playbook starting point:

process_name:iexplore.exe cmdline:.mht* childproc_name:iexplore.exe

All results from that query would be sent to ACE for analysis (analysis mode) and this CbR Advanced Query Hunter would pick up that analysis.
For this example, the child process of each process result would be inspected to see if an XML file was written. If so, then that would be the detection for this specific example and the ACE analysis would become an Alert and enter correlation mode.

Some things to note:
We will not want this module to work on every process guid observable, so some method should be used for signaling ACE to use this CbR Advanced Query Hunter module. Also, it makes no sense for every "playbook" script to be run against incoming results. For this reason, ACE should manage the "playbooks" from start to finish, i.e. handle the CbR queries itself through cbinterface. I'm thinking that the playbooks are defined in config files and maintained outside of the ACE project itself, as they would be considered intel.
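The following is an added illustration of the two-stage playbook flow described in this issue (base query, then per-result inspection, then detection only when every condition holds). It is not code from the ACE or cbinterface projects. The `Process` records, the guids and file paths, and the dictionary layout of `PLAYBOOK` are constructed assumptions, and `matches_base_query` is a simplified local stand-in for CbR's own query engine (in the real flow CbR would only return matching results, so the base-query check is there to make the example self-contained).

```python
import re
from dataclasses import dataclass, field


@dataclass
class Process:
    """Minimal stand-in for a CbR process document (constructed for this example)."""
    guid: str
    process_name: str
    cmdline: str
    children: list = field(default_factory=list)   # child Process objects
    filemods: list = field(default_factory=list)   # file paths written by this process


# Hypothetical playbook definition, the sort of thing that could live in an
# intel config file outside the ACE project.  The base query is the one quoted
# in the issue; the inspection is the "child wrote an XML file" condition.
PLAYBOOK = {
    "name": "iexplore_mht_child_writes_xml",
    "base_query": "process_name:iexplore.exe cmdline:.mht* childproc_name:iexplore.exe",
    "inspections": [
        {"scope": "child", "event": "filemod", "pattern": r"\.xml$"},
    ],
}


def term_to_regex(value):
    """Turn a CbR-style wildcard value such as '.mht*' into a case-insensitive regex."""
    return re.compile(".*".join(re.escape(part) for part in value.split("*")), re.IGNORECASE)


def parse_query(query):
    """'field:value field:value ...' -> list of (field, compiled regex)."""
    terms = []
    for token in query.split():
        fld, _, val = token.partition(":")
        terms.append((fld, term_to_regex(val)))
    return terms


def matches_base_query(proc, terms):
    """Simplified local evaluation of the base query against one process."""
    for fld, rx in terms:
        if fld == "childproc_name":
            if not any(rx.search(child.process_name) for child in proc.children):
                return False
        elif not rx.search(getattr(proc, fld, "")):
            return False
    return True


def inspection_holds(proc, inspection):
    """Evaluate one inspection step against the process or its children."""
    targets = proc.children if inspection["scope"] == "child" else [proc]
    rx = re.compile(inspection["pattern"], re.IGNORECASE)
    if inspection["event"] == "filemod":
        return any(rx.search(path) for target in targets for path in target.filemods)
    raise ValueError("unsupported inspection event: %s" % inspection["event"])


def run_playbook(playbook, results):
    """Return the guids for which the base query AND every inspection hold.

    Only these would become an Alert; everything else stays in analysis mode.
    """
    terms = parse_query(playbook["base_query"])
    detections = []
    for proc in results:
        if not matches_base_query(proc, terms):
            continue
        if all(inspection_holds(proc, step) for step in playbook["inspections"]):
            detections.append(proc.guid)
    return detections


# Constructed sample results standing in for what the base query would return.
IE = r'"C:\Program Files\Internet Explorer\iexplore.exe"'
SAMPLE_RESULTS = [
    # matches base query, child writes an .xml file -> detection
    Process("guid-1", "iexplore.exe", IE + r" C:\Users\a\Downloads\invoice.mht",
            children=[Process("guid-1c", "iexplore.exe", "iexplore.exe SCODEF:1001",
                              filemods=[r"C:\Users\a\AppData\Local\Temp\tmp1.xml"])]),
    # matches base query, but child only writes a .txt file -> no detection
    Process("guid-2", "iexplore.exe", IE + r" C:\Users\b\Downloads\report.mht",
            children=[Process("guid-2c", "iexplore.exe", "iexplore.exe SCODEF:1002",
                              filemods=[r"C:\Users\b\AppData\Local\Temp\notes.txt"])]),
    # child writes .xml, but the cmdline has no .mht file -> fails base query
    Process("guid-3", "iexplore.exe", IE + " https://example.com/",
            children=[Process("guid-3c", "iexplore.exe", "iexplore.exe SCODEF:1003",
                              filemods=[r"C:\Users\c\AppData\Local\Temp\cache.xml"])]),
]

if __name__ == "__main__":
    print(run_playbook(PLAYBOOK, SAMPLE_RESULTS))
```

Keeping the inspection steps as data rather than as code per playbook is what lets ACE own the whole chain: it runs the base query through cbinterface, applies each step to the returned process tree, and promotes the analysis to an Alert only when the last step holds.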

Labels

enhancement (New feature or request)