
Endpoint: Investigating Hosts

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by RSA Information Design and Development on Sep 10, 2020. Version 28.

Note: The information in this topic applies to RSA NetWitness Platform Version 11.3 and later.

The Hosts view allows you to investigate a host, including its scan details, the tracking events related to alerts, anomalies, and process details.

Best Practices

The following are some best practices and tips that may help you investigate efficiently to identify and isolate threats or attacks:

Workflow for Hosts

  • Review the hosts with the highest risk score and analyze the alerts contributing to the risk. Review the entities involved in the alerts, such as file names and processes. For more information, see Analyze Hosts Using the Risk Score.
  • Review files or processes that created this suspected file, and check if any other files are accessed or created in the Events view. For more information, see Analyzing Events.
  • Review hosts for rare files in the On Hosts column. If a file is present on 100 hosts, it can be legitimate. If a file is present on fewer hosts with a high risk score, it may be malicious and needs further investigation.
  • Filter to exclude hosts on host status, risk score, hostname, and so on. For more information, see Filter Hosts.

  • Search Google or VirusTotal with the file hash and review any reported activities. For more information, see Launch an External Lookup for a File.
  • Review the processes, autoruns, files, libraries, drivers, and system information. For example:
    • Search for files in known malware locations, for example:
      • C:\Windows\
      • C:\Users\<name>\AppData\<uncommon folder>
      • C:\Users\<name>\AppData\Local\Temp
      • C:\Windows\Temp\
    • Search for a particular file name or hash and review the snapshot to check when the file was first seen.

    • Review any network connections established by the process, such as:
      • Domain or IP address.
      • Ports used (common ports (80 and 443) versus uncommon ports (8080, 8888, and 3465)), and check whether the ports are actively listening.
    • Check the file compile time. If the date is recent, it could be malicious.
    • Check the file creation time on the host.
  • Review reported anomalies, such as suspicious threads, kernel hooks, image hooks, and registry discrepancies. For more information, see Analyze Anomalies.
  • Launch Process Analysis to view the sequence of activities performed on the host by the file or process. For more information, see Analyze Processes.
  • Download suspicious files to the server for deeper analysis. For more information, see Analyzing Downloaded Files.
  • Download MFT, process, or system dump to the server for forensic investigation. For more information, see Performing Host Forensics.
  • After investigation, if a file is found to be malicious, you can change the status of the file (blacklist or graylist) and block the infected or malicious file. For more information, see Changing File Status or Remediate.
  • (Optional) If you suspect that a host is potentially compromised with the threat still being active, you can isolate the host from the network and safely investigate possible threats within the host. For more information, see Isolating Hosts from Network.

View Hosts

You can view all hosts present on a specific Endpoint server, or a consolidated list of all hosts on multiple Endpoint servers using the Endpoint Broker, for analysis. By default, hosts are sorted based on the risk score. To view the hosts:

  1. Go to Hosts.
  2. Select from the following:

    • Endpoint Broker Server to view all hosts across all Endpoint servers. When querying, the Endpoint Broker ignores Endpoint servers that are offline. If an Endpoint server is online but is not responding, the Endpoint Broker waits for 10 seconds and ignores it if it does not respond.
    • Endpoint Server to view hosts on a specific Endpoint server.

      [Figure: View hosts]

  3. Select a host that you want to analyze.
  4. Click a row to view the following details:
    • Host Details displays the host information, such as network interfaces, operating system, hardware, and others.
    • Risk Details displays the distinct alerts associated with the risk score and their severity. Click Critical, High, Medium, or All to display the corresponding alerts. For more information, see Analyzing Risky Users.
  5. Click Show next 100 hosts to view other hosts.
  6. Click the host name to investigate the scan results. For more information, see Analyze Host Details.

View Agent History

You can view the list of commands issued to the agents (either by the server or as a result of actions performed by an analyst) in the Hosts view and in the Host details view. By default, commands are sorted based on the command time.

To view the commands:

  1. Go to Hosts.
  2. Do one of the following:
    • To view all commands, click . You can also filter the commands; for more information, see Filter Hosts.

    The Agent History view is displayed. For more details, see Analyze History.

    • To view the commands for a particular host:
      • Click the host for which you want to view the commands.
      • In the Host details view, click the History tab. You can also filter the commands; for more information, see Filter Host Details.
        The History view is displayed. For more details, see Analyze History.

Filter Hosts

You can filter hosts on agent version, agent ID, agent mode, agent last seen, last scan time, operating system, hostname, username, MAC address, risk score, IPv4, driver error code, security configurations, agent groups, and host status (managed, roaming, and isolated).

In the Hosts view, click , to filter the commands on command type, status, host name, request type, command parameter, and command time. In the Command Time field, you can filter by a custom date range.

Note: While filtering on a large amount of data, use at least one indexed field with the Equals operator for better performance. The following fields are indexed in the database - Hostname, IPv4, Operating System, Last Scan Time, and Risk Score.

[Figure: Filter Hosts]

To search for multiple values within a field, set the filter option to Equals and use || as a separator.

For example, use the Equals operator for multiple IPv4 values separated by ||.

[Figure: Filtering files]

To filter on the agent last seen or last scan time, select the option from the drop-down list. If you select 3 Hours ago for the Last Scan Time, the result displays hosts that were last scanned 3 hours ago or earlier.

To filter on the risk score, use the slider to increase or decrease the values between 0 and 100.

[Figure: Risk score slider]

Click Save to save the filter and provide a name (up to 250 alphanumeric characters). The filter is added to the Saved Filters panel on the left. To delete a filter, hover over the filter name and click Delete.

Note: Special characters are not allowed except underscore (_) and hyphen (-) while saving the filter.

You can also filter the commands on command type, status, host name, request type, command parameter, and command time (where you can filter by a custom date range) by clicking .

Adding and Sorting Columns in the Table

By default, the Hosts view displays a few columns and the hosts are sorted based on the risk score. To add or remove columns:

  1. Go to Hosts.
  2. Select the columns by clicking in the right-hand corner.

    [Figure: Select Columns for Hosts]

  3. Scroll down or enter the keyword to search for the column.
  4. Click the arrow on the column header to sort the column in ascending or descending order.

Scan Hosts

Perform an on-demand scan when you want the latest snapshot of the host.

When the hosts are scanned, the Endpoint Agent retrieves the following data that can be used for investigation:

  • Drivers, processes, DLLs, files (executables), services, autoruns, anomalies, host file entries, and scheduled tasks running on the host.
  • System information such as network share, installed Windows patches, Windows tasks, logged-in users, bash history, and security products installed.

To start a scan:

  1. Go to Hosts.

  2. Select one or more hosts (up to 100) at a time for an on-demand scan, and do one of the following:

    • Right-click and select Start Scan from the context menu.
    • Click Start Scan in the toolbar.
  3. Click Start Scan in the dialog. This performs a quick scan of all executable modules loaded in memory.

    The following are the scan statuses:

    Status     Description
    Idle       No scan is in progress.
    Scanning   Scan is in progress.
    Pending    Scan request is sent to the server and the agent will receive the request the next time it communicates with the server.
    Cancel     Stop request is sent to the server and the agent will receive the request the next time it communicates with the server.

Analyze Hosts Using the Risk Score

You can investigate a host by analyzing the risk contributors such as alerts and events to look for suspicious or malicious activity.

To analyze the hosts using the risk score:

  1. Go to Hosts.

    The Hosts view is displayed.

  2. In the Server drop-down list, select the Endpoint server or Endpoint Broker server to view the hosts.

  3. Select the host and do any of the following.
    • Click a row to view the risk associated with the host in the Risk Details panel.
    • Click the hostname to investigate the host.
  4. In the Alert Severity panel, click the alert severity such as Critical, High, Medium, or All.

    The list of distinct alerts is displayed along with the total number of events associated with the alert.

  5. Click an alert to view the associated events.

    [Figure: View associated events for an alert]

    Note: Only the latest 1000 events are displayed.

  6. To view all the metadata associated with a specific event, click the event header. The information such as source path, target path, filename, and others is displayed.

    [Figure: View metadata associated with a specific event]

  7. Hover over one of the meta values for IP, Hostname, MAC, File name, File hash, User, and Domain to view additional information about the specific metadata. A hover box displays a list of the data sources that have context data available for the meta value. These are the possible data sources: NetWitness Endpoint, Incidents, Alerts, Hosts, Files, Feeds, and Live Connect.

    [Figure: View additional information about a metadata value]

  8. To investigate the original event and destination domain of the event, do any of the following:

    [Figure: Investigate an event]

    • To reconstruct an event in a readable form that matches the original, click the Investigate Original Event link highlighted in blue. For more information on event reconstruction, see the NetWitness Investigate User Guide.

    • For details about the elements associated with an event, click the Investigate Destination Domain link highlighted in blue. For more information on Contextual Information for an Event, see the NetWitness Investigate User Guide.

      Note: Investigate Destination Domain link is not displayed if there is no domain.dst event.

    • To view a list of processes captured on the hosts and investigate a particular process, click the Analyze Process link highlighted in blue. For more information on process analysis, see Investigating a Process.

      Note: Analyze Process link is not displayed if there is no createprocess event.

Analyze Host Details

To look for suspicious files on a host, click the host name and view the details of the host, or start an on-demand scan to get the most recent information. On the right-hand panel, you can view the following:

  • Host Details displays the host information, such as Network interface, operating system, hardware and others.

  • Policy Details displays the complete resolved policy settings.

For more details, see Hosts View - Details Tab.

[Figure: Analyze Host Details]

Filter Host Details

In the Processes, Autoruns, Files, Drivers, Libraries, and Anomalies tabs, you can filter the processes or files on file status, reputation, file or process name, signature, and risk score. Click Save to save the filter and provide a name (up to 250 alphanumeric characters). The filter is added to the Saved Filters panel on the left. To delete a filter, hover over the filter name and click Delete.

In the Host view > Files tab, you can filter the files available on the host and the files deleted from the host. The result for files deleted from the host depends on the data retention policy configured in the Endpoint Config view > Data Retention Scheduler tab. By default, the data retention policy is configured for 30 days, which means that only 30 days of deleted files are stored on the Endpoint server. These filter options are disabled if the All Files Available on Host toggle is disabled.

In the Host view > History tab, you can filter the commands on command type, status, host name, request type, command parameter and command time. In the Command Time field, you can filter by custom date range.

Click Save to save the filter and provide a name (up to 250 alphanumeric characters). The filter is added to the Saved Filters panel on the left. To delete a filter, hover over the filter name and click .

Note: Special characters are not allowed except underscore (_) and hyphen (-) while saving the filter.

Search Files on Host

To investigate a host or to check if it is infected with a known malware, you can search for occurrences of the file name, file path, or SHA-256 checksum.

Note: To search for a SHA-256 checksum, provide the entire hash string in the search box.

The result displays the matching files present on the host in the All Files Available on Host category and in the respective snapshot category, with details such as file name, signature information, and checksum. In addition, the snapshot category displays the system interaction, for example, ran as process, library, autorun, service, task, or driver. To view more details, click the filename or the system interaction link.

For example, a user clicked and executed a malicious attachment from a phishing email, and it was downloaded to C:\Users. To investigate this file:

  1. Go to Hosts.

  2. Select the host that you want to investigate or select the Endpoint Broker server to investigate all the hosts.

  3. In the Details tab, enter the file path C:\Users in the search box.

    The search displays a maximum of 100 results for the executables in this folder. In this example, the file Malware.exe is an unsigned file that might be malicious. If the search is executed on an Endpoint Broker server, it queries all the Endpoint servers.

    This file is run as a Process.

  4. To view details of this file, click Process in the result.

    This opens the Process tab where you can view the process details.

Analyze Processes

To analyze the process:

  1. In the Hosts details, select the Processes tab.

    [Figure: Process tab]

    To view the process tree, click the toggle switch. The following is an example of the tree view:

    [Figure: Process tree view]

  2. In the Processes Tab, do one of the following:

    • Click a row to view the properties of a process in the right panel.

      [Figure: Process properties]

    • Click the process name to view the process details of a specific process.

      [Figure: Process details]

When reviewing processes, it is important to see the launch arguments. Even legitimate files can be used for malicious purposes, so it is important to view all of them to determine if there is any malicious activity.

For example,

  • rundll32.exe is a legitimate Windows executable that is categorized as a good file. However, an adversary may use this executable to load a malicious DLL. Therefore, when viewing processes, you must view the arguments of the rundll32.exe file.
  • LSASS.EXE is a child of WININIT.EXE. It should not have child processes. Malware often uses this executable to dump passwords, or mimics its name to hide on a system (lass.exe, lssass.exe, lsasss.exe, and so on).

  • Most legitimate user applications, such as Adobe products and web browsers, do not spawn child processes such as cmd.exe. If you encounter this, investigate the processes.

You can view the sequence of activities performed on the host by the file or process using the process analysis. For more information, see Investigating a Process.

Analyze Autoruns

In the Hosts details, select the Autoruns tab. You can view the autoruns, services, tasks, and cron jobs that are running for the selected host.

For example, in the Services tab, you can look for the file creation time. The compile time is found within each portable executable (PE) file in the PE header. This time stamp is rarely tampered with, even though an adversary can easily change it before deploying to a victim's endpoint. It can indicate whether a new file has been introduced. You can compare the compile time stamp of the file against the created time on the system to find the difference. If a file was compiled a few days ago, but the time stamp of this file on the system shows that it was created a few years ago, it indicates that the file has been tampered with.
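The compile time check described above, as an added example that is not part of the original documentation or of the NetWitness product: it reads the COFF TimeDateStamp from a PE image and compares it with the creation time reported for the file on the host. The minimal PE bytes and the epoch values are constructed for the example.

```python
import struct
from datetime import datetime, timezone

# Offsets from the PE/COFF file format: the DOS header's e_lfanew field points
# at the "PE\0\0" signature; the COFF TimeDateStamp follows the Machine and
# NumberOfSections fields immediately after that signature.
E_LFANEW_OFFSET = 0x3C
PE_SIGNATURE = b"PE\0\0"
TIMEDATESTAMP_OFFSET = 4 + 2 + 2   # signature + Machine + NumberOfSections
DAY = 86400


def iso(epoch: int) -> str:
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def pe_timedatestamp(data: bytes) -> int:
    """Return the COFF header TimeDateStamp (seconds since the Unix epoch)."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    return struct.unpack_from("<I", data, e_lfanew + TIMEDATESTAMP_OFFSET)[0]


def assess_timestamps(data: bytes, created_on_host: int, skew: int = DAY) -> dict:
    """Compare the compile time inside the file with its on-host creation time.

    A file cannot legitimately appear on disk before it was compiled, so a
    compile time later than the creation time (beyond a small clock-skew
    allowance) points to a backdated creation time, as the text describes.
    """
    compiled = pe_timedatestamp(data)
    return {
        "compile_time": iso(compiled),
        "created_on_host": iso(created_on_host),
        "compiled_after_creation": compiled > created_on_host + skew,
        "age_at_creation_days": (created_on_host - compiled) // DAY,
    }


def build_sample_pe(timedatestamp: int) -> bytes:
    """Constructed minimal MZ + COFF header, just enough to carry a TimeDateStamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)
    # Machine=AMD64, 1 section, TimeDateStamp, no symbols, no optional header,
    # Characteristics=EXECUTABLE_IMAGE.
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timedatestamp, 0, 0, 0, 0x0002)
    return bytes(dos) + PE_SIGNATURE + coff


if __name__ == "__main__":
    # Constructed scenario from the text: compiled recently (2020-01-01), but
    # the host reports the file as created years earlier (2017-06-15).
    recent_build = build_sample_pe(1577836800)
    print(assess_timestamps(recent_build, created_on_host=1497484800))
    # Benign scenario: created on the host a few weeks after it was compiled.
    print(assess_timestamps(recent_build, created_on_host=1580000000))
```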

Analyze Files

To analyze the files, do either of the following, depending on what you need:

  • In the Hosts view, select the Files tab.
    You can view the list of all files (reported as part of scan and tracking) on the host including the deleted files.
  • To view the files reported as part of a scan snapshot, disable the All Files Available On Host toggle and select the scan time from the Snapshot drop-down list.

For example, when analyzing files, note that many trojans write random filenames when dropping their payloads, to prevent an easy search across the endpoints in the network based on the filename. If a file is named svch0st.exe, scvhost.exe, or svchosts.exe, it indicates that the legitimate Windows file named svchost.exe is being mimicked.
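The lookalike file names described here and under Analyze Processes (svch0st.exe, scvhost.exe, lass.exe, and so on), as an added example that is not part of the original documentation: a Python check that undoes common digit-for-letter substitutions and measures edit distance against a set of legitimate Windows process names. The KNOWN_NAMES set, the homoglyph map, and the sample file names are constructed for the example.

```python
# Legitimate Windows process names that malware commonly mimics (the ones this
# page names plus a few other core system binaries); constructed for the example.
KNOWN_NAMES = {
    "svchost.exe", "lsass.exe", "wininit.exe", "csrss.exe", "smss.exe",
    "winlogon.exe", "explorer.exe", "services.exe", "rundll32.exe", "cmd.exe",
}

# Digits and symbols that adversaries substitute for visually similar letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s"})


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an edit is an insert, a delete, a
    substitution, or a swap of two adjacent characters (so 'scvhost' is one
    edit away from 'svchost')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(filename: str, max_distance: int = 2):
    """Return the legitimate name a file name appears to mimic, or None.

    An exact (case-insensitive) match is legitimate. Otherwise the name is
    normalized (homoglyphs undone) and compared against every known name; a
    near miss within max_distance edits is reported as a lookalike.
    """
    name = filename.lower()
    if name in KNOWN_NAMES:
        return None
    normalized = name.translate(HOMOGLYPHS)
    best = min(KNOWN_NAMES, key=lambda known: osa_distance(normalized, known))
    return best if osa_distance(normalized, best) <= max_distance else None


def flag_lookalikes(filenames):
    """Return {suspicious_name: mimicked_name} for a list of scanned file names."""
    hits = {}
    for filename in filenames:
        target = lookalike_of(filename)
        if target:
            hits[filename] = target
    return hits


if __name__ == "__main__":
    # Constructed sample of file names as they might appear in the Files tab.
    sample = ["svchost.exe", "svch0st.exe", "scvhost.exe", "svchosts.exe",
              "lsass.exe", "lass.exe", "lssass.exe", "lsasss.exe", "notepad.exe"]
    for bad, good in flag_lookalikes(sample).items():
        print(f"{bad} looks like {good}")
```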

Analyze Libraries

In the Hosts details, select the Libraries tab. You can view the list of libraries loaded at the time of scan.

For example, a file with high entropy gets flagged as packed. A packed file is one that has been compressed to reduce its size (or to obfuscate malicious strings and configuration information).

Analyze Drivers

In the Hosts details, select the Drivers tab. You can view the list of drivers running on the host at the time of scan.

For example, using this panel, you can check whether a file is signed or unsigned. A file that is signed by a trusted vendor, such as Microsoft or Apple, with a signature status of valid, indicates that it is a good file.

Analyze Anomalies

Note: This tab is available only for the advanced agent.

In the Hosts details, select the Anomalies tab. You can view the following details for the selected host:

  • Image hooks - Hooks found in executable images (user-mode or kernel-mode) - IAT, EAT, Inline, exceptionHandler.
  • Kernel hooks - Hooks found on kernel objects (such as Driver Object [Pointers, IRP_MJ, SSDT, IDT, and so on]). This also includes filter devices.
  • Suspicious threads - Threads whose starting address points to memory DLLs or floating code. The threads could be running with either user-mode or kernel-mode privileges. These threads could run malicious code inside a trusted application to execute their own code.
  • Registry discrepancies - The Windows registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components and for applications running on the platform: the kernel, device drivers, services, SAM, user interface, and third-party applications all use the registry. Discrepancies between low-level parsing of the registry and the results returned by the Win32 registry API are reported.

Note: Anomalies is applicable only for Windows hosts.

For example, hooking is used to intercept calls in a running application and to capture information related to the API invocations. Malicious programs can implant hooks in various system applications for different purposes, such as hiding files, directories, or registry entries, or intercepting users' keystrokes to establish a stealthy communication channel with the attacker.

Analyze System Information

In the Hosts details, select the System Information tab. This panel lists the agent system information. For the Windows operating system, the panel also displays the host file entries and network shares of that host.

For example, malware might use host file entries to block antivirus updates.

Analyze History

In the Host details, select the History tab. This tab lists the commands along with the respective status and additional details.

When you review the history, look for the command status and retrieval count to check if the agent retrieved the commands.

Below are some examples:

  • A file download command is issued, but the file has been deleted on the host. In this case, the status of the command is failed because the file could not be downloaded.
  • The retrieval count increases, but the command is not processed. This happens when an analyst requests a large number of files (for example, MFT, system dump, or process dump) and the connection breaks while the agent uploads these files.
  • If the agent command is not retrieved, the agent is either offline or busy processing other commands (for example, uploading a system dump). In this case, the status of the command shows pending.
To view more details, click the Hostname link highlighted in blue. The Hosts details view is displayed.
For the MFT, download file, system dump, and process dump command types, when you click the Hostname link the Downloads tab is displayed, with details such as file name, type, status, size, downloaded time, and SHA256 of the file.


Export Host Details or Files to JSON File

Note: Export Host details option is disabled if there is no snapshot time.

To export host details or files to JSON file:

  1. Go to Hosts.
  2. Select the hostname to open the host details.
  3. Click (More) beside the hostname and do any of the following:
    • To export the scan data categories for the host, select Export Host Details. This exports files such as:
      • allfiles.json - This file consists of the file name, file path, signature, file checksum, and so on that is reported as part of scan and tracking.
      • fileContext.json - This file consists of the file name, file path, signature, file checksum, and so on that is reported during the host scan.
      • machinedetails.json - This file consists of the machine details, including hardware, operating system, interfaces, and so on, along with the agent details like version, policy details.

    Note: If Endpoint Broker is selected and a host has communicated with multiple Endpoint servers, during the host details export all files and details of the host are exported from the Endpoint server where the selected snapshot is stored.

    Note: The allfiles.json file is exported irrespective of the selected snapshot.

    • To export all the files available on the host, select Export Files. This exports:
      • allfiles.json - This file consists of the file name, file path, signature, file checksum, and so on that is reported as part of scan and tracking.

Launch an External Lookup for a File

While analyzing a file, you can search Google or VirusTotal with the filename or hash to get more information about the file. To launch the search:

  1. Go to Hosts > Host Details (Autorun, Files, Drivers, Libraries, or Anomalies tab).

  2. Right-click one or more files, or use the More Actions drop-down list in the toolbar, and do one of the following:

    [Figure: External Lookup for a File]

    • Select Google Lookup to perform a search on the filename, MD5, SHA1, or SHA256.
    • Select VirusTotal Lookup to perform a search on MD5, SHA1, or SHA256.

    Note: To open files in multiple tabs, make sure you enable pop-ups in the browser.

Delete a Host

If the agent is uninstalled on a host or if you no longer require the host scan data, you can manually delete this host from the Hosts view. Deleting a host deletes all scan data associated with the host. To delete hosts:

  1. Go to Hosts.

  2. Select the hosts that you want to delete from the Hosts view and do one of the following:

    [Figure: Delete hosts]

    • Right-click and select Delete from the context menu.
    • Click More drop-down list in the toolbar and select Delete.

Note: If you accidentally delete a host from the Hosts view, the Endpoint Server forbids all requests from this agent. The agent must be uninstalled manually from the host and reinstalled for it to appear on the Hosts view.

Deleting Hosts with Older Agent Versions

After upgrading the 11.1.x and 11.2.x agents to 11.3 or later, if you want to delete the hosts with older versions:

  1. Go to Hosts view.

  2. Filter the hosts based on the Agent version, and delete these hosts.

    If you do not delete them, the hosts are deleted based on the Data Retention Policy settings.

Set Hosts Preference

By default, the Hosts view displays a few columns and the hosts are sorted based on the risk score. If you want to view specific columns and sort data on a specific field:

  1. Go to Hosts.

  2. Select the columns by clicking Settings in the right-hand corner. The following example shows the drop-down list displayed while adding columns:

    [Figure: Select Columns]

  3. Scroll down or enter the keyword to search for the column in the displayed list.

  4. Sort the data on the required column.

    Note: The selections you make here become your default view every time you log in to the Hosts view.

Export Host Attributes

You can export up to 100,000 host attributes at a time. To extract the host attributes to a CSV file:

  1. Go to Hosts.

  2. Filter the hosts by selecting the required filter options.

  3. Add columns by clicking Settings in the right-hand corner.

  4. Click Export to CSV to export the host attributes to a CSV file.

    [Figure: Export to CSV file]

You can either save or open the CSV file.

Migrate Hosts

Hosts can be migrated from one Endpoint server to another using the groups and policy associated with the host. If a host is migrated, the Server column shows Migrated. On all the tabs within the Hosts view, the message Host is migrated to <Server-name> is displayed. You can view the host details by clicking the <Server-name>. The risk score of a migrated host is displayed on all Endpoint servers where it is present.

Note: Some of the actions are disabled for the migrated host on the selected server, such as start scan, start stop, analyze events, and others. If you want to perform the required action, select the Endpoint server to which the host is migrated.

Note: To view only managed hosts, select the Show Only Managed Agents option in the Filters panel.

Analyzing Risky Users

If you have NetWitness UEBA installed, you can view the alerts associated with users logged in on the host. To analyze risky users:

  1. Go to Hosts.

  2. Click the host name you want to analyze.

  3. In the Host Details panel, under the Users category, click the name.

    This opens the Entities tab for investigation in a new tab.

    [Figure: Analyze risky user]

Resetting Risk Score of Hosts

You can reset the risk score for a host in these situations:

  • If the alerts or events triggered by the host or files on the host are false positive, you can make changes to the Endpoint Application rules or ESA rules.
  • After you take the required action on the host for the malicious file activities contributing to the risk score. When you reset the risk score, all the risk calculation for the host is deleted. Resetting the host's risk score does not change the file's risk score. You can reset the score for a single host or for multiple hosts.

To reset the risk score of a host:

  1. Go to Hosts.

  2. Select the Endpoint Server or Endpoint Broker.

  3. Select one or more hosts and do one of the following:

    [Figure: Reset risk score for hosts]

    • Right-click and select Reset Risk Score from the context menu.
    • Click More Actions > Reset Risk Score in the toolbar.

    All the alerts associated with the score are deleted.

    Note: You can select a maximum of 100 hosts to reset the score.

  4. Refresh the page to view and confirm that the host's score is reset. It may take some time for the changes to take effect.
