Endpoint: Investigating Hosts

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by RSA Information Design and Development on Jul 19, 2019.
Version 6

Note: The information in this topic applies to RSA NetWitness® Platform Version 11.3 and later.

The Hosts view allows you to investigate a host, including its scan details, the events related to alerts, anomalies, and process details.

Best Practices

The following are some best practices and tips that may help you investigate efficiently to identify and isolate threats or attacks:

Workflow for Hosts

  • Review the hosts with the highest risk scores and analyze the alerts contributing to the risk. Review the entities involved in the alerts, such as file names and processes. For more information, see Analyze Hosts Using the Risk Score.
  • Review files or processes that created this suspected file, and check if any other files are accessed or created in the Event Analysis view. For more information, see Analyzing Events.
  • Review hosts for rare files in the Active On column. If a file is present on 100 hosts, it might be legitimate. If a file is present on fewer hosts with a high risk score, it could be malicious and needs further investigation.
  • Search Google or VirusTotal with the file hash and review any reported activities. For more information, see Launch an External Lookup for a File.
  • Review the processes, autoruns, files, libraries, drivers, and system information. For example:
    • Search for files in known malware locations, such as:
      • C:\Windows\
      • C:\Users\<name>\AppData\<uncommon folder>
      • C:\Users\<name>\AppData\Local\Temp
      • C:\Windows\Temp\
    • Search for a particular file name or hash and review the snapshot to check when the file was first seen.
    • Review any network connections established by the process, such as:
      • Domain or IP address.
      • Ports used (common ports such as 80 and 443 versus uncommon ports such as 8080, 8888, and 3465), and check whether the ports are actively listening.
    • Check the file compile time. If the date is recent, the file could be malicious.
    • Check the file creation time on the host.
  • Review reported anomalies, such as suspicious threads, kernel hooks, image hooks, and registry discrepancies. For more information, see Analyze Anomalies.
  • Launch Process Analysis to view the sequence of activities performed on the host by the file or process. For more information, see Analyze Processes.
  • Download suspicious files to the server for deeper analysis. For more information, see Analyzing Downloaded Files.
  • After the investigation, if a file is found to be malicious, you can change the status of the file (blacklist or graylist) and block the infected or malicious file. For more information, see Changing File Status or Remediate.

View Hosts

You can view all hosts present on a specific Endpoint server, or a consolidated list of all hosts on multiple Endpoint servers by using the Endpoint Broker, for analysis. By default, hosts are sorted by risk score. To view the hosts:

  1. Go to INVESTIGATE > Hosts.
  2. Select from the following:

    • Endpoint Broker Server to view all hosts across all Endpoint servers. When querying, the Endpoint Broker ignores Endpoint servers that are offline. If an Endpoint server is online but not responding, the Endpoint Broker waits 10 seconds and then ignores it if it still does not respond.
    • Endpoint Server to view hosts on a specific Endpoint server.

      View hosts

  3. Select a host that you want to analyze.
  4. Click a row to view the following details:
    • Host Details displays host information such as network interfaces, operating system, hardware, and so on.
    • Risk Details displays the distinct alerts associated with the risk score and the alert severity. Click Critical, High, or Medium to display the alerts of that severity, or All to display all the alerts. For more information, see Analyzing Risky Users.
  5. Click Show next 100 hosts to view other hosts.
  6. Click the host name to investigate the scan results. For more information, see Analyze Host Details.

Filter Hosts

You can filter hosts on agent version, agent ID, agent mode, agent last seen, last scan time, operating system, hostname, username, managed agents, MAC address, risk score, IPv4, driver error code, security configurations, and agent groups.

Note: When filtering a large amount of data, use at least one indexed field with the Equals operator for better performance. The following fields are indexed in the database: Hostname, IPv4, Operating System, Last Scan Time, and Risk Score.

Filter Hosts

To search multiple values within a field, set the filter option to Equals, and use || as a separator.

For example, use the Equals operator with multiple IPv4 values separated by ||.

Filtering files

To filter on the agent last seen or last scan time, select the option from the drop-down list. If you select 3 Hours ago for the Last Scan Time, the result displays hosts that were last scanned 3 hours ago or earlier.

To filter on the risk score, use the slider to set the range between 0 and 100.

Risk score slider

Click Save to save the search and provide a name (up to 250 alphanumeric characters). The filter is added to the Saved Filters panel on the left. To delete a filter, hover over the filter name and click Delete.

Note: Special characters are not allowed except underscore (_) and hyphen (-) while saving the filter.

Adding and Sorting Columns in the Table

By default, the Hosts view displays a few columns and the hosts are sorted based on the risk score. To add or remove columns:

  1. Go to INVESTIGATE > Hosts.
  2. Select the columns by clicking in the right-hand corner.

    Select Columns for Hosts

  3. Scroll down or enter the keyword to search for the column.
  4. Click the arrow on the column header to sort the column in ascending or descending order.

Scan Hosts

Perform an on-demand scan when you want the latest snapshot of a host.

When the hosts are scanned, the Endpoint Agent retrieves the following data that can be used for investigation:

  • Drivers, processes, DLLs, files (executables), services, autoruns, anomalies, host file entries, and scheduled tasks running on the host.
  • System information such as network share, installed Windows patches, Windows tasks, logged-in users, bash history, and security products installed.

To start a scan:

  1. Go to INVESTIGATE > Hosts.

  2. Select one or more hosts (up to 100) at a time for an on-demand scan, and do one of the following:

    • Right-click and select Start Scan from the context menu.
    • Click Start Scan in the toolbar.
  3. Click Start Scan in the dialog. This performs a quick scan of all executable modules loaded in memory.

    The following are the scan statuses:

    Status     Description
    Idle       No scan is in progress.
    Scanning   Scan is in progress.
    Pending    Scan request is sent to the server and the agent will receive the request the next time it communicates with the server.
    Cancel     Stop request is sent to the server and the agent will receive the request the next time it communicates with the server.

Analyze Hosts Using the Risk Score

You can investigate a host by analyzing the risk contributors such as alerts and events to look for suspicious or malicious activity.

To analyze the hosts using the risk score:

  1. Go to INVESTIGATE > Hosts.

    The Hosts view is displayed.

  2. In the Server drop-down list, select the Endpoint server or Endpoint Broker server to view the hosts.

  3. Select the host and do any of the following.
    • Click a row to view the risk associated with the host in the Risk Details panel.
    • Click the hostname to investigate the host.
  4. In the Alert Severity panel, click the alert severity such as Critical, High, Medium, or All.

    The list of distinct alerts is displayed along with the total number of events associated with the alert.

  5. Click an alert to view the associated events.

    View associate events for an alert

    Note: Only the latest 1000 events are displayed.

  6. To view all the metadata associated with a specific event, click the event header. Information such as the source path, target path, file name, and so on is displayed.

    View metadata associated with a specific event

  7. Hover over one of the meta values for IP, Hostname, MAC, File name, File hash, User, or Domain to view additional information about the specific metadata. A hover box displays a list of the data sources that have context data available for the meta value. The possible data sources are NetWitness Endpoint, Incidents, Alerts, Hosts, Files, Feeds, and Live Connect.

    View additional information about a metadata

  8. To investigate the original event and destination domain of the event, do any of the following:

    Investigate an event

    • To reconstruct an event in a readable form that matches the original, click the Investigate Original Event link highlighted in blue. For more information on event reconstruction, see the NetWitness Investigate User Guide.

    • For details about the elements associated with an event, click the Investigate Destination Domain link highlighted in blue. For more information on Contextual Information for an Event, see the NetWitness Investigate User Guide.

      Note: The Investigate Destination Domain link is not displayed if the event has no domain.dst value.

    • To view a list of processes captured on the hosts and investigate a particular process, click the Analyze Process link highlighted in blue. For more information on process analysis, see Investigating a Process.

      Note: The Analyze Process link is not displayed if there is no createprocess event.

Analyze Host Details

To look for suspicious files on a host, click the host name and view the details of the host, or start an on-demand scan to get the most recent information. On the right-hand panel, you can view the following:

  • Host Details displays the host information, such as network interface, operating system, hardware, and so on.
  • Policy Details displays the complete resolved policy settings.

For more details, see Hosts View - Details Tab.

Analyze Host Details

Search on Snapshots

To investigate a host or to check if it is infected with a known malware, you can search for occurrences of the file name, file path, or SHA-256 checksum.

Note: To search for a SHA-256 checksum, provide the entire hash string in the search box.

The result displays details, such as file name, signature information, along with its interaction with the system (ran as process, library, autorun, service, task, or driver). To view more details for these results, click the category.

For example, a user has opened a malicious attachment from a phishing email; the file was downloaded to C:\Users and executed. To investigate this file:

  1. Go to INVESTIGATE > Hosts.

  2. Select the host that you want to investigate or select the Endpoint Broker server to investigate all the hosts.

  3. In the Details tab, enter the file path C:\Users in the search box.

    The search displays a maximum of 100 results for executables in this folder. In this example, the file Malware.exe is an unsigned file that might be malicious. If the search is executed on an Endpoint Broker server, it queries all the Endpoint servers.

    Search snapshot

    This file is run as a Process.

  4. To view details of this file, click Process in the result.

    Search results

    This opens the Process tab where you can view the process details.

Analyze Processes

To analyze the process:

  1. In the Hosts Details view, select the Processes tab.

    Process tab

    The following is an example of the tree view:

    Process tree view

  2. In the Processes Tab, do one of the following:
    • Click a row to view the properties of a process in the right panel.

      Process properties

    • Click the process name to view the process details of a specific process.

      Process details

When reviewing processes, it is important to see the launch arguments. Even legitimate files can be used for malicious purposes, so it is important to view all of them to determine if there is any malicious activity.

For example,

  • rundll32.exe is a legitimate Windows executable that is categorized as a good file. However, an adversary may use it to load a malicious DLL. Therefore, when viewing processes, always check the arguments passed to rundll32.exe.
  • LSASS.EXE is a child of WININIT.EXE and should not have child processes of its own. Malware often targets this executable to dump passwords, or mimics its name (lass.exe, lssass.exe, lsasss.exe, and so on) to hide on a system.
  • Most legitimate user applications, such as Adobe products and web browsers, do not spawn child processes like cmd.exe. If you encounter this, investigate the processes.

You can view the sequence of activities performed on the host by the file or process using the process analysis. For more information, see Investigating a Process.
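The three checks in the list above can be applied mechanically to a process snapshot before an analyst reads the tree by hand. The following script is an added example and is not NetWitness code or part of this guide; the process records, the sets of user applications and shells, and the path fragments used to judge rundll32.exe arguments are constructed assumptions for the demonstration.

```python
# Added example (not NetWitness code): apply the three process-review checks
# to a host's process snapshot. All records below are constructed.
from typing import Dict, List, Optional, Tuple

# Constructed snapshot: pid, parent pid, image name, launch arguments.
SAMPLE_PROCESSES: List[Dict] = [
    {"pid": 4,    "ppid": 0,    "name": "System",       "args": ""},
    {"pid": 500,  "ppid": 4,    "name": "wininit.exe",  "args": ""},
    {"pid": 600,  "ppid": 500,  "name": "lsass.exe",    "args": ""},
    {"pid": 700,  "ppid": 600,  "name": "cmd.exe",      "args": "/c whoami"},
    {"pid": 800,  "ppid": 500,  "name": "services.exe", "args": ""},
    {"pid": 900,  "ppid": 800,  "name": "rundll32.exe", "args": "shell32.dll,Control_RunDLL"},
    {"pid": 901,  "ppid": 800,  "name": "rundll32.exe",
     "args": "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.dll,Start"},
    {"pid": 1000, "ppid": 800,  "name": "chrome.exe",   "args": ""},
    {"pid": 1001, "ppid": 1000, "name": "chrome.exe",   "args": "--type=renderer"},
    {"pid": 1002, "ppid": 1000, "name": "cmd.exe",      "args": "/c dir"},
]

# Assumed lists; extend them for your environment.
NO_CHILDREN_EXPECTED = {"lsass.exe"}
USER_APPS = {"chrome.exe", "firefox.exe", "iexplore.exe", "acrord32.exe",
             "winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Lower-cased fragments of the drop locations named in the best-practices list.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\")


def review_processes(procs: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, reason) findings for processes that deserve a closer look."""
    by_pid = {p["pid"]: p for p in procs}
    findings: List[Tuple[int, str]] = []
    for p in procs:
        name = p["name"].lower()
        parent: Optional[Dict] = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else ""

        # 1. rundll32.exe: the DLL it loads is the first comma-separated argument.
        if name == "rundll32.exe":
            dll_path = p["args"].split(",", 1)[0].strip().lower()
            if any(hint in dll_path for hint in USER_WRITABLE_HINTS):
                findings.append((p["pid"], "rundll32.exe loads a DLL from a user-writable path: " + p["args"]))

        # 2. lsass.exe should never have child processes.
        if parent_name in NO_CHILDREN_EXPECTED:
            findings.append((p["pid"], f"{parent_name} spawned {name}"))

        # 3. Browsers and document readers rarely spawn command shells.
        if parent_name in USER_APPS and name in SHELLS:
            findings.append((p["pid"], f"{parent_name} spawned {name} with args: {p['args']}"))
    return findings


if __name__ == "__main__":
    for pid, reason in review_processes(SAMPLE_PROCESSES):
        print(pid, reason)
```

Run against the constructed snapshot, the script reports pid 700 (a shell under lsass.exe), pid 901 (rundll32.exe loading a DLL from a Temp folder) and pid 1002 (cmd.exe under chrome.exe), while the benign rundll32.exe call and the renderer child of the browser pass silently.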

Analyze Autoruns

In the Hosts view, select the Autoruns tab. You can view the autoruns, services, tasks, and cron jobs that are running for the selected host.

For example, in the Services tab, you can look at the file creation time. The compile time is stored in the PE header of each portable executable (PE) file. Although an adversary can easily change this time stamp before deploying the file to a victim's endpoint, it is rarely tampered with, and it can indicate whether a new file has been introduced. Compare the compile time stamp of the file against the creation time on the system. If the file was compiled a few days ago but its creation time on the system shows that it was created a few years ago, the time stamp has likely been tampered with.
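The comparison described above can be reproduced from the raw file bytes: the compile time is the TimeDateStamp field of the COFF file header, which follows the "PE\0\0" signature located by the e_lfanew field at offset 0x3C of the DOS header. The following script is an added example and not NetWitness code; the stub PE header it builds is a constructed header carrying only the fields needed here, and the one-day tolerance is an assumed allowance for clock skew.

```python
# Added example (not NetWitness code): read the compile time stamp from a PE
# header and compare it with the creation time recorded on the host.
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional


def pe_compile_time(data: bytes) -> Optional[datetime]:
    """Return the COFF header TimeDateStamp as a UTC datetime, or None if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    # COFF file header follows the 4-byte signature:
    #   Machine (2) | NumberOfSections (2) | TimeDateStamp (4) | ...
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def build_stub_pe(stamp: int) -> bytes:
    """Constructed MZ/PE header carrying the given stamp; not a loadable executable."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                 # e_lfanew -> signature at 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<HHI", hdr, 0x44, 0x8664, 1, stamp)   # Machine, NumberOfSections, TimeDateStamp
    return bytes(hdr)


def compile_time_iso(data: bytes) -> Optional[str]:
    ct = pe_compile_time(data)
    return ct.isoformat() if ct else None


def timestamp_verdict(data: bytes, created_on_host_iso: str,
                      tolerance: timedelta = timedelta(days=1)) -> str:
    """'created-before-compiled' is the tampering case described in the text:
    the host says the file existed long before the linker produced it."""
    ct = pe_compile_time(data)
    if ct is None:
        return "not-a-pe-file"
    created = datetime.fromisoformat(created_on_host_iso)
    if created + tolerance < ct:
        return "created-before-compiled"
    return "consistent"


# Constructed sample: stamp 1561939200 is 2019-07-01T00:00:00Z.
SAMPLE_PE = build_stub_pe(1561939200)

if __name__ == "__main__":
    print(compile_time_iso(SAMPLE_PE))
    print(timestamp_verdict(SAMPLE_PE, "2015-01-01T00:00:00+00:00"))
```

A creation time of 2015 against a compile time of July 2019 yields "created-before-compiled"; a creation time a few days after the compile time is reported as consistent. The reverse gap (compiled long before creation) is normal for any installed file and is deliberately not flagged.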

Analyze Files

In the Hosts view, select the Files tab. You can view the list of files scanned on the host at the time of scan. By default, the table displays 100 files. To display more files, click Load More at the bottom of the page.

For example, many trojans use random file names when dropping their payloads, to prevent an easy search across the endpoints in the network based on the file name. If a file is named svch0st.exe, scvhost.exe, or svchosts.exe, it indicates that the legitimate Windows file svchost.exe is being mimicked.
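Both the lsass.exe variants listed under Analyze Processes and the svchost.exe variants above are near-misses of a system file name: a substituted digit, a swapped pair of letters, or one extra letter. The following script is an added example, not NetWitness code; it flags such names by normalizing common digit-for-letter substitutions and then measuring edit distance against an assumed list of protected system names.

```python
# Added example (not NetWitness code): flag file names that mimic Windows
# system executables, covering the lsass.exe and svchost.exe variants above.
from typing import Dict, Iterable, Optional, Tuple

# Assumed set of names worth protecting; extend it for your environment.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "wininit.exe",
                "services.exe", "explorer.exe", "smss.exe"}

# Digits commonly substituted for letters (svch0st.exe).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s", "3": "e"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str, max_distance: int = 2) -> Optional[str]:
    """Return the system name this file name mimics, or None if it is exact or unrelated."""
    n = name.lower()
    if n in SYSTEM_NAMES:
        return None            # the real name; verify its path and signature separately
    norm = n.translate(HOMOGLYPHS)
    best: Optional[Tuple[str, int]] = None
    for legit in SYSTEM_NAMES:
        d = levenshtein(norm, legit)
        if d <= max_distance and (best is None or d < best[1]):
            best = (legit, d)
    return best[0] if best else None


def scan_names(names: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious name to the system name it imitates."""
    hits: Dict[str, str] = {}
    for n in names:
        target = lookalike_of(n)
        if target:
            hits[n] = target
    return hits


# Constructed sample of file names from a scan.
SAMPLE_NAMES = ["svchost.exe", "svch0st.exe", "scvhost.exe", "svchosts.exe",
                "lass.exe", "lssass.exe", "lsasss.exe", "notepad.exe", "csrss.exe"]

if __name__ == "__main__":
    for bad, legit in scan_names(SAMPLE_NAMES).items():
        print(f"{bad} mimics {legit}")
```

Exact system names are never flagged (csrss.exe and lsass.exe are within two edits of each other, so the exact-match check must come first); an exact name in an unexpected folder or without a valid signature is a separate check that the Files and Drivers tabs support.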

Analyze Libraries

In the Hosts view, select the Libraries tab. You can view the list of libraries loaded at the time of scan.

For example, a file with high entropy gets flagged as packed. A packed file means that it is compressed to reduce its size (or to obfuscate malicious strings and configuration information).
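The "high entropy" signal is Shannon entropy over the file's bytes: plain code and text reuse a small set of byte values, while compressed or encrypted payloads use all 256 values almost uniformly. The following script is an added example, not NetWitness code; the 7.0 bits-per-byte cutoff is an assumed threshold, and the three samples stand in for file contents.

```python
# Added example (not NetWitness code): Shannon entropy as a packing indicator.
import math
from collections import Counter

PACKED_THRESHOLD = 7.0   # bits per byte; assumed cutoff, tune on your own sample set


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, 8.0 when all 256 values are equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_likely_packed(data: bytes, threshold: float = PACKED_THRESHOLD) -> bool:
    """True when the byte distribution looks compressed or encrypted."""
    return shannon_entropy(data) >= threshold


# Constructed samples standing in for file contents.
ZERO_PADDING = b"\x00" * 4096                                   # section padding
PLAIN_TEXT = b"This program cannot be run in DOS mode." * 100   # ordinary strings
UNIFORM_BYTES = bytes(range(256)) * 16                          # every value equally often

if __name__ == "__main__":
    for label, sample in [("zeros", ZERO_PADDING), ("text", PLAIN_TEXT), ("uniform", UNIFORM_BYTES)]:
        print(f"{label}: {shannon_entropy(sample):.2f} bits/byte, packed={is_likely_packed(sample)}")
```

Entropy is computed over the whole file here; per-section entropy is a sharper variant, since a packer typically leaves one small unpacking stub at low entropy next to a large high-entropy section.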

Analyze Drivers

In the Hosts view, select the Drivers tab. You can view the list of drivers running on the host at the time of scan.

For example, using this panel, you can check whether a file is signed or unsigned. A file that is signed by a trusted vendor, such as Microsoft or Apple, and whose signature is marked Valid indicates that it is a good file.

Analyze Anomalies

Note: This tab is available only for the advanced agent.

In the Hosts view, select the Anomalies tab. You can view the following details for the selected host:

  • Image hooks - Hooks found in executable images (user-mode or kernel-mode) - IAT, EAT, Inline, exceptionHandler.
  • Kernel hooks - Hooks found on kernel objects (such as Driver Object [Pointers, IRP_MJ, SSDT, IDT, and so on]). This also includes filter devices.
  • Suspicious threads - Threads whose starting address points to memory DLLs or floating code. The threads could be running with either user-mode or kernel-mode privileges. These threads could run malicious code inside a trusted application to execute their own code.
  • Registry discrepancies - The Windows registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components and for applications running on the platform: the kernel, device drivers, services, SAM, user interface, and third-party applications all use the registry. Discrepancies between low-level parsing of the registry and the results returned by the Win32 registry API are reported.

Note: Anomalies is applicable only for Windows hosts.

For example, hooking is used to intercept calls in a running application and to capture information related to the API invocations. Malicious programs can implant hooks in various system applications for different purposes, such as hiding files, directories, or registry entries, intercepting user keystrokes, or establishing a stealthy communication channel with the attacker.

Analyze System Information

In the Hosts view, select the System Information tab. This panel lists the agent's system information. For the Windows operating system, the panel also displays the host file entries and network shares of that host.

For example, malware might use host file entries to block antivirus updates.
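The host file entries shown in this tab can be triaged the same way an analyst reads them: any entry that sends a name other than localhost to a loopback or unspecified address is a sinkhole, and one whose name looks like an update or security-product domain is the case described above. The following script is an added example, not NetWitness code; the hosts file content and domains are constructed, and the watch words are an assumed list.

```python
# Added example (not NetWitness code): flag hosts file entries that null-route
# names an analyst would expect to resolve normally, such as update servers.
import ipaddress
from typing import Dict, List

# Constructed hosts file content; the domains are invented.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.example-av.test
127.0.0.1       liveupdate.example-av.test   # added by dropper
10.0.0.5        intranet.corp.test
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}
# Assumed watch words for update and security-product domains.
WATCH_WORDS = ("update", "antivirus", "virus", "security", "defender")


def parse_hosts(text: str) -> List[Dict]:
    """Parse hosts file lines into {ip, host} entries, ignoring comments and malformed lines."""
    entries: List[Dict] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            entries.append({"ip": ip, "host": host.lower()})
    return entries


def suspicious_hosts_entries(text: str) -> List[Dict]:
    """Entries that send a non-local name to loopback or the unspecified address."""
    findings: List[Dict] = []
    for e in parse_hosts(text):
        if e["host"] in LOCAL_NAMES:
            continue
        if e["ip"].is_loopback or e["ip"].is_unspecified:
            reason = "sinkholed"
            if any(w in e["host"] for w in WATCH_WORDS):
                reason = "sinkholed update/security domain"
            findings.append({"ip": str(e["ip"]), "host": e["host"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f["ip"], f["host"], "-", f["reason"])
```

The intranet entry pointing at a routable address is left alone; a hosts entry that redirects a vendor name to an attacker-controlled address is a different pattern, and would need a list of expected vendor addresses rather than the loopback check used here.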

Export Host Details to JSON File

To export host details about a particular snapshot time:

  1. Go to INVESTIGATE > Hosts.
  2. Click the hostname to view the details.
  3. In any of the tabs, select the snapshot time, and click Export to JSON.

Launch an External Lookup for a File

While analyzing a file, you can search Google or VirusTotal with the filename or hash to get more information about the file. To launch the search:

  1. Go to INVESTIGATE > Host Details (Autorun, Files, Drivers, Libraries, or Anomalies tab).

  2. Right-click one or more files, or in the More drop-down list in the toolbar, do the following:

    External Lookup for a File

    • Select Google Lookup to perform a search on the filename, MD5, SHA1, or SHA256.
    • Select VirusTotal Lookup to perform a search on MD5, SHA1, or SHA256.

    Note: To open files in multiple tabs, make sure that pop-ups are enabled in the browser.

Delete a Host

If the agent is uninstalled on a host or if you no longer require the host scan data, you can manually delete this host from the Hosts view. Deleting a host deletes all scan data associated with the host. To delete hosts:

  1. Go to INVESTIGATE > Hosts.

  2. Select the hosts that you want to delete from the Hosts view and do one of the following:

    Delete hosts

    • Right-click and select Delete from the context menu.
    • Click More drop-down list in the toolbar and select Delete.

Note: If you accidentally delete a host from the Hosts view, the Endpoint Server forbids all requests from this agent. The agent must be uninstalled manually from the host and reinstalled for it to appear on the Hosts view.

Deleting Hosts with Older Agent Versions

After upgrading the 11.1.x and 11.2.x agents to 11.3, if you want to delete the hosts with older versions:

  1. Go to INVESTIGATE > Hosts.

  2. Filter the hosts based on the Agent version, and delete these hosts.

    If you do not delete them, the hosts are deleted according to the Data Retention Policy settings.

Set Hosts Preference

By default, the Hosts view displays a few columns and the hosts are sorted based on the risk score. If you want to view specific columns and sort data on a specific field:

  1. Go to INVESTIGATE > Hosts.

  2. Select the columns by clicking Settings in the right-hand corner. The following example shows the drop-down list displayed while adding columns:

    Select Columns

  3. Scroll down or enter the keyword to search for the column in the displayed list.

  4. Sort the data on the required column.

    Note: The selections you make here become your default view every time you log in to the Hosts view.

Export Host Attributes

You can export up to 100,000 host attributes at a time. To export the host attributes to a CSV file:

  1. Go to INVESTIGATE > Hosts.

  2. Filter the hosts by selecting the required filter options.

  3. Add columns by clicking Settings in the right-hand corner.

  4. Click Export to CSV to export the host attributes to a csv file.

    Export to CSV file

You can either save or open the csv file.

Migrate Hosts

Hosts can be migrated from one Endpoint server to another using groups and policy associated with the host. If a host is migrated, the Server column shows as Migrated. The risk score of a migrated host is displayed on all Endpoint servers where it is present.

Note: Some of the actions are disabled for the migrated host on the selected server, such as start scan, start stop, analyze events, and others. If you want to perform the required action, select the Endpoint server to which the host is migrated.

Note: To view only managed hosts, select the Show Only Managed Agents option in the Filters panel.

Analyzing Risky Users

If you have NetWitness UEBA installed, you can view the alerts associated with users logged in on the host. To analyze risky users:

  1. Go to INVESTIGATE > Hosts.

  2. Click the host name you want to analyze.

  3. In the Host Details panel, under the Users category, click the name.

    This opens the Users tab for investigation in a new tab.

    Analyze risky user

Resetting Risk Score of Hosts

You can reset the risk score for a host in these situations:

  • If the alerts or events triggered by the host, or by files on the host, are false positives, you can change the Endpoint Application rules or ESA rules.
  • After you take the required action on the host for the malicious file activities contributing to the risk score. When you reset the risk score, all risk calculations for the host are deleted; resetting a host's risk score does not change the file's risk score. You can reset the score for a single host or for multiple hosts.

To reset the risk score of a host:

  1. Go to INVESTIGATE > Hosts.

  2. Select the Endpoint Server or Endpoint Broker.

  3. Select one or more hosts and do one of the following:

    Reset risk score for hosts

    • Right-click and select Reset Risk Score from the context menu.
    • Click More Actions > Reset Risk Score in the toolbar.

    All the alerts associated with the score are deleted.

    Note: You can select a maximum of 100 hosts to reset the score.

  4. Refresh the page to view and confirm that the host's score is reset. The change may take some time to take effect.
