Endpoint: Investigating a Process

Document created by RSA Information Design and Development on Apr 11, 2019Last modified by RSA Information Design and Development on Jul 19, 2019
Version 6Show Document
  • View in full screen mode
 

Note: The information in this topic applies to RSA NetWitness® Platform Version 11.3 and later.

Analysts can perform process analysis to investigate a particular process behavior to:

  • Understand the entire process event chain, process parent-child relationships, and all associated events in a timeline view.
  • Analyze important process attributes, such as username, launch arguments, reputation, file status, signer, signature, and file path.

The Analyze Process view provides a list of processes captured on hosts in a parent-child hierarchical format over a time range. The process tree is created from the tracking event type "Process event" where the action meta key is createProcess. The agent reports new events for the same createProcess if the following parameters change:

 

  • Parent process filename
  • Child process filename
  • Launch arguments
  • User name
 

If the above parameters do not change, the event is reported only once every eight hours.

Best Practices

When reviewing a host for malicious activity, there are a few key things to review while looking for malicious processes.

  • Process Name - When reviewing running processes on a host, check for the name of the program that looks suspicious. Sometimes malware uses random names, such as wzuduje.exe. In some cases, the names might be misleading such as adob3.exe, scvhost.exe, or Microsoft.exe. Being familiar with Windows processes and any type of internal tool that might be used throughout the environment, also helps you to identify potentially malicious or suspicious files.

  • File Path - Similar to knowing normal and key Windows processes, knowing what path the processes originate from is a key to detect certain processes that imitate the legitimate process. For instance, if you see svchost.exe running on a system from C:\Users\<username>\AppData\Roaming\adobe\ (which is a valid file path), and knowing that the legitimate Windows process originates from C:\Windows\System32\, you can determine that the svchost.exe file starting from the C:\Users\<username>\AppData\Roaming\adobe\ directory is the suspicious one. To help determine further identification of a suspicious process, review the Autoruns tab to see if this process is running as an autorun, service, or task.

  • File Signature - When a software package is created, it has a valid digital signature. The following are a few exceptions:

    • If a process that is running is not digitally signed, it does not automatically confirm that the file is malicious.
    • While files may have a valid signature, it does not mean that they are legitimate. There are instances of software identified as a Potentially Unwanted Program (PUP) or Adware, which can have a valid signing certificate.
  • Active On - Determines on how many hosts a file is currently active. You can look for suspicious files based on the rarity of a file.

  • Reputation - Leveraging the reputation service is a way to find malicious processes.

  • Analyze events - For further insight to a process, you can analyze console events, network events, file events, process events, and registry events.

    • Network events - Look for any suspicious domains to which the process is connecting. Sometimes malware creates legitimate connections to a known site, such as google.com, bing.com to hide its activity on the network. Look for connections to Dynamic DNS domains where a lot of known malicious activity resides. During analysis, consider uncommon processes making direct connections to an IP address or to a uncommon port number.
    • File and process events - Review process interactions that have occurred on the system with the suspected file. You can look for key events such as writeToExecutable, renameExecutable, and createRemoteThread, which indicate suspicious behavior.
  • Leverage other methods

    • Look up with Google - You can search the file name or hash value against Google to determine if the file is malicious.
    • Look up with VirusTotal – You can search the hash value against the VirusTotal to determine if the file is malicious between multiple AV vendors.
    • Download file – Download and analyze a file to find indicators such as compile time, imported DLLs, section names, and performing string searches. Look for TLD values (.com, .net, .biz) or debug information of a compiled binary (.pdb), which can be easily changed or forged.

    • Time stamp values – Review modified, accessed, and created dates associated with the binary. Review how long a file has been residing on a host. While this value is correct most of the time, attackers can change the time stamp values of a file.

Analyze a Process

Note: Linux is not supported for analyzing a process.

To analyze the process:

  1. Go to INVESTIGATE > Hosts.

  2. Click the hostname.

  3. To analyze process activities of a file, do one of the following:

    • In the Host Details tab:

      a. Click the alert severity.

      The list of distinct alerts is displayed along with the total number of events associated with the alert.

      b. Click the event header and click the Analyze Process link at the bottom.

    • Select the Processes tab and do one of the following:

      - Right-click a process and select Analyze Process from the context menu.

      - Click Analyze Process in the toolbar.

    In the following example, there is one critical alert, where the file powershell has invoked mimikatz, which is a tool to extract plain text passwords, hashes, and kerberos tickets from memory.

    Process event

    Clicking Analyze Process displays the process visualization along with the associated events. Optionally, you can change the time range to view data. Also you can filter the events based on the events category. For more information on filtering, see Analyze Events for a Process.

    Process Analysis

    Note: The result is not displayed in the process visualization view, if there is no data for last seven days or if there is no createprocess event.

  4. Hover over the process name to analyze important process attributes, such as username, launch arguments, reputation, file status, signer, signature, and file path.

    Hover over process name

  5. Click View Process Visualization to load the child processes. The associated events and properties are displayed in the right panel.

Analyze Events for a Process

To analyze events for the selected process:

  1. Perform steps 1 to 5 in Analyze a Process.

  2. In the process visualization, click the Events tab. You can sort the result based on the event time.

  3. To narrow down the search to find any suspicious indicators, behaviors, or specific type of event, filter on a set of matched events based on a category - Process, File, Registry, Network Event, or Console Event (for Windows).

    For example, while viewing events, to view only network connections made by the process, or view the registry modifications done by the process, filter events on these categories.

    Filter events

  4. When you select a category, you have an option filter on action (openProcess, createProcess, and so on). The result displays the sequence of activities involving this process for the selected filters.

    Filter events

Previous Topic:Investigating Hosts
You are here
Table of Contents > Investigating a Process

Attachments

    Outcomes