Investigating a ProcessInvestigating a Process
Note: The information in this topic applies to RSA NetWitness Platform Version 11.3 and later.
Analysts can perform process analysis to investigate a particular process behavior to:
- Understand the entire process event chain, process parent-child relationships, and all associated events in a timeline view.
- Analyze important process attributes, such as username, launch arguments, reputation, file status, signer, signature, risk score, and file path.
The Analyze Process view provides a list of processes captured on hosts in a parent-child hierarchical format over a time range. The process tree is created from the tracking event type "Process event" where the action meta key is createProcess. The agent reports new events for the same createProcess if the following parameters change:
- Parent process filename
- Child process filename
- Launch arguments
- User name
If the above parameters do not change, the event is reported only once every eight hours.
Best PracticesBest Practices
When reviewing a host for malicious activity, there are a few key things to review while looking for malicious processes.
Process Name - When reviewing running processes on a host, check for the name of the program that looks suspicious. Sometimes malware uses random names, such as wzuduje.exe. In some cases, the names might be misleading such as adob3.exe, scvhost.exe, or Microsoft.exe. Being familiar with Windows processes and any type of internal tool that might be used throughout the environment, also helps you to identify potentially malicious or suspicious files.
File Path - Similar to knowing normal and key Windows processes, knowing what path the processes originate from is a key to detect certain processes that imitate the legitimate process. For instance, if you see svchost.exe running on a system from C:\Users\<username>\AppData\Roaming\adobe\ (which is a valid file path), and knowing that the legitimate Windows process originates from C:\Windows\System32\, you can determine that the svchost.exe file starting from the C:\Users\<username>\AppData\Roaming\adobe\ directory is the suspicious one. To help determine further identification of a suspicious process, review the Autoruns tab to see if this process is running as an autorun, service, or task.
File Signature - When a software package is created, it has a valid digital signature. The following are a few exceptions:
- If a process that is running is not digitally signed, it does not automatically confirm that the file is malicious.
- While files may have a valid signature, it does not mean that they are legitimate. There are instances of software identified as a Potentially Unwanted Program (PUP) or Adware, which can have a valid signing certificate.
On Hosts - Indicates the number of hosts on which a file exist. If a file is present on fewer hosts with a high risk score, it may be malicious and needs further investigation.
Reputation - Leveraging the reputation service is a way to find malicious processes.
Analyze events - For further insight to a process, you can analyze console events, network events, file events, process events, and registry events.
- Network events - Look for any suspicious domains to which the process is connecting. Sometimes malware creates legitimate connections to a known site, such as google.com, bing.com to hide its activity on the network. Look for connections to Dynamic DNS domains where a lot of known malicious activity resides. During analysis, consider uncommon processes making direct connections to an IP address or to a uncommon port number.
- File and process events - Review process interactions that have occurred on the system with the suspected file. You can look for key events such as writeToExecutable, renameExecutable, and createRemoteThread, which indicate suspicious behavior.
Leverage other methods
- Look up with Google - You can search the file name or hash value against Google to determine if the file is malicious.
- Look up with VirusTotal – You can search the hash value against the VirusTotal to determine if the file is malicious between multiple AV vendors.
Download file – Download and analyze a file to find indicators such as compile time, imported DLLs, section names, and performing string searches. Look for TLD values (.com, .net, .biz) or debug information of a compiled binary (.pdb), which can be easily changed or forged.
Time stamp values – Review modified, accessed, and created dates associated with the binary. Review how long a file has been residing on a host. While this value is correct most of the time, attackers can change the time stamp values of a file.
Analyze a ProcessAnalyze a Process
Note: Linux is not supported for analyzing a process.
To analyze the process:
Go to Hosts.
Click the hostname.
To analyze process activities of a file, do one of the following:
In the Host Details tab:
a. Click the alert severity.
The list of distinct alerts is displayed along with the total number of events associated with the alert.
b. Click the event header and click the Analyze Process link at the bottom.
Select the Processes tab and do one of the following:
- Right-click a process and select Analyze Process from the context menu.
- Click Analyze Process in the toolbar.
In the following example, the file powershell has invoked mimikatz, which is a tool to extract plain text passwords, hashes, and kerberos tickets from memory.
Clicking Analyze Process displays the process visualization. For each node, the process name, risk score, and type of activity the selected process has performed (network , file , or registry ) are displayed. Optionally, you can change the time range to view data.
You can view the properties, such as process execution details, file properties of the selected process in the bottom of the view.
Note: No result is displayed in the process visualization view if there is no data for last seven days or if there is no createprocess event.
- On the right side of the process visualization view:
- Click Events List to view the associated events. You can also filter events based on the events category. For more information on filtering, see Analyze Events for a Process.
- Click Hosts to view the hosts on which this file is present and the associated risk score. For more information, Analyze Hosts with File Activity.
- Click Risk Details to view the list of distinct alerts, such as Critical, High, Medium and All. For more information, see Analyze Hosts Using the Risk Score.
Hover over the process name to analyze important process attributes, such as username, launch arguments, reputation, file status, signer, signature, and file path.
Click to view the child processes. The Process selection dialog is displayed with the child processes associated with the process based on the risk score. You can filter the result on the event type by clicking icons on the top panel. When no matching event types are available, these filter options are disabled.
Depending on the type of event, the icons are highlights in the Event Types column.
- Click View All to view all child processes or select the required processes and click View selected. The associated events and properties are displayed in the right panel.
Click to change the process selection and click to collapse the view.
Analyze Events for a ProcessAnalyze Events for a Process
To analyze events for the selected process:
Perform steps 1 to 3 in Analyze a Process.
In the process visualization, click the Events tab.
To narrow down the search to find any suspicious indicators, behaviors, or specific type of event, filter on a set of matched events based on a category - Process, File, Registry, Network Event, or Console Event (for Windows).
For example, to view only process events, select the Process Event category, and filter on action.
The result displays the sequence of activities involving this process for the selected filters.
Note: For the console events, the context for local and remote are available only if the data is sent from 11.4 or later agents.