Investigating Hosts

Note: The information in this topic applies to NetWitness Version 11.3 and later.

The Hosts view allows you to investigate a host, including its scan details, the tracking events related to alerts, anomalies, and process details.

Best Practices

The following are some best practices and tips that may help you investigate efficiently to identify and isolate threats or attacks:

netwitness_workflowhosts.png

  • Review the hosts with the highest risk scores and analyze the alerts contributing to the risk. Review the entities involved in the alerts, such as file names and processes. For more information, see Analyze Hosts Using the Risk Score.
  • Review the files or processes that created the suspected file, and check in the Events view whether it accessed or created any other files. For more information, see Analyzing Events.
  • Use the On Hosts column to find rare files. A file present on 100 hosts is probably legitimate; a file present on only a few hosts, with a high risk score, may be malicious and needs further investigation.
  • Filter hosts by host status, risk score, hostname, and so on. For more information, see Filter Hosts.

  • Search Google or VirusTotal with the file hash and review any reported activities. For more information, see Launch an External Lookup for a File.
  • Review the processes, autoruns, files, libraries, drivers, and system information. For example,
    • Search for files in known malware locations. For example,
      • C:\Windows\.
      • C:\Users\<name>\AppData\<uncommon folder>.
      • C:\Users\<name>\AppData\Local\Temp.
      • C:\Windows\Temp\.
    • Search for a particular file name or hash and review the snapshot to check when the file was first seen.

    • Review any network connections established by the process, such as:
      • Domain or IP address.
      • Ports used (common ports such as 80 and 443 versus uncommon ports such as 8080, 8888, and 3465), and whether the ports are actively listening.
    • Check the file compile time. A recent compile time on a file that is otherwise unknown can indicate a newly introduced file, and is a reason to look closer.
    • Check the file creation time on the host.
  • Review reported anomalies, such as suspicious threads, kernel hooks, image hooks, and registry discrepancies. For more information, see Analyze Anomalies.
  • Launch Process Analysis to view the sequence of activities performed on the host by the file or process. For more information, see Analyze Processes.
  • Download suspicious files to the server for deeper analysis. For more information, see Analyzing Downloaded Files.
  • Download MFT, process, or system dump to the server for forensic investigation. For more information, see Performing Host Forensics.
  • If, after investigation, a file is found to be malicious, change the status of the file (blacklist or graylist) and block the infected or malicious file. For more information, see Changing File Status or Remediate.
  • (Optional) If you suspect that a host is potentially compromised with the threat still being active, you can isolate the host from the network and safely investigate possible threats within the host. For more information, see Isolating Hosts from Network.
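The prevalence and location checks in the list above, as an added Python example that is not NetWitness code, run over a constructed set of scan records. The fleet size, the 5% rarity threshold and the path patterns are assumptions, and the record format is this example's own, not the product's.

```python
"""Prevalence and location triage over constructed endpoint scan records.

Added example, not NetWitness code. The records, the fleet size, the 5 %
rarity threshold and the path patterns are all assumptions to be tuned.
"""
import re
from collections import defaultdict

FLEET_SIZE = 200  # assumed number of managed hosts

# Drop locations from the best-practices list above; the regexes are this
# example's interpretation of them (assumption).
SUSPICIOUS_PATH_PATTERNS = [
    re.compile(r"^c:\\windows\\[^\\]+$", re.I),                                  # directly under C:\Windows\
    re.compile(r"^c:\\windows\\temp\\", re.I),                                   # C:\Windows\Temp\
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I),             # C:\Users\<name>\AppData\Local\Temp
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\(?!local\\|locallow\\|roaming\\)", re.I),  # uncommon AppData folder
]


def build_records():
    """Constructed scan records: (hostname, path, sha256, signer or None)."""
    hosts = [f"ws-{i:03d}" for i in range(FLEET_SIZE)]
    records = []
    for h in hosts:  # present on every host, signed: background noise
        records.append((h, r"C:\Windows\System32\svchost.exe", "h-svchost", "Microsoft Windows"))
        records.append((h, r"C:\Windows\notepad.exe", "h-notepad", "Microsoft Windows"))
    for h in hosts[:150]:  # signed installer left in C:\Windows\Temp on most hosts
        records.append((h, r"C:\Windows\Temp\installer.exe", "h-installer", "Example Corp"))
    for h in hosts[:3]:  # rare but signed, in its own Program Files folder
        records.append((h, r"C:\Program Files\Acme\acmetool.exe", "h-acme", "Acme Ltd"))
    for h in hosts[10:12]:  # rare, unsigned, in a user Temp folder
        records.append((h, r"C:\Users\alice\AppData\Local\Temp\update.exe", "h-update", None))
    # single host, unsigned, odd AppData folder, look-alike name
    records.append(("ws-042", r"C:\Users\bob\AppData\Zx9q\svch0st.exe", "h-mimic", None))
    return records


def host_prevalence(records):
    """Number of distinct hosts each SHA-256 was seen on (the On Hosts column)."""
    hosts_by_hash = defaultdict(set)
    for host, _path, sha256, _signer in records:
        hosts_by_hash[sha256].add(host)
    return {sha: len(hosts) for sha, hosts in hosts_by_hash.items()}


def is_suspicious_path(path):
    return any(p.search(path) for p in SUSPICIOUS_PATH_PATTERNS)


def triage(records, fleet_size=FLEET_SIZE, rare_fraction=0.05):
    """One finding per hash that has at least one reason, most suspicious first.

    A file is 'rare' when it is on at most rare_fraction of the fleet; rarity,
    location and a missing signature each add a reason, and findings are
    ordered by reason count and then by prevalence (fewest hosts first).
    """
    prevalence = host_prevalence(records)
    rare_limit = max(1, int(fleet_size * rare_fraction))
    by_hash = {}
    for _host, path, sha256, signer in records:
        f = by_hash.setdefault(sha256, {"sha256": sha256, "hosts": prevalence[sha256],
                                         "paths": set(), "reasons": set()})
        f["paths"].add(path)
        if prevalence[sha256] <= rare_limit:
            f["reasons"].add(f"rare: seen on {prevalence[sha256]} of {fleet_size} hosts")
        if is_suspicious_path(path):
            f["reasons"].add("suspicious location")
        if signer is None:
            f["reasons"].add("unsigned")
    findings = [f for f in by_hash.values() if f["reasons"]]
    findings.sort(key=lambda f: (-len(f["reasons"]), f["hosts"]))
    return findings


if __name__ == "__main__":
    for f in triage(build_records()):
        print(f"{f['sha256']:<12} hosts={f['hosts']:<4} {sorted(f['reasons'])}")
```

Rarity on its own is weak evidence (the signed Acme tool is rare but benign), and a suspicious location on its own is weak (notepad.exe sits directly under C:\Windows on every host); it is the combination of rare, unsigned and in a drop location that pushes the two user-Temp files to the top of the list.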

View Hosts

You can view all hosts on a specific Endpoint server, or a consolidated list of hosts across multiple Endpoint servers through the Endpoint Broker. By default, hosts are sorted by risk score. To view the hosts:

  1. Go to Hosts.
  2. Select from the following:

    • Endpoint Broker Server to view all hosts across all Endpoint servers. When querying, the Endpoint Broker ignores Endpoint servers that are offline. If an Endpoint server is online but not responding, the Endpoint Broker waits for 10 seconds and then ignores that server for the query.
    • Endpoint Server to view hosts on a specific Endpoint server.

      netwitness_12.1_hosts_view_endpoint_1122_1175x556.png

  3. Select a host that you want to analyze.
  4. Click a row to view the following details:
    • Host Details displays the host information such as Network Interfaces, operating system, hardware and others.
    • Risk Details displays the distinct alerts associated with the risk score and their severity. Click Critical, High, Medium, or All to display the alerts of that severity. For more information, see Analyzing Risky Users.
  5. Click Show next 100 hosts to view other hosts.
  6. Click the host name to investigate the scan results. For more information, see Analyze Host Details.

Manage Hosts Using Tags

From version 11.7 and later, NetWitness Platform allows you to create tags to manage hosts effectively. Tags are custom text labels that you create and assign to hosts to identify them. A tag can contain letters, numbers, and special characters, except \ ' , [ ] " and space. You can use tags to create host groups, and you can filter hosts by tag using the filters pane on the Hosts screen.

Manage Tags

The Manage Tags option allows you to create and delete tags without selecting any hosts.

To Create Tags:

  1. Click Tags > Manage Tags on the Hosts tab.

    netwitness_12.1_tags_manage_tags._1122_1375x135.png

  2. Enter a valid tag in the text field on the Manage Tags pop-up and click netwitness_plus.jpg.

    netwitness_createtag.jpg

    • The tag is created and a success message appears.

    netwitness_12.1_crtagsu_1122.jpg

  3. Repeat step 2 to create more tags.

To Delete Tags:

  1. Click Tags > Manage Tags on the Hosts tab.

    netwitness_12.1_tags_manage_tags._1122_1375x135.png

  2. Select the tags that you want to delete and click Delete on the Manage Tags pop-up.

    netwitness_deltagpp.jpg

  3. Click Delete on the Delete Tags confirmation pop-up.

    netwitness_deltagpp2.jpg

    Note: Tags you delete are also unassigned from all associated hosts. If those hosts belong to groups that use these tags as one of the criteria, the hosts are no longer part of those groups. Refer to What happens next after unassigning or deleting tags from hosts? for more information.

Assign tags

  1. Select one or more hosts on the Hosts tab.

  2. Do one of the following:

    • Select Tags > Assign Tags from the menu.

    netwitness_12.1_assign_tags_hosts_endpoint_1122_1690x164.png

    • Right-click a selected host and select Assign Tags.

    netwitness_12.1_select_host_assign_tags_endpoint_1122_1938x766.png

  3. The Assign Tags pop-up appears and shows all the existing tags. You can either:

    • Enter a valid tag and click netwitness_plus.jpg to create it. The newly created tag is selected by default.

    netwitness_astagpp2.png

    • Search for an existing tag using the text field and select it.

    netwitness_astagpp.png

  4. Click Assign. The tags are assigned to the selected hosts.

    netwitness_12.1_astag2_1122.png

Create and Assign Tags When Generating the Agent Packager

You can add tags to the hosts while installing the Endpoint agents. When generating the agent packager on the Agent Packager tab, you can either create new tags or select already existing tags. These tags will automatically be assigned to the host in which the agent will be installed.

  1. Click Assign Tags under TAG CONFIGURATION on the Agent Packager tab.

    netwitness_agpack.jpg

  2. On the Assign Tags pop-up, do one of the following:

    • Search for an existing tag using the text field, select it, and click Assign.

    netwitness_agpackpp.jpg

    • Enter a new tag in the text field and click netwitness_plus.jpg to add it to the selection. Click Assign.

  3. Assigned tags appear under SELECTED TAGS.

netwitness_agpaksetag.jpg

Unassign tags

  1. Select one or more hosts on the Hosts tab.

  2. Do one of the following:

    • Select Tags > Unassign Tags from the menu.

    netwitness_12.1_unassign_tags_hosts_endpoint_1122_1952x229.png

    • Right-click a host and select Unassign Tags.

    netwitness_12.1_select_hosts_unassign_tags_endpoint_1122_1622x633.png

    The Unassign Tags pop-up appears and shows all the tags assigned to the selected hosts.

  3. Search for the tags you want to unassign, select them, and click Unassign.

    netwitness_unaspp.jpg

  4. Click Unassign on the confirmation pop-up.

    netwitness_unasppcnf.jpg

    The tags are unassigned from the selected hosts.

netwitness_12.1_unasbanner_1122.png

What happens next after unassigning or deleting tags from hosts?

Unassigning or deleting tags from hosts immediately triggers group and policy evaluation. For example, if a host is part of a group whose only criterion is the unassigned or deleted tag, the host is no longer part of that group. The following scenarios illustrate this.

Example Scenario 1: You create a group with two tags as the grouping criteria; all hosts with these tags assigned are part of the group. If you delete these two tags (or unassign them from the hosts), the hosts are no longer part of the group.

Example Scenario 2: You create a group with two tags and IP addresses as the grouping criteria; all hosts with these tags and IP addresses are part of the group. If you delete (or unassign) the tags alone, the hosts may still be part of the group, because they still match the IP address criteria.

View Agent History

You can view the list of commands issued to the agents (by the server, or through actions performed by an analyst) in the Hosts view and in the Host details. By default, commands are sorted by command time.

To view the commands:

  1. Go to Hosts.
  2. Do any one of the following,
    • To view all commands, click netwitness_hisicon_30x32.png. You can also filter commands, for more information see Filter Hosts.
      netwitness_hisicohig.png

    The Agent History view is displayed. For more details, see Analyze History.

    • To view commands specific to a particular host:
      • Click the host for which you want to view the commands.
      • In the Host details view, click History tab. You can also filter commands, for more information see Filter Host Details.
        The History view is displayed. For more details, see Analyze History.
        netwitness_history_tab_hosts_view.png

Filter Hosts

You can filter hosts on agent version, agent ID, agent mode, agent upgrade, agent last seen, last scan time, operating system, hostname, username, MAC address, risk score, IPv4, driver error code, security configurations, agent groups, and host status (managed, roaming, and isolated).

In the Hosts view, click netwitness_hisicon_30x32.png to filter the commands on command type, status, host name, request type, command parameter, and command time. In the Command Time field, you can filter by a custom date range.

Note: While filtering on a large amount of data, use at least one indexed field with the Equals operator for better performance. The following fields are indexed in the database - Hostname, IPv4, Operating System, Last Scan Time, and Risk Score.

netwitness_12.1_hosfil_1122_674x516.png

To search for multiple values within a field, set the filter option to Equals and use || as a separator.

For example, use the Equals operator with multiple IPv4 values separated by ||.

netwitness_eqlsop_274x460.png

To filter on the agent last seen or last scan time, select the option from the drop-down list. If you select 3 Hours ago for the Last Scan Time, the result displays hosts that were last scanned 3 hours ago or earlier.

To filter on the risk score, use the slider to set a range between 0 and 100.

netwitness_riskscoreslider_280x467.png

Click Save to save the filter and provide a name (up to 250 alphanumeric characters). The filter is added to the Saved Filters panel on the left. To delete a filter, hover over the filter name and click netwitness_deleteicon_15x15.png.

Note: Special characters are not allowed except underscore (_) and hyphen (-) while saving the filter.

To filter the agents based on the upgrade status, select one of the upgrade statuses. For example, select the Upgrade Available checkbox to get the list of agents available for an upgrade.

netwitness_upgrade_available_269x446.png

To filter the agents based on single or multiple agent groups, select a group from the drop-down list. You can also search the name of the groups from this list.

netwitness_agent_group_275x363.png

To filter the agents based on the installation status, select one of the installation statuses. For example, select the Uninstalled checkbox to get the list of agents for which the uninstall is initiated or successfully completed.

netwitness_agent_status_275x465.png


Adding and Sorting Columns in the Table

By default, the Hosts view displays a few columns and the hosts are sorted based on the risk score. To add or remove columns:

  1. Go to Hosts.
  2. Select the columns by clicking netwitness_colchooser.png in the right-hand corner.

    netwitness_colsel.png

  3. Scroll down or enter the keyword to search for the column.
  4. Click the arrow on the column header to sort the column in ascending or descending order.

Scan Hosts

Perform an on-demand scan to get the latest snapshot of the host.

You can either choose to perform a quick scan or a full system scan.

Quick scan - Scans all executable files that are loaded in memory. Both Insights and Advanced agents support quick scan.

Full System Scan - Scans all fixed drives or only the system drive. You can perform a full system scan only on advanced agents at version 11.6 or later. Native executables are included in the full system scan by default.

When hosts are scanned, the Endpoint Agent retrieves the following data that can be used for investigation:

  • Drivers, processes, DLLs, files (executables), services, autoruns, anomalies, host file entries, and scheduled tasks running on the host.
  • System information such as network share, installed Windows patches, Windows tasks, logged-in users, bash history, and security products installed.

To perform a Quick Scan:

  1. Go to Hosts.

  2. Select one or more hosts (up to 100) at a time, and do one of the following:

    • Click Scan > Start Scan from the menu.
    • Right-click and select Start Scan from the context menu.

  3. Click Start Scan on the pop-up. A quick scan is initiated for the executable modules loaded in memory.

The following are the scan statuses:

  Status     Description
  Idle       No scan is in progress.
  Scanning   Scan is in progress.
  Pending    Scan request is sent to the server, and the agent will receive the request the next time it communicates with the server.
  Cancel     Stop request is sent to the server, and the agent will receive the request the next time it communicates with the server.

Note: By default, the scan uses 25% of the CPU. You can click CPU Maximum and select a value from 5% to 100%. A higher CPU Maximum shortens the scan time at the cost of higher CPU usage on the host during the scan.

To perform a Full System Scan:

  1. Go to Hosts.

  2. Select one or more hosts (up to 100) at a time for an on-demand scan, and do one of the following:

    • Click Scan > Start Scan from the menu bar.
    • Right-click and select Start Scan from the context menu.

netwitness_12.1_fullscan_1122.png

  3. In the Start Scan pop-up, select Full System Scan (available only on advanced agents at version 11.6 or later).

  4. Select System Drive (the default) or All Fixed Drives.

  5. Click Start Scan.

netwitness_fullscanpopup.png

Note: An Endpoint server supports up to 10,000 Full System Scans in a rollover period.

Standalone Scan on Air-gapped Windows Hosts

The standalone scan feature allows administrators to run scans on air-gapped Windows hosts that are disconnected from the network. Administrators download the scan command once from the UI and execute it on multiple hosts. For the best use of resources, we recommend running a standalone scan every two weeks. Policies do not apply to air-gapped hosts, and features such as downloading the MFT or a file to the server and upgrading agents through the UI are not available for standalone agents.

The scan process involves two files:

  • Offline Scan Configuration - Contains the configuration information needed to run the scan.

  • Scan Results File – This contains the results of the Scan, which you can upload using the Scan > Upload Offline Scan File option on the Hosts view. This file will be imported and processed by NetWitness.

Standalone scan workflow:

netwitness_flowchart.png

Note: Both Download Offline Scan Configuration and Upload Offline Scan File options are available only on the Endpoint server view. These options can’t be accessed from Broker view.

Generate the scan configuration file

1. Click Scan > Download Offline Scan Configuration on the Hosts screen.

netwitness_12.1_scan_1122.png

On the Download Offline Scan Configuration pop-up,

2. (Optional) Select CPU Maximum.

3. Enter a Password (not more than 31 characters).

4. Click Download.

netwitness_scanpw.png

5. Transfer the Offline Scan Configuration file to the air-gapped host.

Install Endpoint Agent and Register for Standalone Scan

  1. Install the Endpoint Agent on the air-gapped host. Refer to Endpoint Agent Installation Guide for more information.

  2. Register the agent for standalone scan (required only once, after the agent is installed):

    • Open a command prompt as administrator and run:

      ServiceName.exe /standalone

      Example: NweAgent.exe /standalone

Start a Standalone scan

1. Open a command prompt as administrator on the air-gapped host.

2. Run the scan with the following syntax:

ServiceName.exe /scan /password "<password>" /scanfile "<scan config file>"

Example: NweAgent.exe /scan /password "Abc123$" /scanfile "C:\Users\johndoe\Downloads\2021-12-06-Full Scan Configuration.scanfile"

  • <password> is the password entered while generating the Offline Scan Configuration file.

  • <scan config file> is the full path of the scan configuration file.

3. Wait until the scan is completed.

4. Transfer the scan result file (a password-protected .zip file) back to a machine from which you can upload it to the UI.

Upload the Standalone scan result file

1. Click Scan > Upload Offline Scan File on the Hosts screen.

netwitness_scanpwfill.png

2. Click netwitness_openicon.png and upload the scan result file.

3. Enter the same password that was entered while downloading the offline scan configuration file.

4. The Endpoint server will process the scan result file once successfully uploaded.

netwitness_12.1_fulscansuccess_1122.png

Note: Standalone agents can only be upgraded manually using the Endpoint agent packager. Refer to Generate an Endpoint Agent Packager on Endpoint Agent Installation Guide for more information.

Analyze Hosts Using the Risk Score

You can investigate a host by analyzing the risk contributors such as alerts and events to look for suspicious or malicious activity.

Based on the severity of the alert triggered by the host, you can analyze the host using the following options:

  • View Alert Details: This option allows you to analyze the host when Critical and High alerts are triggered. For more information, see Investigating a Process.

  • Analyze Process Tree: This option allows you to analyze the host when Medium alerts are triggered. For more information, see Investigating a Process.

To analyze the hosts (which trigger Critical or High alerts) using the risk score:

  1. Go to Hosts.

    The Hosts view is displayed.

  2. In the Server drop-down list, select the Endpoint server or Endpoint Broker server to view the hosts.

  3. Select the host and do any of the following.
    • Click a row to view the risk associated with the host in the Risk Details panel.
    • Click the hostname to investigate the host.

      The Alerts tab is displayed.

  4. In the Alerts > Severity panel, click the alert severity such as Critical or High.

    The list of distinct alerts is displayed along with the total number of events associated with the alert.

  5. Click an alert to view the associated events.

    netwitness_event_metadata_2204x816.png

    Note: For each alert, only the latest 1000 events are displayed.

  6. To view all the details associated with a specific event, click on an event. The Event Details panel is displayed with the summary and overview information associated with the event.

    netwitness_event_metadata_337x137.png

  7. You can also view the Event Metadata such as IP, Filename, File hash, and Category in the Event Details panel.

  8. Click the drop-down option beside the metadata value to view additional information about that metadata. The Context Highlights dialog lists the data sources that have context data available for the meta value. The possible data sources are NetWitness Endpoint, Incidents, Alerts, Hosts, Files, and Feeds.

    netwitness_context_highlights_event_metadata_717x336.png

  9. To investigate the original event and destination domain of the event, do any of the following:

    • To investigate the events in a specific time frame, click Investigate Timeline on the Event Details panel. For more information, see the NetWitness Investigate User Guide.

    • To investigate a particular process, click View Alert Details on the Event Details panel. For more information on process analysis, see Investigating a Process.

To analyze the hosts (which trigger Medium alerts) using the risk score:

  1. Go to Hosts.

    The Hosts view is displayed.

  2. In the Server drop-down list, select the Endpoint server or Endpoint Broker server to view the hosts.

  3. Select the host and do any of the following.
    • Click a row to view the risk associated with the host in the Risk Details panel.
    • Click the hostname to investigate the host.

      The Alerts tab is displayed.

  4. In the Alerts > Severity panel, click the Medium alert severity.

    The list of distinct alerts is displayed along with the total number of events associated with the alert.

  5. Click an alert to view the associated events.

    Note: For each alert, only the latest 1000 events are displayed.

  6. To view all the details associated with a specific event, click on an event. The Event Details panel is displayed with the summary and overview information associated with the event.

    netwitness_medium_alerts_analyze_process_tree_option_1647x591.png

  7. You can also view the Event Metadata such as IP, Filename, File hash, and Category in the Event Details panel.

  8. Click the drop-down option beside the metadata value to view additional information about that metadata. The Context Highlights dialog lists the data sources that have context data available for the meta value. The possible data sources are NetWitness Endpoint, Incidents, Alerts, Hosts, Files, and Feeds.

    netwitness_context_highlights_event_metadata_731x343.png

  9. To investigate the original event and destination domain of the event, do any of the following:

    • To investigate the events in a specific time frame, click Investigate Timeline on the Event Details panel. For more information, see the NetWitness Investigate User Guide.

    • To investigate a particular process, click Analyze Process Tree on the Event Details panel. For more information on process analysis, see Investigating a Process.

      netwitness_medium_alerts_analyze_process_tree_2163x776.png

Analyze Host Details

To look for suspicious files on a host, click the host name and view the details of the host, or start an on-demand scan to get the most recent information. On the right-hand panel, you can view the following:

  • Host Details displays the host information, such as Network interface, operating system, hardware and others.

  • Policy Details displays the complete resolved policy settings.

For more details, see Hosts View - Details Tab.

netwitness_host_details_policy_details_hosts_view_endpoint_1020x452.png

Filter Host Details

In the Processes, Autoruns, Files, Drivers, Libraries, and Anomalies tabs, you can filter the processes or files on file status, reputation, file or process name, signature, and risk score.

In the Host view > Files tab, you can filter the files available on the host and the files deleted from the host. The results for deleted files depend on the data retention policy configured in the Endpoint Config view > Data Retention Scheduler tab. By default, the retention policy is 30 days, which means that only 30 days of deleted files are stored on the Endpoint server. These filter options are disabled if the All Files Available on Host toggle is disabled.

In the Host view > History tab, you can filter the commands on command type, status, host name, request type, command parameter and command time. In the Command Time field, you can filter by custom date range.

Click Save to save the filter and provide a name (up to 250 alphanumeric characters).The filter is added to the Saved Filters panel on the left. To delete a filter, hover over the filter name and click netwitness_deleteicon_15x15.png.

Note: Special characters are not allowed except underscore (_) and hyphen (-) while saving the filter.

Search Files on Host

To investigate a host or to check if it is infected with a known malware, you can search for occurrences of the file name, file path, or SHA-256 checksum.

Note: To search for a SHA-256 checksum, provide the entire hash string in the search box.

The result displays the matching files present on the host in the All Files Available on Host category and in the respective snapshot category, with details such as file name, signature information, and checksum. In addition, the snapshot category displays the system interaction, for example, ran as process, library, autorun, service, task, or driver. To view more details, click the file name or the system interaction link.

For example, a user has opened and executed a malicious attachment from a phishing email, which was downloaded to C:\Users. To investigate this file:

  1. Go to Hosts.

  2. Select the host that you want to investigate or select the Endpoint Broker server to investigate all the hosts.

  3. In the Alerts tab, enter the file path C:\Users in the search box.

    The search displays a maximum of 100 results for the executables in this folder. In this example, there are some unsigned files that might be malicious. If the search is executed on an Endpoint Broker server, it queries all the Endpoint servers.

    netwitness_c_users_alerts_tab_315x602.png

    This file is run as a Process.

  4. To view details of this file, click Process in the result.

    This opens the Process tab where you can view the process details.

Analyze Processes

To analyze the process:

  1. In the Hosts details, select the Processes tab.

    netwitness_12.1_proctab_1122_1095x514.png

    To view the process tree, click the toggle switch. The following is an example of the tree view:

    netwitness_12.1_prctree_1122_1054x495.png

  2. In the Processes Tab, do one of the following:

    • Click a row to view the properties of a process in the right panel.

      netwitness_12.1_procdetails_1122_960x472.png

    • Click the process name to view the process details of a specific process.

      netwitness_12.1_procdetails1_1122_642x350.png

When reviewing processes, always check the launch arguments. Even legitimate files can be used for malicious purposes, so review the arguments of every process to determine whether there is any malicious activity.

For example,

  • rundll32.exe is a legitimate Windows executable that is categorized as a good file. However, an adversary may use it to load a malicious DLL. Therefore, when viewing processes, review the arguments of rundll32.exe to see which DLL and entry point it was given.
  • LSASS.EXE is a child of WININIT.EXE and should not have child processes. Malware often reads the memory of this process to dump credentials, or mimics its name to hide on a system (lass.exe, lssass.exe, lsasss.exe, and so on).

  • Most legitimate user applications, such as Adobe Reader and web browsers, do not spawn child processes such as cmd.exe. If you encounter this, investigate the processes.

You can view the sequence of activities performed on the host by the file or process using the process analysis. For more information, see Investigating a Process.
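The three checks above, applied to a constructed process snapshot as an added Python example that is not NetWitness code. The snapshot is made up; the set of user-facing applications and the set of shells are assumptions, and the shell set extends the page's cmd.exe with PowerShell and the Windows script hosts.

```python
"""Parent/child and launch-argument checks over a constructed process snapshot.

Added example, not NetWitness code. The snapshot is made up; the sets of
user-facing applications and shells are assumptions that extend the page's
Adobe/browser and cmd.exe examples with PowerShell and the script hosts.
"""
import re
from collections import defaultdict, namedtuple

Proc = namedtuple("Proc", "pid ppid name cmdline")

EXPECTED_PARENT = {"lsass.exe": "wininit.exe"}   # and lsass.exe must have no children
USER_APPS = {"acrord32.exe", "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\users\\|\\temp\\|\\programdata\\", re.I)
# "<rundll32 image> <dll or quoted dll>,<entry point> ..." -> capture the dll token
RUNDLL32_ARG = re.compile(r'^\s*"?(?:\S*\\)?rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|(\S+))', re.I)

# Constructed snapshot: pid, ppid, image name, launch arguments.
SNAPSHOT = [
    Proc(4, 0, "System", ""),
    Proc(500, 4, "wininit.exe", "wininit.exe"),
    Proc(620, 500, "lsass.exe", r"C:\Windows\system32\lsass.exe"),
    Proc(800, 620, "cmd.exe", "cmd.exe /c whoami"),                            # lsass.exe must not spawn anything
    Proc(700, 680, "explorer.exe", r"C:\Windows\explorer.exe"),                # parent (userinit.exe) already exited
    Proc(950, 700, "lsass.exe", r"C:\Users\bob\AppData\Roaming\lsass.exe"),   # wrong parent and wrong path
    Proc(1100, 700, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    Proc(1200, 1100, "cmd.exe", "cmd.exe /c powershell -w hidden -enc <payload>"),  # browser spawning a shell
    Proc(1300, 700, "rundll32.exe", r"rundll32.exe C:\Users\bob\AppData\Local\Temp\x.dat,DllMain"),
    Proc(1400, 700, "rundll32.exe", r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"),
]


def check_rundll32_args(cmdline):
    """Return a reason if rundll32.exe is loading something it should not, else None."""
    m = RUNDLL32_ARG.match(cmdline)
    if not m:
        return "rundll32.exe launched without a recognisable DLL argument"
    target = (m.group(1) or m.group(2)).split(",", 1)[0]   # "<dll>,<entry point>" -> "<dll>"
    reasons = []
    if not target.lower().endswith(".dll"):
        reasons.append("non-.dll file")
    if USER_WRITABLE.search(target):
        reasons.append("user-writable path")
    if not reasons:
        return None
    return f"rundll32.exe loads {target}: " + ", ".join(reasons)


def analyze_process_tree(processes):
    """Return (pid, reason) for every relationship or argument the rules reject."""
    by_pid = {p.pid: p for p in processes}
    children = defaultdict(list)
    for p in processes:
        children[p.ppid].append(p)

    findings = []
    for p in processes:
        name = p.name.lower()
        parent = by_pid.get(p.ppid)                       # None when the parent has exited
        parent_name = parent.name.lower() if parent else None

        # 1. lsass.exe: must be started by wininit.exe and must have no children
        if name in EXPECTED_PARENT:
            if parent_name != EXPECTED_PARENT[name]:
                findings.append((p.pid, f"{p.name} started by {parent_name}, expected {EXPECTED_PARENT[name]}"))
            for child in children[p.pid]:
                findings.append((child.pid, f"{child.name} spawned by {p.name}, which should have no children"))

        # 2. user-facing applications should not spawn shells
        if name in SHELLS and parent_name in USER_APPS:
            findings.append((p.pid, f"{parent.name} spawned {p.name}: {p.cmdline}"))

        # 3. rundll32.exe: what is it loading, and from where?
        if name == "rundll32.exe":
            reason = check_rundll32_args(p.cmdline)
            if reason:
                findings.append((p.pid, reason))
    return findings


if __name__ == "__main__":
    for pid, reason in analyze_process_tree(SNAPSHOT):
        print(f"pid {pid}: {reason}")
```

The rules are deliberately narrow. Normal parent/child pairs differ between Windows versions, and some parents exit immediately (userinit.exe for explorer.exe), so a missing parent is treated as unknown rather than as an anomaly; only the relationships the page states as fixed are enforced.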

Analyze Autoruns

In the Hosts details, select the Autoruns tab. You can view the autoruns, services, tasks, and cron jobs that are running for the selected host.

For example, in the Services tab you can compare the file creation time with the compile time. The compile time is stored in the PE header of each portable executable (PE) file, in the TimeDateStamp field of the COFF file header. Although an adversary can easily change it before deploying to a victim's endpoint, it is rarely tampered with, so it can indicate when a new file was introduced. Compare it with the file's creation time on the system: if a file was compiled a few days ago but its creation time on the system is several years earlier, the creation time has been backdated and the file has been tampered with.
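An added Python example, not NetWitness code, that reads the COFF TimeDateStamp from a PE image and applies the comparison above. The image is fabricated in the block by build_minimal_pe (a real file would be read from disk), the one-day skew allowance is an assumption, and the function names are this example's own.

```python
"""Read the PE compile time and compare it with the host's file creation time.

Added example, not NetWitness code. build_minimal_pe() fabricates a header
just large enough for the parser; a real file would be read from disk.
"""
import struct
from datetime import datetime, timedelta, timezone

# Constructed times for the demo: build time, a fixed 'now', and two creation
# times as a host might report them.
COMPILED_AT = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)
CREATED_BACKDATED = datetime(2019, 6, 1, tzinfo=timezone.utc)   # host says created in 2019
CREATED_PLAUSIBLE = datetime(2024, 3, 2, tzinfo=timezone.utc)   # host says created the next day


def build_minimal_pe(compile_time):
    """Constructed image: DOS header with e_lfanew, 'PE\\0\\0', and a COFF file header."""
    ts = int(compile_time.timestamp())
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)   # e_lfanew at 0x3C -> PE header at 64
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, ts, 0, 0, 0, 0x0022)
    return dos_header + b"PE\x00\x00" + coff


def pe_compile_time(image):
    """TimeDateStamp from the COFF file header, as an aware UTC datetime."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    # 4-byte signature, then Machine (2) and NumberOfSections (2) precede the stamp
    (ts,) = struct.unpack_from("<I", image, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_verdict(compile_time, created_on_host, now, skew=timedelta(days=1)):
    """Compare the compile time with the creation time recorded on the host."""
    if compile_time > now + skew:
        return "compile time in the future: forged or not a real timestamp"
    if compile_time > created_on_host + skew:
        return "created before it was compiled: creation time backdated (timestomping)"
    return "consistent"


def assess(image, created_on_host, now=None):
    """(compile time, verdict) for a PE image and the host-reported creation time."""
    now = now or datetime.now(timezone.utc)
    compiled = pe_compile_time(image)
    return compiled, timestamp_verdict(compiled, created_on_host, now)


def run_demo():
    """Verdicts for the two constructed host creation times."""
    image = build_minimal_pe(COMPILED_AT)
    return {
        "backdated": assess(image, CREATED_BACKDATED, NOW)[1],
        "plausible": assess(image, CREATED_PLAUSIBLE, NOW)[1],
    }


if __name__ == "__main__":
    for label, verdict in run_demo().items():
        print(f"{label}: {verdict}")
```

Two caveats when reading the result. Since Windows 10, Microsoft-built binaries use reproducible builds whose TimeDateStamp is a hash of the build inputs rather than a date, so an absurd compile time on a Microsoft-signed file is expected and not a finding. And both values can be forged, so agreement between them is weak evidence of legitimacy, while a file that predates its own build is strong evidence that one of them was edited.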

Analyze Files

To analyze the files, you can do either one of the following based on your requirement.

  • In the Hosts view, select the Files tab.
    You can view the list of all files (reported as part of scan and tracking) on the host including the deleted files.
    netwitness_hosts_files_tab_1978x795.png
  • To view the files reported as part of scan snapshot, you must disable All Files Available On Host toggle and select the scan time from the Snapshot drop-down list.

For example, many trojans use random file names when dropping their payloads, to defeat a simple file-name search across the endpoints in the network. Others mimic legitimate names: a file named svch0st.exe, scvhost.exe, or svchosts.exe is imitating the legitimate Windows file svchost.exe.
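The look-alike names in this section (svch0st.exe, scvhost.exe, svchosts.exe) and the lsass.exe imitations listed under Analyze Processes (lass.exe, lssass.exe, lsasss.exe) can be caught by one check. The following is an added Python example, not NetWitness code: the canonical list goes beyond the page's two names, and the expected directories, the digit-to-letter map and the one-edit rule are assumptions.

```python
"""Flag process or file names that imitate core Windows executables.

Added example, not NetWitness code. The canonical list extends the page's
svchost and lsass with a few other core processes; the expected directories,
the digit-to-letter map and the one-edit rule are assumptions.
"""
import ntpath

# Digits commonly substituted for letters in look-alike names (assumption).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Canonical name -> directory it legitimately runs from.
CANONICAL = {
    "svchost": r"c:\windows\system32",
    "lsass": r"c:\windows\system32",
    "csrss": r"c:\windows\system32",
    "winlogon": r"c:\windows\system32",
    "services": r"c:\windows\system32",
}

# Constructed paths as they might appear in the Files or Processes tab.
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",              # legitimate
    r"C:\Windows\System32\lsass.exe",                # legitimate
    r"C:\Program Files\Vendor\host.exe",             # unrelated name
    r"C:\Users\bob\AppData\Roaming\svch0st.exe",     # zero for 'o'
    r"C:\ProgramData\scvhost.exe",                   # transposed letters
    r"C:\Windows\Temp\svchosts.exe",                 # extra letter
    r"C:\Users\bob\AppData\Local\Temp\svchost.exe",  # right name, wrong directory
    r"C:\Users\bob\lass.exe",                        # missing letter
    r"C:\Windows\lssass.exe",                        # extra letter
    r"C:\Users\bob\AppData\Local\lsasss.exe",        # extra letter
]


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(path):
    """Return (canonical name, reason) if the file looks like an imitation, else None."""
    directory, filename = ntpath.split(path)          # ntpath: Windows paths on any host
    stem = ntpath.splitext(filename)[0].lower()
    normalized = stem.translate(HOMOGLYPHS)
    for canon, expected_dir in CANONICAL.items():
        if stem == canon:
            if directory.lower() != expected_dir:
                return canon, f"legitimate name outside {expected_dir}"
            return None
        if normalized == canon:
            return canon, "digit substituted for a letter"
        if osa_distance(normalized, canon) == 1:
            return canon, "one edit away"
    return None


def find_lookalikes(paths):
    """(path, canonical, reason) for every path that classify() rejects."""
    out = []
    for path in paths:
        hit = classify(path)
        if hit:
            out.append((path, hit[0], hit[1]))
    return out


if __name__ == "__main__":
    for path, canon, reason in find_lookalikes(SAMPLE_PATHS):
        print(f"{path}: looks like {canon}.exe ({reason})")
```

An edit distance of 1 is deliberately tight; widening it to 2 catches more variants but starts matching unrelated short names, so pair the name check with the directory check rather than loosening it.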

Analyze Libraries

In the Hosts details, select the Libraries tab. You can view the list of libraries loaded at the time of scan.

For example, a file with high entropy is flagged as packed. Packing compresses or encrypts the file, either to reduce its size or to obfuscate malicious strings and configuration data.
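An added Python example, not NetWitness code, of the entropy calculation behind that flag, computed for the whole file and per fixed-size window. The 7.0-bit threshold, the window size and the sample inputs are assumptions.

```python
"""Shannon entropy of a whole file and of fixed-size windows, to flag packing.

Added example, not NetWitness code. The 7.0-bit threshold and the 1 KiB
window are assumptions; the samples are generated inside the block.
"""
import math
import random


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant run, approaching 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def entropy_profile(data, window=1024):
    """Entropy of each window, so a packed payload behind a plain stub still shows."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def looks_packed(data, threshold=7.0, min_fraction=0.5, window=1024):
    """True when at least min_fraction of the windows are at or above the threshold."""
    profile = entropy_profile(data, window)
    high = sum(1 for e in profile if e >= threshold)
    return bool(profile) and high / len(profile) >= min_fraction


def build_samples():
    """Constructed inputs: plain text, seeded random bytes, and a stub followed by a payload."""
    rng = random.Random(1)
    text = (b"This is a perfectly ordinary configuration string. " * 200)[:8192]
    packed = bytes(rng.getrandbits(8) for _ in range(8192))   # stands in for a packed section
    stub_plus_payload = text[:2048] + packed[:6144]
    return {"text": text, "packed": packed, "stub_plus_payload": stub_plus_payload}


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(f"{name:<18} entropy={shannon_entropy(data):.2f} packed={looks_packed(data)}")
```

Whole-file entropy is diluted by a large plain stub, which is why the per-window profile is kept. Legitimately compressed content (installers, media, encrypted archives) also scores high, so a packed flag is a reason to look, not a verdict.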

Analyze Drivers

In the Hosts details, select the Drivers tab. You can view the list of drivers running on the host at the time of scan.

For example, using this panel you can check whether a driver is signed or unsigned. A file signed by a trusted vendor such as Microsoft or Apple, with a signature status of valid, is generally a good file. A valid signature proves who signed the file, not that it is benign: stolen or abused signing certificates do occur, so treat the signer as one input to the decision alongside prevalence and behavior.

Analyze Anomalies

Note: This tab is available only for advanced agents.

In the Hosts details, select the Anomalies tab. You can view the following details for the selected host:

  • Image hooks - Hooks found in executable images (user-mode or kernel-mode) - IAT, EAT, Inline, exceptionHandler.
  • Kernel hooks - Hooks found on kernel objects (such as Driver Object [Pointers, IRP_MJ, SSDT, IDT, and so on]). This also includes filter devices.
  • Suspicious threads - Threads whose starting address points to memory DLLs or floating code. The threads could be running with either user-mode or kernel-mode privileges. These threads could run malicious code inside a trusted application to execute their own code.
  • Registry discrepancies - The Windows registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components and for applications running on the platform: the kernel, device drivers, services, SAM, user interface, and third-party applications all use the registry. Discrepancies between a low-level parse of the registry and the values returned by the Win32 registry API are reported; a key or value that is hidden from the API is a classic rootkit indicator.

Note: Anomalies is applicable only for Windows hosts.

For example, hooking is used to intercept calls in a running application and to capture information about the API invocations. Malicious programs can implant hooks in various system applications for different purposes, such as hiding files, directories, and registry entries, intercepting users' keystrokes, or establishing a stealthy communication channel with the attacker.

Analyze System Information

In the Hosts details, select the System Information tab. This panel lists the agent's system information. For the Windows operating system, the panel also displays the hosts file entries and network shares of that host.

For example, malware might use host file entries to block antivirus updates.
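The hosts file check above is easy to automate. The following Python is an added example (not NetWitness code) that parses hosts file content and flags entries pinning update or security-vendor domains, distinguishing sinkholed entries (0.0.0.0, loopback) from redirections to some other address. The watch-list, the sample hosts file and the av-vendor.example placeholder domain are constructed assumptions; in practice the watch-list is built from the vendors and update services actually deployed.

```python
"""Flag hosts file entries that block or redirect update/security domains.

Added example, not NetWitness code. The watch-list and the sample hosts file
are constructed; av-vendor.example is a placeholder (reserved TLD) domain.
"""
import ipaddress
from typing import Dict, List

# Domains an attacker would want to silence (constructed watch-list).
WATCHED_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "av-vendor.example",
)

# Addresses that make a name resolve to nothing useful.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text: str) -> List[Dict[str, object]]:
    """One record per (address, hostname) pair. Comments and blank lines are
    ignored; lines whose first token is not an IP address are skipped."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not an entry the resolver would use
        for host in parts[1:]:
            records.append({"line": lineno, "address": str(addr),
                            "host": host.lower()})
    return records


def is_watched(host: str) -> bool:
    """True when host is a watched domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_suspicious_entries(text: str) -> List[Dict[str, object]]:
    """Watched-domain entries with a verdict: 'blocked' when pointed at a
    sinkhole address, 'redirected' for anything else. A legitimate hosts
    file should contain neither."""
    findings = []
    for rec in parse_hosts(text):
        if not is_watched(rec["host"]):
            continue
        verdict = "blocked" if rec["address"] in SINKHOLE_ADDRESSES else "redirected"
        findings.append({**rec, "verdict": verdict})
    return findings


# Constructed sample hosts file, as exported from a System Information panel.
SAMPLE_HOSTS = """\
# default header comment (benign)
127.0.0.1       localhost
::1             localhost
192.168.10.5    intranet.corp.example   # legitimate internal pin
0.0.0.0         download.windowsupdate.com
127.0.0.1       update.av-vendor.example liveupdate.av-vendor.example
203.0.113.7     update.microsoft.com     # TEST-NET address, constructed
not-an-ip       garbage-line
"""

if __name__ == "__main__":
    for f in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['address']} [{f['verdict']}]")
```

The "redirected" verdict matters as much as "blocked": an update domain pointed at an arbitrary address means the host may be fetching "updates" from infrastructure the attacker controls, so treat both as findings.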

Analyze History

In the Host details, select the History tab. This tab lists the commands along with the respective status and additional details.

When you review the history, look for the command status and retrieval count to check if the agent retrieved the commands.

Below are some examples:

  • A file download command is issued, but the file has been deleted on the host. In this case, the status of the command is Failed because the file could not be downloaded.
  • The retrieval count increases, but the command is not processed. This happens when an analyst requests a large number of files (for example, MFT, system dump, or process dump) and the connection breaks while the agent uploads these files.
  • If the agent command is not retrieved, the agent is either offline or busy processing other commands (for example, uploading a system dump). In this case, the status of the command shows Pending.

To view more details, click the Hostname link highlighted in blue. The Hosts details view is displayed.
For the MFT, download file, system dump, and process dump command types, clicking the Hostname link displays the Downloads tab with details such as file name, type, status, size, downloaded time, and SHA256 of the file.

Export Host Details or Files to JSON File

Note: The Export Host Details option is disabled if there is no snapshot time.

To export host details or files to JSON file:

  1. Go to Hosts.
  2. Select the hostname to open the host details.
  3. Click the More icon beside the hostname and do any of the following:
    • To export the scan data categories for the host, select Export Host Details. This exports files such as:
      • allfiles.json - This file consists of the file name, file path, signature, file checksum, and so on that is reported as part of scan and tracking.
      • fileContext.json - This file consists of the file name, file path, signature, file checksum, and so on that is reported during the host scan.
      • machinedetails.json - This file consists of the machine details, including hardware, operating system, interfaces, and so on, along with agent details such as the version and policy details.

    Note: If Endpoint Broker is selected and a host has communicated with multiple Endpoint servers, then during the host details export all files and details of the host are exported from the Endpoint server where the selected snapshot is stored.

    Note: The allfiles.json file is exported irrespective of the selected snapshot.

    • To export all the files available on the host, select Export Files. This exports:
      • allfiles.json - This file consists of the file name, file path, signature, file checksum, and so on that is reported as part of scan and tracking.

Launch an External Lookup for a File

While analyzing a file, you can search Google or VirusTotal with the filename or hash to get more information about the file. To launch the search:

  1. Go to Hosts > Host Details (Autorun, Files, Drivers, Libraries, or Anomalies tab).

  2. Right-click one or more files, or in the More Actions drop-down list in the toolbar, do the following:


    • Select Google Lookup to perform a search on the filename, MD5, SHA1, or SHA256.
    • Select VirusTotal Lookup to perform a search on MD5, SHA1, or SHA256.

    Note: To open files in multiple tabs, make sure pop-ups are enabled in the browser.

Delete a Host

If the agent is uninstalled on a host or if you no longer require the host scan data, you can manually delete this host from the Hosts view. Deleting a host deletes all scan data associated with the host. To delete hosts:

  1. Go to Hosts.

  2. Select the hosts that you want to delete from the Hosts view and do one of the following:


    • Right-click and select Delete from the context menu.
    • Click the More drop-down list in the toolbar and select Delete.

Note: If you accidentally delete a host from the Hosts view, the Endpoint Server forbids all requests from this agent. The agent must be uninstalled manually from the host and reinstalled for it to appear on the Hosts view.

Deleting Hosts with Older Agent Versions

After upgrading the 11.1.x and 11.2.x agents to 11.3 or later, if you want to delete the hosts with older versions:

  1. Go to Hosts view.

  2. Filter the hosts based on the Agent version, and delete these hosts.

    If you do not delete them, the hosts are deleted according to the Data Retention Policy settings.

Set Hosts Preference

By default, the Hosts view displays a few columns and the hosts are sorted based on the risk score. If you want to view specific columns and sort data on a specific field:

  1. Go to Hosts.

  2. Select the columns by clicking the column selection icon in the right-hand corner. A drop-down list of available columns is displayed.


  3. Scroll down or enter the keyword to search for the column in the displayed list.

  4. Sort the data on the required column.

    Note: The selections you make here become your default view every time you log in to the Hosts view.

Export Host Attributes

You can export up to 100,000 host attributes at a time. To export the host attributes to a CSV file:

  1. Go to Hosts.

  2. Filter the hosts by selecting the required filter options.

  3. Add columns by clicking the column selection icon in the right-hand corner.

  4. Click the Export to CSV icon to export the host attributes to a CSV file.


You can either save or open the CSV file.

Migrate Hosts

Hosts can be migrated from one Endpoint server to another using the groups and policy associated with the host. If a host is migrated, the Server column shows Migrated. On all the tabs within the Hosts view, the message Host is migrated to <Server-name> is displayed; you can view the host details by clicking <Server-name>. The risk score of a migrated host is displayed on all Endpoint servers where it is present.

Note: Some actions are disabled for the migrated host on the selected server, such as start scan, stop scan, analyze events, and others. To perform the required action, select the Endpoint server to which the host is migrated.

Note: To view only managed hosts, select the Show Only Managed Agents option in the Filters panel.

Analyzing Risky Users

If you have NetWitness UEBA installed, you can view the alerts associated with users logged in on the host. To analyze risky users:

  1. Go to Hosts.

  2. Click the host name you want to analyze.

  3. In the Host Details panel, under the Users category, click the name.

    This opens the Entities tab for investigation in a new tab.


Resetting Risk Score of Hosts

You can reset the risk score for a host in these situations:

  • If the alerts or events triggered by the host or by files on the host are false positives, you can adjust the Endpoint Application rules or ESA rules and then reset the score.
  • After you have taken the required action on the host for the malicious file activities contributing to the risk score. When you reset the risk score, all risk calculations for the host are deleted. Resetting a host's risk score does not change the risk score of the files on it. You can reset the score for a single host or for multiple hosts.

To reset the risk score of the selected host:

  1. Go to Hosts.

  2. Select the Endpoint Server or Endpoint Broker.

  3. Select one or more hosts and do one of the following:


    • Right-click and select Reset Risk Score For Selected Host from the context menu.
    • Click More Actions > Reset Risk Score For Selected Host in the toolbar.

    All the alerts associated with the score are deleted.

  4. Refresh the page to confirm that the host's score has been reset. It may take some time for the change to take effect.

To reset the risk score of all the available hosts simultaneously:

  1. Go to Hosts.

  2. Click More Actions > Reset Risk Score For All Hosts in the toolbar.


    All the alerts associated with the score are deleted.