Investigating a Process

Note: The information in this topic applies to NetWitness Version 11.3 and later.

Analysts can perform process analysis on a particular process to:

  • Understand the entire process event chain, process parent-child relationships, and all associated events in a timeline view.
  • Analyze important process attributes, such as username, launch arguments, reputation, file status, signer, signature, risk score, and file path.

The Analyze Process view provides a list of processes captured on hosts in a parent-child hierarchical format over a time range. The process tree is created from the tracking event type "Process event" where the action meta key is createProcess. The agent reports a new event for the same createProcess if any of the following parameters change:

  • Parent process filename
  • Child process filename
  • Launch arguments
  • User name

If the above parameters do not change, the event is reported only once every eight hours.
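The reporting rule above, modelled as an added Python example (not NetWitness agent code): the four parameters form the deduplication key, and an unchanged key is reported again only after eight hours. Field names, the plain (time-zone-free) timestamps and the sample events are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Model of the reporting rule described above: the four attributes form the
# deduplication key, and an unchanged key is reported again only after eight
# hours. Field names and the sample events are constructed for this example.
REPORT_INTERVAL = timedelta(hours=8)


@dataclass(frozen=True)
class CreateProcess:
    parent_filename: str
    child_filename: str
    launch_args: str
    username: str
    timestamp: datetime


def dedup_key(ev):
    """The attributes whose change makes the agent report a new event."""
    return (ev.parent_filename, ev.child_filename, ev.launch_args, ev.username)


def filter_reported(events):
    """Return, in time order, the events the agent would actually report."""
    last_reported = {}   # dedup key -> timestamp of the last reported event
    reported = []
    for ev in sorted(events, key=lambda e: e.timestamp):
        key = dedup_key(ev)
        last = last_reported.get(key)
        if last is None or ev.timestamp - last >= REPORT_INTERVAL:
            last_reported[key] = ev.timestamp
            reported.append(ev)
    return reported


T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE = [  # constructed: cmd.exe launching net.exe on one host
    CreateProcess("cmd.exe", "net.exe", "user", "CORP\\alice", T0),
    # same four attributes five minutes later: suppressed
    CreateProcess("cmd.exe", "net.exe", "user", "CORP\\alice", T0 + timedelta(minutes=5)),
    # launch arguments changed: reported as a new event
    CreateProcess("cmd.exe", "net.exe", "localgroup administrators", "CORP\\alice", T0 + timedelta(minutes=6)),
    # original attributes again once eight hours have passed: reported
    CreateProcess("cmd.exe", "net.exe", "user", "CORP\\alice", T0 + timedelta(hours=8)),
]

if __name__ == "__main__":
    for ev in filter_reported(SAMPLE):
        print(ev.timestamp, ev.parent_filename, "->", ev.child_filename, ev.launch_args)
```

The practical consequence for an analyst: a second identical launch within the eight-hour window does not appear as a new process event in the tree, so a missing repeat is not evidence that the launch did not happen.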

Best Practices

When reviewing a host for malicious activity, there are a few key things to review while looking for malicious processes.

  • Process Name - When reviewing running processes on a host, check for program names that look suspicious. Sometimes malware uses random names, such as wzuduje.exe. In other cases the names are deliberately misleading, such as adob3.exe, scvhost.exe, or Microsoft.exe. Being familiar with standard Windows processes, and with any internal tools used throughout the environment, also helps you identify potentially malicious or suspicious files.

  • File Path - Just as with knowing the normal and key Windows processes, knowing which path a process originates from is key to detecting processes that imitate a legitimate one. For instance, if you see svchost.exe running on a system from C:\Users\<username>\AppData\Roaming\adobe\ (a path that exists legitimately), and you know that the legitimate Windows process originates from C:\Windows\System32\, you can determine that the svchost.exe started from the C:\Users\<username>\AppData\Roaming\adobe\ directory is the suspicious one. To further identify a suspicious process, review the Autoruns tab to see whether the process is running as an autorun, service, or task.

  • File Signature - Legitimately published software is usually digitally signed. Keep the following exceptions in mind:

    • If a running process is not digitally signed, that alone does not confirm that the file is malicious.
    • A valid signature does not mean that a file is legitimate. Software identified as a Potentially Unwanted Program (PUP) or Adware can carry a valid signing certificate.

  • On Hosts - Indicates the number of hosts on which a file exists. If a file with a high risk score is present on only a few hosts, it may be malicious and needs further investigation.

  • Reputation - Leveraging the reputation service is a way to find malicious processes.

  • Analyze events - For further insight into a process, you can analyze console events, network events, file events, process events, and registry events.

    • Network events - Look for any suspicious domains to which the process is connecting. Sometimes malware creates legitimate-looking connections to a known site, such as google.com or bing.com, to hide its activity on the network. Look for connections to Dynamic DNS domains, where a lot of known malicious activity resides. During analysis, consider uncommon processes making direct connections to an IP address or to an uncommon port number.
    • File and process events - Review process interactions that have occurred on the system with the suspected file. You can look for key events such as writeToExecutable, renameExecutable, and createRemoteThread, which indicate suspicious behavior.
  • Leverage other methods

    • Look up with Google - You can search the file name or hash value against Google to determine if the file is malicious.
    • Look up with VirusTotal - You can search the hash value against VirusTotal to see how multiple AV vendors classify the file.
    • Download file - Download and analyze a file to find indicators such as compile time, imported DLLs, and section names, and perform string searches. Look for TLD values (.com, .net, .biz) or debug information of a compiled binary (.pdb); be aware that these values can be easily changed or forged.

    • Time stamp values - Review the modified, accessed, and created dates associated with the binary, and how long the file has been residing on the host. While these values are correct most of the time, attackers can change the time stamps of a file.
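The Process Name, File Path, File Signature and On Hosts checks above, combined into one triage routine as an added Python example (not NetWitness code). The expected-path table, the sample records and the thresholds for "few hosts" (2) and "high risk score" (70) are constructed assumptions for the illustration.

```python
import ntpath
from dataclasses import dataclass

# Added illustration of the Process Name, File Path, File Signature and
# On Hosts checks above. The expected-path table and sample records are
# constructed for this example; they are not NetWitness data.
EXPECTED_DIR = {            # well-known Windows image -> legitimate directory
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
}

@dataclass
class ProcessRecord:
    name: str
    path: str          # full image path on disk
    signed: bool       # valid digital signature present
    risk_score: int    # 0-100, as shown in the process tree
    on_hosts: int      # number of hosts on which the file exists

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch look-alike names such as scvhost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(rec: ProcessRecord) -> list:
    """Return the best-practice findings that apply to one process record."""
    findings = []
    name = rec.name.lower()
    directory = ntpath.dirname(rec.path).lower()   # ntpath: Windows paths on any OS
    if name in EXPECTED_DIR:
        if directory != EXPECTED_DIR[name]:
            findings.append("path-mismatch")        # svchost.exe under AppData
    elif any(0 < edit_distance(name, k) <= 2 for k in EXPECTED_DIR):
        findings.append("lookalike-name")           # scvhost.exe vs svchost.exe
    if not rec.signed:
        findings.append("unsigned")                 # not proof of malice by itself
    if rec.on_hosts <= 2 and rec.risk_score >= 70:  # assumed thresholds
        findings.append("rare-high-risk")           # few hosts, high risk score
    return findings

SAMPLE = [  # constructed records
    ProcessRecord("svchost.exe", r"C:\Windows\System32\svchost.exe", True, 5, 250),
    ProcessRecord("svchost.exe", r"C:\Users\bob\AppData\Roaming\adobe\svchost.exe", False, 85, 1),
    ProcessRecord("scvhost.exe", r"C:\Windows\Temp\scvhost.exe", True, 40, 3),
]
```

Each finding is a prompt for the manual steps described above (Autoruns tab, reputation, VirusTotal), not a verdict: the signed, widely deployed System32 record produces no findings, while the AppData copy collects three.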

Analyze a Process

Based on the Alert severity, you can analyze the processes using two different options:

  • View Alert Details: This option allows you to analyze the processes associated with Critical and High Alerts.

  • Analyze Process Tree: This option allows you to analyze the processes associated with Medium Alerts.

To analyze the process associated with Critical and High Alerts:

  1. Go to Hosts and click on a host.

  2. Click on an event associated with the Critical or High alert on the Host Details view. The Event Details panel appears.

  3. Click View Alert Details to analyze the process activities of a file associated with the Critical or High Alerts.

    The Process Tree Viewer is displayed in the Respond service.

  4. Select the process in the Process Tree Viewer and click File Actions in the Details panel to perform the following actions:

    • Google Lookup

    • VirusTotal Lookup

    • Change File Status

    • Download File to Server

    • Analyze File

    • Save a Local Copy

    • Reset Risk Score

To analyze the process associated with Medium Alerts:

  1. Go to Hosts and click on a host.

  2. Click on an event associated with the Medium alert on the Host Details view. The Event Details panel appears.

  3. To analyze the process activities of a file associated with the Medium Alerts, do one of the following:

    • In the Event Details panel, click Analyze Process Tree.

    • Select the Processes tab and do one of the following:

      - Right-click a process and select Analyze Process from the context menu.

      - Click Analyze Process in the toolbar.

    In the following example, the file cmd.exe has created the process net.exe.

    Clicking Analyze Process displays the process visualization. For each node, the process name, risk score, and type of activity the selected process has performed (network, file, or registry, indicated by icons) are displayed. Optionally, you can change the time range to view data.

    You can view the properties of the selected process, such as process execution details and file properties, at the bottom of the view.

    Note: No result is displayed in the process visualization view if there is no data for the last seven days or if there is no createProcess event.

  4. On the right side of the process visualization view:
    • Click Events List to view the associated events. You can also filter events based on the events category. For more information on filtering, see Analyze Events for a Process.
    • Click Hosts to view the hosts on which this file is present and the associated risk score. For more information, see Analyze Hosts with File Activity.
    • Click Risk Details to view the list of distinct alerts, such as Critical, High, Medium, and All. For more information, see Analyze Hosts Using the Risk Score.
  5. Hover over the process name to analyze important process attributes, such as username, launch arguments, reputation, file status, signer, signature, and file path.

  6. Click the process selection icon to view the child processes. The Process selection dialog is displayed with the child processes associated with the process, ordered by risk score. You can filter the result by event type by clicking the icons on the top panel. When no matching event types are available, these filter options are disabled.

    Depending on the type of event, the corresponding icons are highlighted in the Event Types column.

    1. Click View All to view all child processes or select the required processes and click View selected. The associated events and properties are displayed in the right panel.
    2. Click the reselect icon to change the process selection, and click the collapse icon to collapse the view.

Analyze Events for a Process

To analyze events for the selected process:

  1. Perform steps 1 to 3 in "To analyze the process associated with Medium Alerts" above.

  2. In the process visualization, click the Events tab.

  3. To narrow down the search to find suspicious indicators, behaviors, or a specific type of event, filter on a set of matched events by category: Process, File, Registry, Network Event, or Console Event (for Windows).

    For example, to view only process events, select the Process Event category, and filter on action.

The result displays the sequence of activities involving this process for the selected filters.

Note: For console events, the local and remote context is available only if the data is sent from 11.4 or later agents.

Note: If the number of process events created from a single source VPID in Linux exceeds 100, only the first 100 events are displayed in the Process Visualization > Events view for a time interval of 8 hours. Only after that 8-hour interval has elapsed is the next set of events created from the same source VPID (again, a maximum of 100 process events) displayed alongside the existing set of events.

For example: if 1000 process events are created from a single source VPID at 12PM IST, only the first 100 events are displayed in the Process Visualization > Events view until 8PM IST. After 8PM IST on the same day, the next set of 100 events created after 8PM IST from the same source VPID is displayed along with the existing set of events.