
Analyzing Nessus Detected Malicious Processes Activity with the Log Correlation Engine

The data from Nessus malicious process checks can be immediately leveraged by SIEM and log search tools. In this blog post we will consider a very basic example of how a computer infected with the GameVance adware can be analyzed with the Log Correlation Engine (LCE).

Nessus performs checks on Windows computers for malicious and unwanted running processes. Plugins 59275 and 59641 leverage Windows credentialed auditing to enumerate all running processes and cross-reference their checksums against an industry index of virus scanners.

Intelligent log analysis tools, such as the Log Correlation Engine, provide multiple methods to monitor logs from Windows hosts. The LCE can monitor Windows systems with an agent or with a remote WMI event log monitor, and it can also analyze real-time logs from the Passive Vulnerability Scanner (PVS), which include logs of network file downloads, DNS queries, and web browsing history.

When system logs are aggregated in real-time along with Nessus malware testing, suspicious results can be investigated immediately.

To illustrate this, we configured a lab and infected a target Windows 7 computer with the relatively benign GameVance adware. The lab leveraged a SecurityCenter, a Nessus scanner, a Log Correlation Engine, and a Passive Vulnerability Scanner.

The SecurityCenter was configured with a variety of real-time alerts, including one for plugin 59641 which identifies unwanted processes as shown in the screen shot below:

[Screenshot 1: SecurityCenter alert]

The actual Nessus result for plugin 59641 is shown below:

[Screenshot 2: Nessus result for plugin 59641]

SecurityCenter tracks that this particular plugin has been active on our target at 192.168.1.11 since August and was seen recently. It also identifies the actual infected DLL and the process IDs associated with the software in question.

Switching to our Log Correlation Engine event view, I searched for logs from the system’s known IP address and the process ID of 2548 and obtained the following search results:

[Screenshot 3: LCE search results for the process ID, still running]

These are Windows event logs that record network connections through the local filtering platform. A different Windows computer with a lighter auditing policy may not generate similar logs, but in this case it is very useful to be able to investigate the actual process ID and see what was occurring.

The process that was running was Internet Explorer. The DLL in question was adware attached to the browser. When we set this lab up, I had installed some software which also silently installed the GameVance adware, and I left Internet Explorer running. Having a process like this run consistently for multiple days is similar to what some types of simplistic malware do. Within the LCE, looking for the activity associated with this process ID turned up several traces in local Windows event logs:

[Screenshot 4: process history in LCE]

Additionally, it's worth noting that the LCE summarizes all executed processes each day for a quick look:

[Screenshot 4a: daily executed-process summary in LCE]
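As an added example (not code from the post or from any Tenable product), here is the same investigation in Python over constructed sample event lines: search one host for one process ID, summarize where that process connected and on how many days it was active, and build the per-day executed-process summary. The key=value log format, the event IDs 4688 and 5156 and all hosts, PIDs and dates are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample logs (not from the original post): a simplified key=value
# rendering of Windows Security events as a log collector might normalise them.
# Assumed event IDs: 4688 (process creation) and 5156 (Windows Filtering Platform
# permitted a connection). Host, PIDs and dates are invented for this example.
SAMPLE_LOGS = """\
2012-09-28T09:01:02 host=192.168.1.11 event=4688 pid=2548 image="C:\\Program Files\\Internet Explorer\\iexplore.exe"
2012-09-28T09:05:17 host=192.168.1.11 event=5156 pid=2548 dest=203.0.113.10:80 dir=outbound
2012-09-28T09:05:18 host=192.168.1.11 event=5156 pid=2548 dest=203.0.113.10:80 dir=outbound
2012-09-28T09:07:44 host=192.168.1.11 event=5156 pid=1200 dest=198.51.100.5:443 dir=outbound
2012-09-28T09:09:00 host=192.168.1.12 event=5156 pid=2548 dest=203.0.113.10:80 dir=outbound
2012-09-29T08:00:00 host=192.168.1.11 event=4688 pid=3100 image="C:\\Windows\\System32\\notepad.exe"
2012-09-29T11:22:03 host=192.168.1.11 event=5156 pid=2548 dest=203.0.113.10:80 dir=outbound
"""

# key=value pairs; a value may be quoted so that paths with spaces survive.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split one log line into a dict; the leading token is the timestamp."""
    stamp, _, rest = line.partition(" ")
    fields = {k: (q if q else v) for k, q, v in FIELD.findall(rest)}
    fields["timestamp"] = stamp
    fields["date"] = stamp[:10]
    return fields

def events_for_process(logs, host, pid):
    """The search from the walkthrough: every event for one host and one PID.
    PIDs are reused across machines, so the host filter is what keeps it precise."""
    events = (parse_line(l) for l in logs.splitlines() if l.strip())
    return [e for e in events if e.get("host") == host and e.get("pid") == str(pid)]

def connection_summary(events):
    """Count the destinations the process connected to (5156 filtering events)."""
    return Counter(e["dest"] for e in events if e.get("event") == "5156")

def active_days(events):
    """Distinct days on which the PID produced events; a long span is itself a signal."""
    return sorted({e["date"] for e in events})

def daily_process_summary(logs, host):
    """Per-day set of executables started on a host, like the LCE daily summary."""
    summary = defaultdict(set)
    for e in (parse_line(l) for l in logs.splitlines() if l.strip()):
        if e.get("host") == host and e.get("event") == "4688":
            summary[e["date"]].add(e["image"].rsplit("\\", 1)[-1])
    return dict(summary)
```

With the constructed lines, the search for 192.168.1.11 / 2548 returns four events spanning two days, all of whose connections went to one destination, while the same PID on 192.168.1.12 is correctly ignored.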

Obviously, more advanced malware can hide from the process tree, edit or delete logs, and even attack SIEM and log collection agents. Most malware does not do this, though. When investigating malware identified with Nessus, since the detection is based on looking into the running process tree, it is likely that there will also be logs and Windows events associated with it.

It is also worth noting that the real-time network logs from the Passive Vulnerability Scanner could be used to analyze which files and network interactions resulted in the infection. Below is a screenshot from August (two months ago) showing the actual .exe downloads I had done to install some shareware software that resulted in the GameVance infection:

[Screenshot 6: PVS network traffic showing the .exe downloads]

Conclusions

If you have a positive malware or unwanted program detection with Nessus, monitoring what the process is doing can be accomplished with system log analysis and network traffic. Your response to a Nessus malware infection, or even a Nessus botnet detection, should really be no different than if your anti-virus system or intrusion detection had found something suspicious.

For more information on how Tenable solutions can be used to identify malware and botnets, please consider the following blog entries, dashboards and YouTube videos:

For more detailed examples and discussions of Tenable product capabilities, please join the conversations at the Tenable Discussion Forums or follow us on Twitter @tenablesecurity.
