
Tenable Blog


Analyzing Nessus Detected Malicious Processes Activity with the Log Correlation Engine

The data from Nessus malicious process checks can be immediately leveraged by SIEM and log search tools. In this blog post we will consider a very basic example of how a computer infected with the GameVance adware can be analyzed with the Log Correlation Engine (LCE).

Nessus checks Windows computers for malicious and unwanted running processes. Plugins 59275 and 59641 use Windows credentialed auditing to enumerate every running process and cross-reference the checksums of the executables and modules behind them against an index of detections from many anti-virus engines.
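The check described above, as an added example that is not the Nessus plugin's own code: take an inventory of running processes, hash the file each one was started from (or a module it loaded), and look the digests up in an index of anti-virus verdicts. The index, the "suspect" image bytes, the verdict string and every process entry other than the current interpreter are constructed for the example; the only real process it inspects is itself.

```python
"""Check the on-disk image behind each running process against a hash index.

Added example, not the Nessus plugin's own code. The index, the suspect
image bytes, the verdict string and all process entries except the current
interpreter are constructed.
"""
import hashlib
import os
import sys
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB blocks so large binaries are not read into memory whole


def hash_image(path):
    """Return {'md5': ..., 'sha256': ...} for the file at path, or None when it
    cannot be read (deleted after launch, locked, or a path that is no longer on
    disk, which is itself worth a look during an investigation)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(CHUNK), b""):
                md5.update(block)
                sha256.update(block)
    except OSError:
        return None
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def check_processes(processes, index):
    """processes: iterable of (pid, process name, path of the image or module to hash).
    index: {lowercase hex digest (md5 or sha256): [verdict, ...]}.
    Returns (flagged, unreadable). Flagged entries keep the digests and the PID
    so an analyst can pivot from the hit into the host's event logs."""
    flagged, unreadable = [], []
    for pid, name, path in processes:
        digests = hash_image(path)
        if digests is None:
            unreadable.append({"pid": pid, "name": name, "path": path})
            continue
        verdicts = set()
        for digest in digests.values():
            verdicts.update(index.get(digest.lower(), []))
        if verdicts:
            flagged.append({"pid": pid, "name": name, "path": path,
                            **digests, "verdicts": sorted(verdicts)})
    return flagged, unreadable


def run_demo():
    """Build a small constructed inventory and run the check. Returns (flagged, unreadable)."""
    suspect = b"MZ\x90\x00" + b"constructed adware stub, not a real binary"
    # Constructed index; a real deployment would load this from a vendor feed.
    index = {hashlib.sha256(suspect).hexdigest(): ["Constructed.Adware.Sample"]}
    with tempfile.TemporaryDirectory() as tmp:
        suspect_path = os.path.join(tmp, "adware.dll")
        with open(suspect_path, "wb") as fh:
            fh.write(suspect)
        # One byte appended: same family, but an exact-hash index will miss it.
        variant_path = os.path.join(tmp, "adware_variant.dll")
        with open(variant_path, "wb") as fh:
            fh.write(suspect + b"\x00")
        processes = [
            (os.getpid(), os.path.basename(sys.executable), sys.executable),  # real: this interpreter
            (2548, "iexplore.exe", suspect_path),   # constructed: module loaded into the browser
            (3012, "iexplore.exe", variant_path),   # constructed: near-miss variant
            (4100, "ghost.exe", os.path.join(tmp, "gone.exe")),  # constructed: image gone from disk
        ]
        return check_processes(processes, index)


if __name__ == "__main__":
    hits, missing = run_demo()
    for hit in hits:
        print(f"pid {hit['pid']} {hit['name']} sha256={hit['sha256']} -> {hit['verdicts']}")
    for entry in missing:
        print(f"pid {entry['pid']} {entry['name']}: image not readable at {entry['path']}")
```

The near-miss entry is the important caveat: a digest index only catches samples it has already seen, so a one-byte change to the same adware yields no hit, and an image that cannot be read at all deserves attention rather than silent omission.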

Intelligent log analysis tools such as the Log Correlation Engine provide several ways to monitor logs from Windows hosts. The LCE can monitor Windows systems with an agent or with a remote WMI event log monitor, and can also analyze real-time logs from the Passive Vulnerability Scanner (PVS), which include records of network file downloads, DNS queries and web browsing history.

When system logs are aggregated in real time alongside the Nessus malware checks, suspicious results can be investigated immediately.

To illustrate this, we configured a lab and infected a target Windows 7 computer with the relatively benign GameVance adware. The lab leveraged a SecurityCenter, a Nessus scanner, a Log Correlation Engine, and a Passive Vulnerability Scanner.

The SecurityCenter was configured with a variety of real-time alerts, including one for plugin 59641, which identifies unwanted processes, as shown in the screenshot below:

[Screenshot 1: SecurityCenter alert for plugin 59641]

The actual Nessus result for plugin 59641 is shown below:

[Screenshot 2: Nessus result for plugin 59641, 30 September]

SecurityCenter records that this plugin has been firing on our target at 192.168.1.11 since August and was seen again recently. The result also identifies the DLL in question and the process ID of the process it was loaded into.

Switching to the Log Correlation Engine event view, I searched for logs from the system's known IP address and process ID 2548 and obtained the following search results:

[Screenshot 3: LCE search results showing the process still running]

These are Windows Security event logs recording network connections through the Windows Filtering Platform; each record carries the process ID that owned the connection. A different Windows computer with a lighter audit policy may not generate these logs, but in this case it is very useful to take the process ID from the Nessus result and see what that process was doing. One caveat when searching by PID over a multi-day window: Windows reuses process IDs once a process exits, so bound the search by the process creation and exit events for that instance rather than trusting the PID alone.

The process that was running was Internet Explorer. The DLL in question was adware loaded into the browser. When we set the lab up, I had installed some software that also silently installed the GameVance adware, and I left Internet Explorer running. A process like this running continuously for several days is similar to the behaviour of some types of simplistic malware. Within the LCE, searching for the activity associated with this process ID turned up several traces in the local Windows event logs:

[Screenshot 4: event history for process ID 2548]

It is also worth noting that the LCE summarizes all executed processes for each day, which gives a quick overview:

[Screenshot 4a: daily executed-process summary]
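The two searches above (connections attributed to process ID 2548, and the per-day summary of executed processes) as an added example that is not the Log Correlation Engine's own logic. The records are a constructed flattening of a few fields from Windows Security log events 4688 (a new process has been created), 4689 (a process has exited) and 5156 (the Windows Filtering Platform permitted a connection); real records carry many more fields and would first be exported from the host or a collector. The sample deliberately reuses PID 2548 for a second process after Internet Explorer exits, so a plain search on the PID would misattribute the last connection.

```python
"""Correlate Windows process creation, process exit and Windows Filtering
Platform connection events by process ID, honouring PID reuse.

Added example, not the Log Correlation Engine's own logic. EVENTS is a
constructed flattening of a few fields from Security log events 4688,
4689 and 5156; real exports carry many more fields.
"""
from collections import defaultdict
from datetime import datetime

HOST = "192.168.1.11"  # the infected lab host from the post


def parse_pid(value):
    """4688/4689 render the PID in hex in the message text (0x9f4);
    5156 renders it in decimal (2548). Normalize both to an int."""
    text = str(value).strip().lower()
    return int(text, 16) if text.startswith("0x") else int(text, 10)


def parse_time(value):
    return datetime.fromisoformat(value)


IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"

# Constructed sample: PID 2548 belongs to iexplore.exe for three days, the
# process exits, and the same PID is handed to notepad.exe minutes later.
EVENTS = [
    {"host": HOST, "time": "2012-09-27T09:00:00", "id": 4688, "pid": "0x9f4", "image": IE},
    {"host": HOST, "time": "2012-09-27T09:00:05", "id": 5156, "pid": "2548",
     "dst": "198.51.100.10", "dport": 80},
    {"host": HOST, "time": "2012-09-28T14:30:00", "id": 5156, "pid": "2548",
     "dst": "198.51.100.10", "dport": 80},
    {"host": HOST, "time": "2012-09-29T08:00:00", "id": 5156, "pid": "2548",
     "dst": "203.0.113.5", "dport": 443},
    {"host": HOST, "time": "2012-09-30T10:00:00", "id": 4689, "pid": "0x9f4", "image": IE},
    {"host": HOST, "time": "2012-09-30T10:05:00", "id": 4688, "pid": "0x9f4", "image": NOTEPAD},
    {"host": HOST, "time": "2012-09-30T10:06:00", "id": 5156, "pid": "2548",
     "dst": "192.0.2.20", "dport": 445},
    # Same PID on another host: must never be mixed into 192.168.1.11's timeline.
    {"host": "192.168.1.12", "time": "2012-09-30T10:07:00", "id": 5156, "pid": "2548",
     "dst": "192.0.2.99", "dport": 80},
]


def process_lifetimes(events, host):
    """Map pid -> list of {'start', 'end', 'image'} built from 4688/4689 on host.
    'end' stays None for a process still running at the end of the data."""
    lifetimes = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["host"] != host or ev["id"] not in (4688, 4689):
            continue
        pid = parse_pid(ev["pid"])
        if ev["id"] == 4688:
            lifetimes[pid].append({"start": parse_time(ev["time"]), "end": None,
                                   "image": ev["image"]})
        else:
            # Close the most recent open instance of this PID. An exit with no
            # matching start means the process began before collection; skip it.
            for inst in reversed(lifetimes[pid]):
                if inst["end"] is None:
                    inst["end"] = parse_time(ev["time"])
                    break
    return lifetimes


def connections_for(events, host, pid):
    """Return the 5156 connections for (host, pid), each attributed to the process
    instance alive at that moment; 'image' is None if no 4688 covers the time."""
    instances = process_lifetimes(events, host).get(pid, [])
    out = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["host"] != host or ev["id"] != 5156 or parse_pid(ev["pid"]) != pid:
            continue
        when = parse_time(ev["time"])
        owner = next((i for i in instances
                      if i["start"] <= when and (i["end"] is None or when <= i["end"])), None)
        out.append({"time": ev["time"], "dst": f"{ev['dst']}:{ev['dport']}",
                    "image": owner["image"] if owner else None})
    return out


def daily_process_summary(events, host):
    """Count 4688 launches per day per image: the 'executed processes each day' view."""
    summary = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["host"] == host and ev["id"] == 4688:
            summary[ev["time"][:10]][ev["image"]] += 1
    return {day: dict(images) for day, images in summary.items()}


if __name__ == "__main__":
    for conn in connections_for(EVENTS, HOST, 2548):
        print(conn["time"], conn["dst"], "owned by", conn["image"])
    print(daily_process_summary(EVENTS, HOST))
```

The attribution step is what a grep on "2548" lacks: the three daytime connections land on iexplore.exe, the SMB connection after the exit lands on notepad.exe, and a connection with no creation event in the window is reported with an unknown owner instead of being silently blamed on whichever process currently holds the PID.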

Obviously, more advanced malware can hide from the process tree, edit or delete logs, and even attack SIEM and log collection agents. Most malware does not do this, though. Because the Nessus malware checks work by inspecting the running process tree, a process they identify is likely to have left logs and Windows events associated with it as well.

It is also worth noting that the real-time network logs from the Passive Vulnerability Scanner can be used to work out which file downloads and network interactions led to the infection. Below is a screenshot from August (two months earlier) showing the .exe downloads I made to install the shareware that brought the GameVance adware with it:

[Screenshot 6: PVS network traffic logs showing the .exe downloads]

Conclusions

If Nessus reports a positive malware or unwanted-program detection, what the process is doing can be established through system log analysis and network traffic. Your response to a Nessus malware detection, or even a Nessus botnet detection, should be no different from your response when your anti-virus or intrusion detection system finds something suspicious.

For more information on how Tenable solutions can be used to identify malware and botnets, please see the following blog entries, dashboards and YouTube videos:

For more detailed examples and discussion of Tenable product capabilities, please join the conversations at the Tenable Discussion Forums or follow us on Twitter @tenablesecurity.
