Schedule forensic jobs

InsightIDR lets you search for and document specific malicious behavior using scheduled forensic jobs. A scheduled forensic job runs against the assets you select to detect suspicious behavior. The forensics scan schedule can be daily, weekly, monthly, or a custom time range.

Forensic jobs allow you to narrow your focus to specific assets, such as firewalls and DNS servers, and to further contextualize investigations. These jobs pull forensic information such as running processes, registry keys, and installed services to give you a highly detailed understanding of what is occurring on the assets in question.

To schedule a forensic job:

  1. Navigate to Investigations from the left menu of InsightIDR.
  2. Click the Schedule Forensics link.

You will see a table of all past and running forensic jobs. You can click the columns to sort them in a specific way.

  1. Click the New Scheduled Forensics button.
  2. On the New Scheduled Forensics screen, enter the name of the forensic job in the Forensics Name field.
  3. Enter the assets to include. A list displays after you type in a few characters in the Assets field.
    • Optionally, select Add Asset Group and configure those separate details.
  4. From the Frequency dropdown menu, select how frequently you want the forensic job to run.
  5. In the Schedule Time field, enter the time that you want the forensic job to run, using HH:MM:SS format.
  6. Select a job from the Job dropdown menu.
  7. Select the job parameters that you want to use in the forensic job.
  8. Click the Schedule button.

The scheduled forensic job returns results based on the parameters you selected.

Manage forensic jobs

From the Scheduled Forensics table, you can resume, stop, edit, or delete a forensic job:

  • Click the Stop icon to stop a forensic job, and the Resume icon to resume the job.
  • Click the Pencil icon to edit a forensic job.
  • Click the Trash icon to delete a forensic job.

Understand the types of forensic jobs

You can select from a number of jobs when scheduling forensics:

ARP Cache

This job does not accept parameters.

Current Process

This job retrieves the processes currently running on the selected asset. It retrieves PID priority, user info, directory handles, token handles, process handles, thread handles, event handles, mutant handles, semaphore handles, window station handles, desktop handles, file handles, section handles, key handles, ALPC handles, all handles, modules, signature check, TCP over IPV4, TCP over IPV6, UDP over IPV4, and UDP over IPV6.

User info

This parameter displays who the owner of the process is and additional account information.

Handles

A handle is a descriptor that a process opens to access or modify a resource; it is a reference to that resource. For example, if the process opens a registry key, it holds a key handle to it. Handles can also refer to other kernel objects opened by processes, such as mutants, semaphores and threads.

Modules

A module, in this case, is a dynamic library the process has loaded or the name of the executable.

Mutants

A mutant is another name for a mutex (mutual exclusion object). It ensures that two threads cannot access a shared resource at the same time. Typically, malware creates named mutexes that you can look for to show commonality between malware families.

Semaphores

A semaphore ensures that only a set number of threads can access a given resource at once. To use a restaurant analogy: only 50 people are allowed in the restaurant at a time; after that, no one may enter until someone else leaves.

Sections

A section is a chunk of memory that can be shared with other processes or mapped to a file.

Advanced Local Procedure Call (ALPC)

Processes can have Advanced Local Procedure Call (ALPC) ports to communicate to various subsystems or processes. You can think of this as a local Remote Procedure Call (RPC) mechanism.

When choosing this forensic job:

  1. Enter the process ID (PID) in the "PID" field.
  2. Enter the parent PID in the "Parent PID" field.
  3. Check the appropriate parameters.
  4. Click the Save Scheduled Forensics button.
Installed Service

This job retrieves information about installed services. The job parameters are signature check, allow INET SIG, and security info.

Signature check

If a binary or DLL is signed, InsightIDR verifies that the signature is valid. On Windows, if the DLLs and executables are signed by Microsoft, the output reflects this.

Allow INET SIG

This parameter enables or disables using the network to verify signatures. If it is disabled, InsightIDR only uses the local cache for revocation checking.

Security Info

This is a technical flag intended for AR/IR analysts. It lets InsightIDR see all access and owner information for a given service.

Directory Entry

This job retrieves information about specified directories. There are four parameters: path, directory depth, maximum file size, and minimum file size.

To select this job, complete the following steps:

  1. Enter the directory path in the "Path" field. Enter -1 to search all directories.
  2. Enter the directory depth in the "Directory depth" field. Enter -1 to search all directories.
  3. Enter the maximum file size (in megabytes) in the "Maximum File Size (MB)" field.
  4. Enter the minimum file size (in megabytes) in the "Minimum File Size (MB)" field.
  5. Check the Calculate MD5 Hashes checkbox if you need to calculate MD5 hashes.
  6. Check the Calculate SHA-1 Hashes checkbox if you need to calculate SHA-1 hashes.
  7. Click the Save Scheduled Hunt button to save the changes made.
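The following PowerShell function is an added example, not InsightIDR's own code or agent logic; it mirrors the Directory Entry parameters above (path, depth with -1 meaning unlimited, minimum and maximum file size in MB, optional MD5 and SHA-1 hashes) so you can reproduce the same view of an asset by hand, for instance to confirm a job's results. The path in the usage line is a placeholder.

```powershell
# Added example (not InsightIDR code): enumerate files under a path to a
# bounded depth, filter by size in MB, and optionally compute MD5 / SHA-1,
# matching the Directory Entry job's parameters.
function Get-DirectoryEntryReport {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int]    $Depth     = -1,   # -1 = unlimited, as on the job form
        [double] $MinSizeMB = 0,
        [double] $MaxSizeMB = -1,   # -1 = no upper bound (assumption for this example)
        [switch] $Md5,
        [switch] $Sha1
    )

    $splat = @{ Path = $Path; File = $true; Recurse = $true; ErrorAction = 'SilentlyContinue' }
    if ($Depth -ge 0) { $splat.Depth = $Depth }   # Get-ChildItem -Depth needs PowerShell 5.0+

    Get-ChildItem @splat | ForEach-Object {
        $sizeMB = $_.Length / 1MB
        # Apply the same size window the job form offers.
        if ($sizeMB -lt $MinSizeMB) { return }
        if ($MaxSizeMB -ge 0 -and $sizeMB -gt $MaxSizeMB) { return }

        $row = [ordered]@{
            FullName = $_.FullName
            SizeMB   = [math]::Round($sizeMB, 3)
            Modified = $_.LastWriteTimeUtc
        }
        # Hashing is opt-in, like the two checkboxes on the job form.
        if ($Md5)  { $row.MD5  = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash }
        if ($Sha1) { $row.SHA1 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1).Hash }
        [pscustomobject]$row
    }
}

# Usage (placeholder path): files between 1 MB and 50 MB, two levels deep, both hashes.
Get-DirectoryEntryReport -Path 'C:\Users\Public' -Depth 2 -MinSizeMB 1 -MaxSizeMB 50 -Md5 -Sha1 |
    Sort-Object SizeMB -Descending | Format-Table -AutoSize
```

Hashing every file is the expensive part of this job, which is why the size window matters: narrowing the minimum and maximum size keeps both this script and the scheduled job from hashing large installers or tiny config files you do not care about.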
DNS Cache

This job returns the local DNS cache and LOCAL A/CNAME record resolution if a resolver service is running.

This behavior is hardcoded: the job never makes any outbound requests to resolve entries. This job does not accept parameters.

Network Connection

This job returns network connection information about the protocol and family version. The job parameters are all network info, TCP over IPV4, TCP over IPV6, UDP over IPV4, and UDP over IPV6.

Registry Key

This job parses the specified registry hives for keys. Note that when the agent is installed as a system service, HKEY_CURRENT_USER (HKCU) reflects this. HKCU is simply a pointer, in other words a symlink, to the hive of whoever is accessing the registry, and in this case that is the agent running as system. HKCU therefore points to HKU/<system-sid>, not to the hive of the user who is logged in. To look at a user-specific key within a user’s hive, root your queries at HKU/<user-sid> and not HKCU. This job also supports regex within key paths, so you do not need to know the exact key path names.

The parameters for this job are registry keys, search HKEY_CLASSES_ROOT, search HKEY_CURRENT_USER, search HKEY_LOCAL_MACHINE, search HKEY_USERS, search HKEY_CURRENT_CONFIG, recursive depth, and persistent.

To select this job, complete the following steps:

  1. Enter the registry key(s) in the "Registry Keys" field.
    • For example, the Registry keys format would be: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
  2. Check the appropriate Search HKEY parameter check boxes.
  3. Enter the recursion depth in the "Recursion Depth" field. Enter -1 to search all.
  4. If needed, check the Persistent check box.
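The HKCU pitfall described above is easy to verify and easy to work around from an elevated PowerShell session. The function below is an added example (not InsightIDR's code): it resolves an account name to its SID, roots the query at HKEY_USERS\<sid> rather than HKCU, matches the relative key path against a regex as the job does, and bounds recursion with a depth value where -1 means unbounded. The account name, pattern and depth in the usage lines are placeholders; the hive must be loaded (the user logged on, or the hive loaded with reg load) for the path to exist.

```powershell
# Added example (not InsightIDR code): show which SID HKCU resolves to for the
# current context, then query a specific user's hive by SID with a regex filter.

# Under a SYSTEM-context service this prints S-1-5-18, which is why HKCU there
# is the SYSTEM account's hive and not the logged-on user's.
[System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

function Get-UserHiveKeys {
    param(
        [Parameter(Mandatory)] [string] $UserName,       # e.g. 'CONTOSO\alice' (placeholder)
        [Parameter(Mandatory)] [string] $SubKeyPattern,  # regex applied to the path under the hive
        [int] $Depth = -1                                # -1 = unbounded, as on the job form
    )

    # HKEY_USERS is keyed by SID, so translate the account name first.
    $account = New-Object System.Security.Principal.NTAccount($UserName)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $root    = "Registry::HKEY_USERS\$sid"

    if (-not (Test-Path -LiteralPath $root)) {
        throw "Hive for $UserName ($sid) is not loaded; the user may not be logged on."
    }

    $splat = @{ LiteralPath = $root; Recurse = $true; ErrorAction = 'SilentlyContinue' }
    if ($Depth -ge 0) { $splat.Depth = $Depth }   # Get-ChildItem -Depth needs PowerShell 5.0+

    Get-ChildItem @splat | Where-Object {
        # Strip 'HKEY_USERS\<sid>\' so the regex is written against the relative key path.
        ($_.Name -replace '^HKEY_USERS\\[^\\]+\\?', '') -match $SubKeyPattern
    } | ForEach-Object {
        $key = $_
        [pscustomobject]@{
            Key    = $key.Name
            Values = ($key.GetValueNames() | ForEach-Object { "$_=$($key.GetValue($_))" }) -join '; '
        }
    }
}

# Usage (placeholder account): autorun keys in one user's hive, without relying on HKCU.
Get-UserHiveKeys -UserName 'CONTOSO\alice' -SubKeyPattern 'CurrentVersion\\Run' -Depth 5 |
    Format-List
```

The first statement is the quickest way to confirm the symlink behavior on a given host: run it from an interactive prompt and from a scheduled task or service running as SYSTEM and compare the SIDs. The same distinction applies when reading a scheduled job's Registry Key results, so any user-specific persistence location should be queried under HKEY_USERS with the target user's SID.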
Scheduled Task

This job retrieves all scheduled tasks on an asset. This job does not accept parameters.

User Session

This job enumerates all of the system sessions on an asset. The job parameters are active connections and remote connections.

On Windows Vista and Windows Server 2008 and later, only services run in session 0; logged-on users appear in subsequent sessions. This is normal behavior and a security fix that Microsoft implemented called “session 0 isolation.”
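To see session 0 isolation on a host for yourself, the following added example (not InsightIDR code) groups running processes by Windows session and lists the accounts found in each; it assumes an elevated session on Windows PowerShell 4.0 or later, which Get-Process -IncludeUserName requires.

```powershell
# Added example (not InsightIDR code): summarize which accounts own processes
# in each Windows session. Needs elevation for -IncludeUserName.
function Get-SessionSummary {
    Get-Process -IncludeUserName -ErrorAction SilentlyContinue |
        Group-Object SessionId |
        ForEach-Object {
            [pscustomobject]@{
                SessionId = [int]$_.Name
                Processes = $_.Count
                # Distinct account names seen in this session (processes whose owner
                # could not be read are skipped).
                Accounts  = ($_.Group.UserName | Where-Object { $_ } | Sort-Object -Unique) -join ', '
            }
        } |
        Sort-Object SessionId
}

Get-SessionSummary | Format-Table -AutoSize
```

When reviewing a User Session job's output alongside this, an interactive user account appearing in session 0, or a service account appearing in a user session, is worth a second look, since the normal layout described above keeps services and interactive users apart.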