Scheduled Forensics

InsightIDR provides the ability to search for and document specific malicious behavior using scheduled forensic jobs. A scheduled forensic job runs a selected forensic collection against chosen assets to detect suspicious behavior. The forensics scan schedule can be set to daily, weekly, monthly, or a custom time range.

Forensic jobs allow you to narrow down your focus on specific items, such as firewalls and DNS servers. Forensics jobs are used to further contextualize investigations. These jobs pull forensics information such as running processes, registry keys, installed services, and others to give you a highly detailed understanding of what is occurring on the asset(s) in question.

Schedule a Forensic Job

To schedule a forensic job:

  1. Click Investigations from the lefthand menu.
  2. From the "Investigations" page, click the Schedule Forensics link.

You will see a table of all past and running Forensics. Click a column header to sort the table by that column.

  1. Select the New Scheduled Forensics button. When the "New Scheduled Forensics" screen appears, enter the name of the Forensics in the "Forensics Name" field.
  2. Enter the asset(s) to include. A list displays after you type in a few characters in the "Assets" field.
    • Optionally select Add Asset Group and configure those separate details.
  3. Select the frequency you want to schedule the Forensics from the "Frequency" dropdown menu.
  4. Enter the time you want to run the Forensics in the "Schedule Time" field. Use the HH:MM:SS format.
  5. Select a job from the "Job" dropdown menu.
  6. Select the job parameters that you want to use in the Forensics.
  7. Click the Schedule button.

The Scheduled Forensics returns results based on the parameters you selected. The following screen capture displays the results from a Scheduled Forensics.

Manage Forensics

From the Scheduled Forensics table, you can resume, stop, edit, or delete a Forensics job.

When you click the Pencil icon to edit a forensics job, its details appear in a panel on the right, where you can edit them.

Specific Forensic Jobs

The following forensic jobs are available:

  • ARP cache
  • Current process
  • Installed service
  • Directory entry
  • DNS cache
  • Network connection
  • Registry key
  • Scheduled task
  • User session

ARP Cache

This job does not accept parameters.

Current Process

This job retrieves the processes currently running on the selected asset. The available parameters are PID, priority, user info, directory handles, token handles, process handles, thread handles, event handles, mutant handles, semaphore handles, window station handles, desktop handles, file handles, section handles, key handles, ALPC handles, all handles, modules, signature check, TCP over IPV4, TCP over IPV6, UDP over IPV4, and UDP over IPV6.

User info

This parameter displays who the owner of the process is and additional account information.

Handles

A handle is a descriptor that a process opens to access or modify a resource; it is a reference to that resource. For example, if a process opens a registry key, it holds a key handle to it. A handle can also refer to other kernel objects that a process has opened, such as mutants, semaphores, and threads.

Modules

A module, in this case, is a dynamic library the process has loaded or the name of the executable.

Mutant

A mutant is another name for a Mutex, formally known as a mutual exclusion. It ensures that two threads cannot access a shared resource at the same time. Typically, malware creates named mutexes that we can look for to show commonality between malware families.

Semaphore

A semaphore ensures that only so many threads can access a given resource at once. To use a restaurant analogy, only 50 people are allowed in the restaurant at a time; after that, no one may enter until someone else leaves. In other words, a maximum of 50 people are allowed in at any time.

Section

A section is a chunk of memory that can be shared with other processes or mapped to a file.

Advanced Local Procedure Call (ALPC)

Processes can have Advanced Local Procedure Call (ALPC) ports to communicate to various subsystems or processes. You can think of this as a local Remote Procedure Call (RPC) mechanism.

When choosing this forensic job:

  1. Enter the process ID (PID) in the "PID" field.
  2. Enter the parent PID in the "Parent PID" field.
  3. Check the appropriate parameters.
  4. Click the Save Scheduled Forensics button.

Installed Service

This job retrieves information about installed services. The job parameters are signature check, allow INET SIG, and security info.

Signature check

If a binary or DLL is signed, InsightIDR verifies that the signature is valid. On Windows, the output also indicates whether a DLL or executable is signed by Microsoft.

Allow INET SIG

This parameter enables or disables the use of the network to verify signatures. If it is disabled, InsightIDR uses only the local cache for revocation checking.

Security Info

This is a technical flag intended for AR/IR staff. It enables InsightIDR to collect the full access control and owner information for a given service.
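The following PowerShell script is an added example and is not InsightIDR code; it shows what the "signature check" and "security info" parameters of the Installed Service job correspond to when collected by hand. For each service it extracts the image path from the raw command line, checks the Authenticode signature, flags binaries validly signed by Microsoft, and optionally captures the service's security descriptor in SDDL form via `sc.exe sdshow`. It assumes an elevated Windows PowerShell 5.1 or later session; it does not emulate the "Allow INET SIG" toggle.

```powershell
# Added example (not InsightIDR code): signature check and security descriptor for each
# installed Windows service. Elevated PowerShell on Windows; sc.exe must be on the PATH.

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName is the raw command line, e.g.  "C:\Program Files\X\svc.exe" -arg
    # or  C:\Windows\system32\svchost.exe -k netsvcs
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) {
        return $PathName.Substring(1, $PathName.IndexOf('"', 1) - 1)
    }
    # Unquoted: the image path ends at the first ".exe" (case-insensitive) if present, else at the first space.
    $m = [regex]::Match($PathName, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($PathName -split '\s+')[0]
}

function Get-ServiceSignatureReport {
    param([switch]$IncludeSecurityInfo)

    foreach ($svc in Get-CimInstance Win32_Service) {
        $bin = Get-ServiceBinaryPath -PathName $svc.PathName
        # Expand %SystemRoot%-style variables that service paths commonly contain.
        if ($bin) { $bin = [Environment]::ExpandEnvironmentVariables($bin) }
        $exists = [bool]($bin -and (Test-Path -LiteralPath $bin))

        # Signature check: valid/invalid/not signed, plus the signer subject.
        $sig = $null
        if ($exists) {
            $sig = Get-AuthenticodeSignature -FilePath $bin -ErrorAction SilentlyContinue
        }

        # Security info: the service's security descriptor (owner, DACL, SACL) in SDDL form.
        $sddl = $null
        if ($IncludeSecurityInfo) {
            $sddl = (& sc.exe sdshow $svc.Name 2>$null | Where-Object { $_ -match '^[DSO]:' }) -join ''
        }

        [pscustomobject]@{
            Service         = $svc.Name
            StartMode       = $svc.StartMode
            State           = $svc.State
            RunAs           = $svc.StartName
            Binary          = $bin
            BinaryExists    = $exists
            SigStatus       = if ($sig) { $sig.Status.ToString() } else { 'NotChecked' }
            Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            MicrosoftSigned = [bool]($sig -and $sig.Status -eq 'Valid' -and
                                     $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
            SDDL            = $sddl
        }
    }
}

# Triage view: services whose binary is missing or is not validly signed by Microsoft.
Get-ServiceSignatureReport -IncludeSecurityInfo |
    Where-Object { -not $_.MicrosoftSigned -or -not $_.BinaryExists } |
    Sort-Object Service |
    Format-Table Service, State, RunAs, SigStatus, Binary -AutoSize
```

Review the SDDL column for services that grant write or change-config rights to non-administrative principals, and the `BinaryExists` column for services whose image is no longer on disk; both are common findings when this data is examined during an investigation.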

Directory Entry

This job retrieves information about specified directories. There are four parameters: path, directory depth, maximum file size, and minimum file size.

To select this job, complete the following steps:

  1. Enter the directory path in the "Path" field. Enter -1 to search all directories.
  2. Enter the directory depth in the "Directory depth" field. Enter -1 to search all directories.
  3. Enter the maximum file size (in megabytes) in the "Maximum File Size (MB)" field.
  4. Enter the minimum file size (in megabytes) in the "Minimum File Size (MB)" field.
  5. Check the Calculate MD5 Hashes checkbox if you need to calculate MD5 hashes.
  6. Check the Calculate SHA-1 Hashes checkbox if you need to calculate SHA-1 hashes.
  7. Click the Save Scheduled Hunt button to save the changes made.
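The following PowerShell function is an added example, not InsightIDR code, that performs the same kind of collection as the Directory Entry job with the same knobs: a path, a recursion depth where -1 means unlimited, minimum and maximum file sizes in megabytes, and optional MD5 and SHA-1 hashes. The function and parameter names are the example's own. It assumes Windows PowerShell 5.1 or later (for `Get-ChildItem -Depth` and `Get-FileHash`).

```powershell
# Added example (not InsightIDR code): directory listing with depth and size filters,
# optionally hashing each file with MD5 and/or SHA-1. Windows PowerShell 5.1+ or PowerShell 7.

function Get-DirectoryEntryReport {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [int]$Depth = -1,          # -1 = no depth limit; 0 = only the directory itself
        [double]$MinSizeMB = 0,
        [double]$MaxSizeMB = -1,   # -1 = no upper bound
        [switch]$MD5,
        [switch]$SHA1
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Path not found: $Path" }

    # -Force includes hidden and system files, which is what a forensic listing wants.
    $gciArgs = @{ LiteralPath = $Path; File = $true; Force = $true; Recurse = $true; ErrorAction = 'SilentlyContinue' }
    if ($Depth -ge 0) { $gciArgs.Depth = $Depth }

    $minBytes = [long]($MinSizeMB * 1MB)
    $maxBytes = if ($MaxSizeMB -ge 0) { [long]($MaxSizeMB * 1MB) } else { [long]::MaxValue }

    foreach ($f in Get-ChildItem @gciArgs) {
        if ($f.Length -lt $minBytes -or $f.Length -gt $maxBytes) { continue }

        $md5 = $null; $sha1 = $null; $hashError = $null
        try {
            if ($MD5)  { $md5  = (Get-FileHash -LiteralPath $f.FullName -Algorithm MD5  -ErrorAction Stop).Hash }
            if ($SHA1) { $sha1 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA1 -ErrorAction Stop).Hash }
        } catch {
            # Locked or unreadable file: keep the entry and record why hashing failed.
            $hashError = $_.Exception.Message
        }

        [pscustomobject]@{
            FullName         = $f.FullName
            SizeBytes        = $f.Length
            LastWriteTimeUtc = $f.LastWriteTimeUtc
            Attributes       = $f.Attributes.ToString()
            MD5              = $md5
            SHA1             = $sha1
            HashError        = $hashError
        }
    }
}

# Usage: executables up to 50 MB, two directory levels deep, with both hashes, written to CSV for the case file.
Get-DirectoryEntryReport -Path 'C:\Users\Public' -Depth 2 -MinSizeMB 0 -MaxSizeMB 50 -MD5 -SHA1 |
    Where-Object { $_.FullName -match '\.(exe|dll)$' } |
    Export-Csv -NoTypeInformation -Path "$env:TEMP\directory-entry-report.csv"
```

The size bounds are applied before hashing so that large files excluded by the maximum size are never read, which matters when the job is scheduled to run against many assets.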

DNS Cache

This job returns the local DNS cache and local A/CNAME record resolution if a resolver service is running.

This job never makes outbound requests to resolve entries; this behavior is hardcoded. This job does not accept parameters.

Network Connection

This job returns network connection information filtered by protocol and address family. The job parameters are all network info, TCP over IPV4, TCP over IPV6, UDP over IPV4, and UDP over IPV6.
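The following PowerShell function is an added example, not InsightIDR code, covering both the Current Process job (PID, parent PID, priority, owner, handle count, loaded modules, signature check) and the Network Connection job (TCP and UDP endpoints split by IPv4 and IPv6). It builds the same per-process picture from standard Windows cmdlets (`Get-CimInstance Win32_Process`, `Get-Process`, `Get-NetTCPConnection`, `Get-NetUDPEndpoint`, `Get-AuthenticodeSignature`). The function name and output field names are the example's own; it assumes an elevated Windows PowerShell 5.1 or later session.

```powershell
# Added example (not InsightIDR code): per-process owner, parent, modules, image signature and
# TCP/UDP endpoints by address family. Elevated Windows PowerShell 5.1+.

function Get-ProcessForensicSummary {
    param([int[]]$ProcessId = @())   # empty = every process

    # Win32_Process carries the parent PID, base priority, image path and (via GetOwner) the owner.
    $cim = Get-CimInstance Win32_Process
    if ($ProcessId.Count -gt 0) { $cim = $cim | Where-Object { $ProcessId -contains $_.ProcessId } }

    # Index sockets once, keyed by owning PID as a string, so the per-process loop is cheap.
    $tcp = Get-NetTCPConnection -ErrorAction SilentlyContinue | Group-Object OwningProcess -AsHashTable -AsString
    $udp = Get-NetUDPEndpoint   -ErrorAction SilentlyContinue | Group-Object OwningProcess -AsHashTable -AsString

    foreach ($p in $cim) {
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
        $proc  = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue

        # Signature check on the process image (the "signature check" parameter of the job).
        $sig = $null
        if ($p.ExecutablePath) {
            $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath -ErrorAction SilentlyContinue
        }

        # Loaded modules: DLLs plus the main executable. Protected or cross-bitness processes may refuse.
        $modules = @()
        if ($proc) {
            try { $modules = @($proc.Modules | ForEach-Object { $_.FileName }) } catch { $modules = @('<access denied>') }
        }

        $pidKey = [string]$p.ProcessId
        $t = @(); if ($tcp -and $tcp.ContainsKey($pidKey)) { $t = $tcp[$pidKey] }
        $u = @(); if ($udp -and $udp.ContainsKey($pidKey)) { $u = $udp[$pidKey] }
        # IPv6 literals contain ':'; IPv4 literals never do.
        $t4 = @($t | Where-Object { $_.LocalAddress -notmatch ':' }); $t6 = @($t | Where-Object { $_.LocalAddress -match ':' })
        $u4 = @($u | Where-Object { $_.LocalAddress -notmatch ':' }); $u6 = @($u | Where-Object { $_.LocalAddress -match ':' })

        [pscustomobject]@{
            PID             = $p.ProcessId
            ParentPID       = $p.ParentProcessId
            Name            = $p.Name
            Priority        = $p.Priority
            Owner           = if ($owner -and $owner.User) { "$($owner.Domain)\$($owner.User)" } else { $null }
            Image           = $p.ExecutablePath
            SigStatus       = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }
            Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            MicrosoftSigned = [bool]($sig -and $sig.Status -eq 'Valid' -and
                                     $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
            HandleCount     = if ($proc) { $proc.HandleCount } else { $null }
            Modules         = $modules
            TcpIPv4         = @($t4 | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)->$($_.RemoteAddress):$($_.RemotePort) $($_.State)" })
            TcpIPv6         = @($t6 | ForEach-Object { "[$($_.LocalAddress)]:$($_.LocalPort)->[$($_.RemoteAddress)]:$($_.RemotePort) $($_.State)" })
            UdpIPv4         = @($u4 | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" })
            UdpIPv6         = @($u6 | ForEach-Object { "[$($_.LocalAddress)]:$($_.LocalPort)" })
        }
    }
}

# Usage: one PID for a focused look, or no argument for every process; ConvertTo-Json keeps the arrays intact.
Get-ProcessForensicSummary -ProcessId $PID | Format-List
Get-ProcessForensicSummary | ConvertTo-Json -Depth 3 | Set-Content "$env:TEMP\process-summary.json"
```

Per-handle detail (key, section, mutant and ALPC handles) is not exposed by these cmdlets; the output above gives the handle count, and the job's individual handle parameters are what supply the per-object breakdown.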

Registry Key

This job parses specified registry hives for keys. When the agent is installed as a system service, HKEY_CURRENT_USER (HKCU) reflects this. If a user wants to look at a user specific key within the user’s hive, they need to root their queries from HKU/<user-sid> and not HKCU. The reason for this is HKCU is simply a pointer, in other words a symlink, to who is accessing the registry and in our case, the agent, as system. This means HKCU is actually pointing to HKU/<system-sid> and not the user who is logged in. This job also supports regex within key paths so users don’t need to know the exact key path names.

The parameters for this job are registry keys, search HKEY_CLASSES_ROOT, search HKEY_CURRENT_USER, search HKEY_LOCAL_MACHINE, search HKEY_USERS, search HKEY_CURRENT_CONFIG, recursive depth, and persistent.

To select this job, complete the following steps:

  1. Enter the registry key(s) in the "Registry Keys" field.
    • For example, the Registry keys format would be: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
  2. Check the appropriate Search HKEY parameter check boxes.
  3. Enter the recursion depth in the "Recursion Depth" field. Enter -1 to search all.
  4. If needed, check the Persistent check box.
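The following PowerShell script is an added example and not InsightIDR code; it illustrates the HKCU-versus-HKU point made above. The first function reports which HKEY_USERS subtree HKCU resolves to for the identity running the script (S-1-5-18 when run as SYSTEM, as an agent service would be), and the second reads a user-specific key by translating an account name to its SID and rooting the query at HKEY_USERS\<sid>, with an optional recursion depth and a regex filter on key and value names. Function names, parameters and the sample account name are the example's own; it assumes an elevated Windows PowerShell session and that the target user's profile hive is loaded.

```powershell
# Added example (not InsightIDR code): show what HKCU points at in the current security context,
# and read a user's key through HKEY_USERS\<sid> instead. Elevated Windows PowerShell 5.1+.

function Get-CurrentUserHiveTarget {
    # HKCU is a link to HKU\<SID of the caller>. Under SYSTEM that SID is S-1-5-18, not the logged-on user.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        Identity = $id.Name
        Sid      = $id.User.Value
        HkcuPath = "Registry::HKEY_USERS\$($id.User.Value)"
    }
}

function Get-UserRegistryKey {
    param(
        [Parameter(Mandatory)] [string]$UserName,      # DOMAIN\user or a local user name
        [Parameter(Mandatory)] [string]$RelativePath,  # path below the user's hive root
        [int]$RecurseDepth = 0,                        # 0 = this key only, -1 = unlimited, N = N levels
        [string]$NameRegex = '.*'                      # regex matched against subkey names and value names
    )
    # The user's hive is named by SID under HKEY_USERS, so translate the account name first.
    $sid  = ([System.Security.Principal.NTAccount]$UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value
    $hive = "Registry::HKEY_USERS\$sid"
    $root = "$hive\$RelativePath"

    if (-not (Test-Path -LiteralPath $hive)) {
        # The hive is present under HKU only while the profile is loaded (user logged on, or loaded with reg.exe load).
        throw "Hive for $UserName ($sid) is not loaded under HKEY_USERS."
    }
    if (-not (Test-Path -LiteralPath $root)) { return }

    $keys = @(Get-Item -LiteralPath $root)
    if ($RecurseDepth -ne 0) {
        $gci = @{ LiteralPath = $root; Recurse = $true; ErrorAction = 'SilentlyContinue' }
        if ($RecurseDepth -gt 0) { $gci.Depth = $RecurseDepth }
        $keys += Get-ChildItem @gci
    }

    foreach ($k in $keys) {
        foreach ($vn in $k.GetValueNames()) {
            if ($vn -notmatch $NameRegex -and $k.PSChildName -notmatch $NameRegex) { continue }
            [pscustomobject]@{
                Sid   = $sid
                Key   = $k.Name
                Value = if ($vn) { $vn } else { '(Default)' }
                Type  = $k.GetValueKind($vn).ToString()
                Data  = $k.GetValue($vn)
            }
        }
    }
}

Get-CurrentUserHiveTarget

# Sample call with a constructed account name: the per-user Run key of that account, all subkeys included.
Get-UserRegistryKey -UserName "$env:COMPUTERNAME\exampleuser" `
    -RelativePath 'Software\Microsoft\Windows\CurrentVersion\Run' -RecurseDepth -1 |
    Format-Table Key, Value, Type, Data -AutoSize
```

Running `Get-CurrentUserHiveTarget` first from an interactive session and then from a SYSTEM context (for example, through a scheduled task or `psexec -s`) makes the difference concrete: the same `HKCU:` path reads two different hives.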

Scheduled Task

This job retrieves all scheduled tasks on an asset. This job does not accept parameters.

User Session

This job enumerates all of the system sessions on an asset. The job parameters are active connections and remote connections.

On Windows Vista and Windows Server 2008 and later, only services run in session 0; interactive users appear in session 1 and higher. This is normal behavior that Microsoft introduced as a security fix called "session 0 isolation."
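The following PowerShell script is an added example, not InsightIDR code, that shows session 0 isolation on a live system: it groups running processes by session ID so that session 0 (services) and the user sessions above it can be told apart, and separately lists interactive and remote-interactive logon sessions with the account behind each. Function names are the example's own; it assumes an elevated Windows PowerShell 5.1 or later session.

```powershell
# Added example (not InsightIDR code): processes grouped by session, and interactive logon sessions.
# Elevated Windows PowerShell 5.1+ (Get-Process -IncludeUserName requires elevation).

function Get-SessionSummary {
    $procs = Get-Process -IncludeUserName -ErrorAction SilentlyContinue
    $bySession = $procs | Group-Object SessionId | Sort-Object { [int]$_.Name }
    foreach ($g in $bySession) {
        $users = @($g.Group | Where-Object UserName | Select-Object -ExpandProperty UserName -Unique)
        [pscustomobject]@{
            SessionId    = [int]$g.Name
            Kind         = if ([int]$g.Name -eq 0) { 'Services (session 0)' } else { 'User session' }
            ProcessCount = $g.Count
            Accounts     = $users -join ', '
            SampleProcs  = (@($g.Group | Select-Object -First 5 -ExpandProperty ProcessName)) -join ', '
        }
    }
}

function Get-InteractiveLogons {
    # Win32_LogonSession LogonType: 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
    # Win32_LoggedOnUser associates each logon session with its account.
    $sessions = Get-CimInstance Win32_LogonSession | Where-Object { $_.LogonType -in 2, 10, 11 }
    foreach ($s in $sessions) {
        $acct = Get-CimAssociatedInstance -InputObject $s -ResultClassName Win32_Account -ErrorAction SilentlyContinue |
                Select-Object -First 1
        [pscustomobject]@{
            LogonId   = $s.LogonId
            LogonType = $(switch ($s.LogonType) { 2 { 'Interactive' } 10 { 'RemoteInteractive' } 11 { 'CachedInteractive' } default { $s.LogonType } })
            StartTime = $s.StartTime
            Account   = if ($acct) { "$($acct.Domain)\$($acct.Name)" } else { $null }
        }
    }
}

Get-SessionSummary   | Format-Table -AutoSize
Get-InteractiveLogons | Format-Table -AutoSize
```

In the first table, an interactive account appearing among the processes of session 0, or a service account running processes in a user session, is the kind of anomaly the User Session job's output is meant to surface; the second table gives the logon-type context (console versus RDP) for each user session.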
