13. ProcessCheck

The ProcessCheck module performs several different checks. Some of them inspect process characteristics such as parent/child relations, process priorities and executable file locations for anomalies. Others evaluate the processes' network connections, and YARA checks match on the process memory.

13.1. References

13.2. Samples

Aug 26 13:02:27 server22.local.net/10.6.19.8
THOR: Warning: MODULE: ProcessCheck
MESSAGE: Process started from a typical attacker / malware location
PID: 8336
PPID: 5796
PARENT: C:\temp\ProcessMonitor\Procmon.exe
NAME: Procmon64.exe
OWNER: server-ABC123
COMMAND: "C:\Users\SERVER~4\AppData\Local\Temp\2\Procmon64.exe" /originalpath "C:\temp\ProcessMonitor\Procmon.exe"
PATH: C:\Users\SERVER~4\AppData\Local\Temp\2\Procmon64.exe
CREATED: 24.08.2017

Aug 26 13:02:55 server.local.net/10.1.19.2
THOR: Warning: MODULE: ProcessCheck
MESSAGE: Yara rule match on process
PID: 32980
PPID: 4104
PARENT: C:\Program Files\Internet Explorer\iexplore.exe
NAME: iexplore.exe
OWNER: SYSTEM
COMMAND: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
PATH: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
CREATED: 24.08.2017 05:00:02
MD5: e3da77b534d7dff8a2ae6a577a44703b
CONNECTION_COUNT: 0
LISTEN_PORTS: -
RULE: CN_C2_Domain_HvS_Client_A3
DESCRIPTION: THOR HvS Client A3 - C2 domain in file
REFERENCE: -
SCORE: 75
STRINGS:
        Str1: .lookipv6.com

13.3. Typical False Positives

  • Legitimate software started from strange locations

  • Old Windows versions (XP, 2003) show abnormal parent/child relation and process priority warnings

  • Process end points in suspicious GEO IP regions of the world (e.g. system in China with process connections to other systems in China)

  • Process memory scan alerts in processes that may contain clear-text signatures (AV process memory, VMWare tools (copied THOR to the system), GRR, SearchIndexer)

13.4. Attribute Evaluation

Attribute | Question                                                                        | Answer | Indication | Weight
----------|--------------------------------------------------------------------------------|--------|------------|-------
COMMAND   | Is the executable a well-known SysInternals tool?                               | Yes    | Good       | Medium
PATH      | See chapter File Path Checks                                                    |        |            |
PARENT    | Is the parent of the suspicious process a Microsoft Office program?             | Yes    | Bad        | High
OWNER     | Does the owner of the suspicious process start with IWAM_, IUSR_ or IIS_?       | Yes    | Bad        | Medium
MESSAGE   | Did the YARA rule match on IEXPLORE.EXE or VMware Tools process memory? (Note: Internet Explorer and VMware Tools process memory is prone to false positives) | Yes | Good | Low
MESSAGE   | Did the YARA rule match on Antivirus or Security tool process memory? (e.g. CarbonBlack, GRR) | Yes | Good | High
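As an added worked example (not THOR's own code), the helper below parses an alert in the KEY: value layout of the samples above and applies the rows of the attribute evaluation table to it. The embedded alert is the manual's first sample (shortened); the Sysinternals, Office, VMware Tools and security-tool image names are illustrative assumptions, not a list from the manual.

```python
import re

# Added triage helper for THOR ProcessCheck alerts (example code, not part of THOR).
# The process-name sets below are illustrative assumptions; extend them from your own inventory.
SYSINTERNALS = {"procmon.exe", "procmon64.exe", "procexp.exe", "autoruns.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
FP_MEMORY = {"iexplore.exe", "vmtoolsd.exe"}        # IE and VMware Tools process memory
SECURITY_TOOLS = {"cb.exe", "grr.exe"}              # assumed AV / EDR image names

def parse_alert(text):
    """Return the alert's fields as a dict; the first line is the 'host/ip' header."""
    lines = text.strip().splitlines()
    fields = {"HOST": lines[0].split()[-1]}
    for line in lines[1:]:
        m = re.match(r"THOR: (\w+): MODULE: (\w+)", line)   # e.g. "THOR: Warning: MODULE: ProcessCheck"
        if m:
            fields["LEVEL"], fields["MODULE"] = m.groups()
        else:
            key, _, value = line.strip().partition(":")
            fields[key] = value.strip()
    return fields

def image_name(value):
    """First *.exe file name inside a PATH, PARENT or COMMAND value, lower-cased."""
    m = re.search(r'([^\\/"\s]+\.exe)', value, re.I)
    return m.group(1).lower() if m else ""

def evaluate(fields):
    """Apply the attribute table rows; returns [(attribute, indication, weight), ...]."""
    hits = []
    if image_name(fields.get("COMMAND", "")) in SYSINTERNALS:
        hits.append(("COMMAND", "Good", "Medium"))
    if image_name(fields.get("PARENT", "")) in OFFICE:
        hits.append(("PARENT", "Bad", "High"))
    if fields.get("OWNER", "").upper().startswith(("IWAM_", "IUSR_", "IIS_")):
        hits.append(("OWNER", "Bad", "Medium"))
    if fields.get("MESSAGE", "").startswith("Yara rule match"):
        name = fields.get("NAME", "").lower()
        if name in FP_MEMORY:
            hits.append(("MESSAGE", "Good", "Low"))
        if name in SECURITY_TOOLS:
            hits.append(("MESSAGE", "Good", "High"))
    return hits

# The manual's first sample alert, shortened to the fields the table evaluates.
SAMPLE = r"""Aug 26 13:02:27 server22.local.net/10.6.19.8
THOR: Warning: MODULE: ProcessCheck
MESSAGE: Process started from a typical attacker / malware location
PARENT: C:\temp\ProcessMonitor\Procmon.exe
NAME: Procmon64.exe
OWNER: server-ABC123
COMMAND: "C:\Users\SERVER~4\AppData\Local\Temp\2\Procmon64.exe" /originalpath "C:\temp\ProcessMonitor\Procmon.exe"
PATH: C:\Users\SERVER~4\AppData\Local\Temp\2\Procmon64.exe
"""
```

For the sample, `evaluate(parse_alert(SAMPLE))` yields a single COMMAND row with a Good indication of Medium weight: the binary ran from a Temp directory, but it is a well-known Sysinternals tool.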