PSList Analysis and Netscan Lookups Using Graylog

Last month I introduced a simple Python script, called vol2log, that ships the JSON output file that Volatility creates to Graylog. Since then, I've been working on different ways to enhance that data, so we can automate some of our Threat Hunting and easily scale it. A lot of what I'm doing exists already in single plugins, like malprocfind, which is awesome for doing analysis on a single machine, but there are a lot of plugins that do not support JSON output, which prevents us from easily shipping those outputs to any SIEM. It would probably be just as easy for me to go add that functionality to those specific plugins, but I intend to expand a lot of the Graylog pipelines I've created to include the output from a Threat-Hunting PowerShell framework I'm also working on.

Having said that, I'm going to contradict myself a bit, as nested queries aren't really a thing yet in Elasticsearch and it was a bit easier to do some of this analysis in the vol2log script itself. Eventually the idea is to migrate these analysis techniques into Graylog pipelines, and just update this project as I develop new analysis for different plugins as well as some of the PowerShell scripts I have written.

PSList enhancements: To begin with, the vol2log script has been updated to include additional analysis for the output of pslist. This additional analysis consists of enumerating through the entire output and identifying the PIDs of key processes. With this information we are able to check the following:

  • That common critical Windows processes have the correct parent process. This list should grow as I continue to develop it.
  • That the number of processes is correct, and that there are not too many instances of certain processes running.

If any of the above checks fail, a field will be created called "PotentiallyMaliciousProcess" which will be set to True. By generating a quick chart pivoting on any "PotentiallyMaliciousProcess" field that is set to true, we can identify typical techniques that are used and analyze them as we ship our logs from a variety of sources. Here is an example from a single host showing 3 different lsass.exe processes, so the script identified this as being abnormal as there is only supposed to be a single lsass instance.


There are a few false positive issues that I've encountered, which were to be expected, as there are certain processes that exit after creating children after the initial startup, such as smss, csrss, wininit, etc. I'm working on a way to resolve this issue. The psscan Volatility plugin solves this issue as it should include those exited processes, but I'm still doing some testing on that portion.
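The two checks above, including the exited-parent case, can be sketched as follows. This is an added example, not code from vol2log: the baseline table, the `ParentListed` and `Reasons` fields and the sample rows are assumptions made for illustration, and only the Name, PID and PPID columns of pslist are used.

```python
from collections import Counter

# Illustrative baseline (assumed for this example, not vol2log's own list):
# process name -> (expected parent name, maximum instances or None)
BASELINE = {
    "wininit.exe": ("smss.exe", 1),
    "services.exe": ("wininit.exe", 1),
    "lsass.exe": ("wininit.exe", 1),
    "svchost.exe": ("services.exe", None),
}

# Constructed pslist rows; only the Name, PID and PPID columns are used.
SAMPLE_ROWS = [
    {"Name": "System", "PID": 4, "PPID": 0},
    {"Name": "wininit.exe", "PID": 400, "PPID": 340},   # parent smss.exe has exited
    {"Name": "services.exe", "PID": 480, "PPID": 400},
    {"Name": "lsass.exe", "PID": 496, "PPID": 400},
    {"Name": "svchost.exe", "PID": 620, "PPID": 480},
    {"Name": "explorer.exe", "PID": 1800, "PPID": 1764},
    {"Name": "lsass.exe", "PID": 2310, "PPID": 1800},
    {"Name": "lsass.exe", "PID": 2544, "PPID": 1800},
    {"Name": "svchost.exe", "PID": 3100, "PPID": 1800},
]


def flag_pslist(rows):
    """Return copies of rows with PotentiallyMaliciousProcess and Reasons added."""
    name_by_pid = {int(r["PID"]): r["Name"].lower() for r in rows}
    counts = Counter(r["Name"].lower() for r in rows)
    flagged = []
    for r in rows:
        name, reasons, parent_listed = r["Name"].lower(), [], True
        if name in BASELINE:
            expected_parent, max_count = BASELINE[name]
            parent = name_by_pid.get(int(r["PPID"]))
            if parent is None:
                # Parent exited before acquisition: unverifiable, so record it
                # instead of raising the false positive described above.
                parent_listed = False
            elif parent != expected_parent:
                reasons.append(f"parent {parent}, expected {expected_parent}")
            if max_count is not None and counts[name] > max_count:
                reasons.append(f"{counts[name]} instances, expected at most {max_count}")
        flagged.append({**r, "ParentListed": parent_listed,
                        "PotentiallyMaliciousProcess": bool(reasons), "Reasons": reasons})
    return flagged


if __name__ == "__main__":
    for row in flag_pslist(SAMPLE_ROWS):
        if row["PotentiallyMaliciousProcess"]:
            print(row["PID"], row["Name"], row["Reasons"])
```

Rows with `ParentListed` set to False are the ones worth re-checking against psscan output, since the parent may simply have exited.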

PSList Future Plans: Within the next week or so, I should also have a list of over 100 common applications, which I will use to create a duplicated stream for a filtered PSList that will assist in removing known services and will generate a list of all the leftover services. This should help with not only quickly identifying the oddball services that were running, but also make persistence techniques, like naming a service scvhost.exe, stand out even more.

Netscan: The next update to this project was for the Netscan plugin. One of the newest features of Graylog, released in version 2.4, is the ability to perform AlienVault Open-Threat Exchange lookups on attributes like IP addresses, file hashes and domain names. The pipeline that I've included in this project essentially just parses out the IP address of the Volatility Netscan output, and performs a lookup to identify any known malicious activity associated with that IP address. I've included the pipeline below:

rule "Netscan OTX Lookup"
when
    has_field("plugin") &&
    contains(to_string($message.plugin), "netscan")
then
    // ForeignAddr is "address:port"; keep the part before the first colon (IPv4 only)
    let dst_ipaddr = split(":", to_string($message.ForeignAddr));
    set_field("dst_IPAddress", dst_ipaddr[0]);
    // Look the address up in AlienVault OTX and record the verdict
    let intel = otx_lookup_ip(to_string($message.dst_IPAddress));
    set_field("Malicious_IP_Identified", intel.otx_threat_indicated);
end

This pipeline simply extracts the IP address from the ForeignAddr field that Volatility creates and performs a lookup on AlienVault's Open-Threat Exchange, from which we can create a dashboard like this:


We could also go a step further and only list values that were true, but I thought I would simply show the difference between a known malicious IP, and an IP that previously has not had any malicious activity associated with it.
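Splitting ForeignAddr on the first colon works for IPv4 but truncates IPv6 addresses, and it also passes wildcard and unspecified values on to the lookup. The following added example (not part of vol2log or the pipeline above) shows one way to pre-extract the address in Python before shipping; the function names and sample values are constructed, and it assumes ForeignAddr is always printed as the address followed by a colon and the port.

```python
import ipaddress

# Constructed ForeignAddr values in the "address:port" form the rule above splits.
SAMPLE_FOREIGN_ADDRS = [
    "8.8.8.8:53", "*:*", "0.0.0.0:0", ":::0", "10.1.2.3:445",
    "2606:4700:4700::1111:443", "8.8.8.8:443", "1.1.1.1:853",
]


def foreign_ip(foreign_addr):
    """Return the remote IP as text, or None when there is no usable address."""
    # The port is always the last colon-separated field, so split from the right.
    host, sep, _port = foreign_addr.strip().rpartition(":")
    if not sep:
        return None
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None  # e.g. "*" on UDP endpoints with no remote peer


def lookup_candidates(foreign_addrs):
    """Unique, globally routable IPs worth a reputation lookup, in input order."""
    seen, candidates = set(), []
    for value in foreign_addrs:
        ip = foreign_ip(value)
        # Skip wildcards, duplicates, and private/unspecified/loopback addresses,
        # which a threat-intelligence lookup cannot say anything useful about.
        if ip is None or ip in seen or not ipaddress.ip_address(ip).is_global:
            continue
        seen.add(ip)
        candidates.append(ip)
    return candidates


if __name__ == "__main__":
    print(lookup_candidates(SAMPLE_FOREIGN_ADDRS))
```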

I will eventually add a tutorial on how to set up these pipelines, but Graylog has done such a good job at documenting this process that I do not think it is needed at the moment, so in the meantime I'll just post a link to their documentation on pipelines. I will have a GitHub repository for all of these pipelines soon, and should be releasing a content-pack that has a lot of the streams and configurations already included so there is minimal work for initial setup and deployment, and I will include a walk-through for all of you who are unfamiliar with Graylog.

I also intend to package all of the deployment process into an Ansible playbook, as Graylog Content Packs do not currently include Pipelines, but that will come at a later date. Again, I would greatly appreciate any feedback, and if you encounter any issues please let me know. Thanks!