
UI: Process Tree View

Open binglot opened this issue 4 years ago • 2 comments

Details

It would be great to have alternative ways of displaying data in Timesketch. One of them could be a process tree view, with the following requirements:

  1. Display a list of processes in a "tree-like" format, with parent-child relationship between processes.

  2. Allow tagging processes of interest.

  3. Display certain properties of processes (e.g. start/exit times, user, session).

  4. Provide sorting by the properties to allow grouping processes that belong to the same session, user, etc.

  5. Colouring entries to provide visual clues (e.g. by session, for "suspicious" execution branches).

  6. Support multiple types of input data (e.g. list of currently running processes, evidence of past executions such as syscalls for Linux or Sysmon for Windows, Windows EID 4688, etc.).

Mock-up Solution:

Process Tree View

Reasoning

Presenting collected evidence in different forms:

  • Help gain new insights
    • "20 days gap"
    • "a pattern" of incremental files created every ~30min at %appdata%\bus\
  • Lead to focus on a subset of data
    • Please review "User Downloads" & "Browser history" and provide "context"
    • Tag suspicious executions and pivot in master timeline
  • Not always appropriate

Advantages of this view:

  • Displays Parent-Child Relationship
  • Spot anomalous executions
    • Winword.exe spawns PowerShell.exe
  • Visual grouping
    • Session 0 vs Session 1
  • Interactive vs Non-Interactive Executions
    • "Explorer.exe -> abc.exe" VS "Svchost.exe -> abc.exe"

binglot avatar May 26 '20 02:05 binglot
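As an added illustration of requirements 1, 3 and 6 and the "Winword.exe spawns PowerShell.exe" advantage above (example code, not part of this issue or of Timesketch): a minimal parent-child tree built from process-creation events. The event records are constructed here and only mimic the pid/ppid/image/user/session fields of Windows EID 4688 or Sysmon EID 1; the `SUSPICIOUS_PAIRS` list and the `suspicious-parent` tag name are assumptions for the demo.

```python
from collections import defaultdict

# Constructed sample events (pid, ppid, image, user, session, start time); not real telemetry.
EVENTS = [
    {"pid": 4, "ppid": 0, "image": "System", "user": "SYSTEM", "session": 0, "start": "09:00:00"},
    {"pid": 600, "ppid": 4, "image": "svchost.exe", "user": "SYSTEM", "session": 0, "start": "09:00:05"},
    {"pid": 1200, "ppid": 600, "image": "abc.exe", "user": "SYSTEM", "session": 0, "start": "09:02:00"},
    {"pid": 800, "ppid": 0, "image": "explorer.exe", "user": "alice", "session": 1, "start": "09:01:00"},
    {"pid": 2300, "ppid": 800, "image": "winword.exe", "user": "alice", "session": 1, "start": "09:05:00"},
    {"pid": 2400, "ppid": 2300, "image": "powershell.exe", "user": "alice", "session": 1, "start": "09:05:30"},
]
# Parent/child image pairs to tag, from the issue's "Winword.exe spawns PowerShell.exe" example.
SUSPICIOUS_PAIRS = {("winword.exe", "powershell.exe")}

def build_tree(events):
    """Index events by pid and map each ppid to its children in start-time order."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in sorted(events, key=lambda e: e["start"]):
        children[e["ppid"]].append(e["pid"])
    return by_pid, children

def tag_suspicious(by_pid, children):
    """Tag a child whose (parent image, child image) pair is in SUSPICIOUS_PAIRS."""
    tags = {}
    for ppid, kids in children.items():
        if ppid in by_pid:  # skip children whose parent event is missing from the data
            for pid in kids:
                if (by_pid[ppid]["image"].lower(), by_pid[pid]["image"].lower()) in SUSPICIOUS_PAIRS:
                    tags[pid] = "suspicious-parent"
    return tags

def render(by_pid, children, tags, pid, depth=0):
    """Indented lines for the subtree at pid, showing session, user, start time and tag."""
    e, tag = by_pid[pid], (f"  [{tags[pid]}]" if pid in tags else "")
    lines = [f"{'  ' * depth}{e['image']} (pid {pid}, session {e['session']}, {e['user']}, {e['start']}){tag}"]
    for child in children.get(pid, []):
        lines.extend(render(by_pid, children, tags, child, depth + 1))
    return lines

def process_tree(events):
    """Tree as text lines plus the tag map; roots are pids whose parent is absent from the data."""
    by_pid, children = build_tree(events)
    tags = tag_suspicious(by_pid, children)
    roots = sorted(pid for pid, e in by_pid.items() if e["ppid"] not in by_pid)
    lines = [line for root in roots for line in render(by_pid, children, tags, root)]
    return lines, tags

if __name__ == "__main__":
    print("\n".join(process_tree(EVENTS)[0]))
```

Treating a pid whose parent is absent as a root keeps orphaned events visible instead of dropping them, which matters when the collection window starts after the parent was created.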

Maybe it would be easier with graphs. Making queries to Neo4j would be more interesting and much easier than developing them directly on Elastic. An analyzer could create a graph for each timeline. On this new graph you can create analyzers that look for patterns. I have worked on something similar: https://github.com/SecSamDev/sysmon-arangodb

SecSamDev avatar Jun 19 '20 13:06 SecSamDev

Hey @SecSamDev, thanks for the suggestion! I was originally thinking about a more traditional "tree"-based view. I thought it would be better suited if you have logs of execution that contain a high number of entries (for instance, 5000 entries). Have you found the graph representation useful in your past investigations?

binglot avatar Jul 02 '20 06:07 binglot