Scripts

A lot of recent attacks/infections are performed using a “file-less” malware, which happens by executions of scripts, which are delivering a malicious payload or doing any harmful activity.

EEI provides granular visibility into all scripts that have been executed within the company and shows details about what changes were done, and if any of the scripts triggered a specific behavior-based detection.

Security engineers can see details about the event, entire process tree, detailed parameters of the command line (arguments), etc. – all of the details that are needed for the detailed forensic investigation.

An important feature of Scripts View is the ability to group scripts by “command line” which allows you to easily spot anomalies or potentially suspicious activities.

 

At this time, scripts written in Visual Basic and Powershell/WScript/CScript are supported.

When you click the process name, you are redirected to Process details.

Right-click process name or left click anywhere else on the row to bring up a context menu with the following options:

Details—you are redirected to Process details.

Details (New Tab)—same as above, but in the new tab

Aggregated Events—you are redirected to Aggregated Events tab of this specific process

Detections—you are redirected to the Detections tab with a list of detections for this specific script

Raw Events—you are redirected to the Raw Events tab of this specific process

Loaded Modules—you are redirected to the Loaded Modules of that particular process

Parent Process—you are redirected to the Process Details of the Parent Process of this process if the Parent Process exists

First Child Process—you are redirected to the Process Details of the First Child Process that was executed by this process if the Child Process exists

Mark as Safe—Safe state, which is used by many rules to determine the risk. Mark as Safe does have an impact on detections. Mark as Safe does not necessarily guarantee that a particular module will never be included in detections. There are a few hundred rules, and some raise detections, regardless of which module executed the suspicious action. For example, a popular instance, trusted modules as powershell, can do it. Other rules try to evaluate risk on the basis of the module. Such rules take “safe” flag into consideration. This flag means that the user analyzed the module, and it is unlikely that the module is malicious, so rules assume that the risk is lower during the evaluation.

Mark as Unsafe—mark as unsafe, for example, if you mistakenly marked it as safe

Create Exclusion—create an exclusion for a script. Also can use buttonCreate_Exclusion at the bottom right corner

Download Script—opens the window for downloading the script for further investigation. Only if the script is still available in the network. Also can use buttonDownload_Scriptat the bottom right corner. This button is also available in the Process details view.

Display Absolute/Relative Time—Absolute time will show the time in format DD/MM/YYYY HH:MM:SS. Relative time will show the time in the format minutes/hours/months in relation to present time, like "15 minutes ago" or "6 days ago"

Filter—you can find these quick filters, depending on the column:

oShow only this—Shows only records, based on this particular value

oHide this—Hides all records based on this particular value

oShow before—shows only records that are before this value (for example, time)

oShow after—shows only records that are after this value (for example, time)

oShow lower—Shows only records, which value is lower than this particular one

oShow higher—Shows only records, which value is higher than this particular one

Tags

Tagging is an additional form of filtering that can connect multiple objects through multiple views (computer, executable, event filter, etc.). If available, the tag icon Tag_Panel is on the left side, next to the name of the view. In the Computers view, the tag panel can be accessed by clicking the Three_dots icon. In the opened tag panel, all created tags are listed and ready to use. If the list of tags is already too long, you can use the magnifying glass to search for a specific tag. At the top of the screen, the TAGS selector can be used to select the desired tags. If available, the user can use also TAGS button located at the bottom of the screen among action buttons.

There are filter options that you can use to sort the detections in order:

1.Source of Detections

2.Status

3.Additional filters

 

Process Groups

Ungrouped—ungrouped list of scripts sorted by Process Name (ID).

First child executable—grouped by first child process that is a successor of the script. Name and the process ID in Task Manager

Parent executable—grouped by parent process that is an ancestor of the script. Name and the process ID in Task Manager

Command line—grouped by name of command line/process name(ID) that was used to execute the executable

 

Status (Threat, Warning, Info, OK)   eei_satus_filter_icons

There are four statuses:

Threat Alarm_Severity_Threat

Warning Alarm_Severity_Warning

Info Alarm_Severity_Info

Ok Executables_Status_Ok

 

Additional filters

The additional filters are accessible by clicking the ADD FILTER button or clicking on a space next to the add filter button, where the list of available filters shows. The user can search filter by typing its name or selecting from the list. For the definitions of the additional filters, follow here.

Some of the filters have a funnel icon next to them with two or four possible predefined options:

Unknown—the value in the filtered column is not available (probably not a known value at the time of occurrence)

Known—the value is available

None—value is an empty string

Any—the value is not empty. The negation of None filter

If present on the screen you, can refresh the table by clicking the refresh iconAlarms_Refresh. If available, the export icon Export_CSV can be used to export the table grid to CSV format and use it in other applications to work with the list.

If present, click the PRESETS button to manage filter sets. These options are available:

Save filters—allows you to save the actual filter set. Select the check box Include the visible columns and sorting to save also this setting of your selection, otherwise when loading saved filter without this option selected will end up by showing you the default column setting

Reset filters—resets active filter and return to default filter setting with default column setting

Reset view—resets the active view without resetting the filter set

Manage—allows you to manage your filter sets

Save Filters as Rule—if available, allows you to save the filter as a rule. You can find it then in the list of rules under the Detection rules sub-tab of the admin tab

Columns

Columns can be reorganized by using the Columns_Move icon that appears on the right side of the column name when you hover the mouse over the column name.

The width of the column can be re-sized by the Column_Resize icon that appears on the left side of the column name when you hover the mouse over the column name.

The order of the columns can be organized by clicking the name of the column:

Default (No icon)

Ascending Column_Ascending

Descending Column_Descending

You can change which columns are displayed after clicking the gear icon and selecting the Select column option, or you can reset the view to default by clicking the Reset columns option. You can use Enter quick search pattern—here, you can search for the column by typing its name or a couple of letters from it. Useful if the list of columns is long. For the definitions of the columns follow here.