Lens Concept
By Colin

Figure 1 (process, file and network graph; only the node labels survive extraction): word.exe, payload.exe, wmiexec.exe, /sensitive/file, evil.com, explorer.exe, cmd.exe.

Figure 2 (risk signatures matched on that graph; nodes shown: word.exe, payload.exe, evil.com, wmiexec.exe, cmd.exe):
  word.exe talking to non-whitelisted domain
  word.exe spawning child process
  wmiexec from non standard grandparent process
  Process with network access creates file, executes child from it

Figure 3 (risk scores attached to the matched signatures): Risk: 50, Risk: 100, Risk: 75, Risk: 80.

Figure 4 (Asset Lens): Through the lens of an asset, view the scope of risks within that lens.
  Risk Node  name: 'word with child process'  score: 100
  Risk Node  name: 'word network'  score: 80
  Risk Node  name: 'wmiexec grandparent'  score: 75
  Risk Node  name: 'file created and then executed'  score: 50
  Risk Node  name: 'unique parent process pair'  score: 20
  Lens score: 400
Lens score is the sum of all scoped nodes' risk scores, where overlapping risks on a node give a % bonus.

Figure 5 (Asset Lens for host mallory-win7; graph nodes chrome.exe, mal.doc, word.exe, payload.exe):
  Risk Node  name: 'word with child process'  score: 100
  Risk Node  name: 'Commonly Targeted App Read Browser Created File'  score: 10
  Risk Node  name: 'Browser Created File'  score: 5
Sorted list of lenses.
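Lens scoring and the sorted lens list, as an added illustration (not code from the slides or from any project they describe). The bonus percentage and which graph nodes each risk is scoped to are assumptions; the slides give the risk names and scores but not those details.

```python
from dataclasses import dataclass

# Assumed: each extra risk sharing a graph node adds this fraction of the
# co-located risks' scores (the slides say "a % bonus", no percentage given).
OVERLAP_BONUS = 0.10


@dataclass(frozen=True)
class RiskNode:
    name: str
    score: int
    scope: frozenset  # graph nodes (processes, files, domains) the risk attaches to


@dataclass
class Lens:
    asset: str
    risks: list


def overlap_bonus(lens):
    """Bonus for graph nodes that carry more than one risk inside this lens."""
    by_node = {}
    for risk in lens.risks:
        for node in risk.scope:
            by_node.setdefault(node, []).append(risk)
    bonus = 0.0
    for risks in by_node.values():
        if len(risks) > 1:
            bonus += OVERLAP_BONUS * (len(risks) - 1) * sum(r.score for r in risks)
    return bonus


def lens_score(lens):
    """Sum of scoped risk scores plus the overlap bonus."""
    return sum(r.score for r in lens.risks) + overlap_bonus(lens)


def sorted_lenses(lenses):
    """Highest-scoring lens first, i.e. the asset to triage first."""
    return sorted(lenses, key=lens_score, reverse=True)


# Constructed sample lenses using the slides' risk names and scores; scopes assumed.
LENSES = [
    Lens("asset-1 (unnamed on the slides)", [
        RiskNode("word with child process", 100, frozenset({"word.exe", "payload.exe"})),
        RiskNode("word network", 80, frozenset({"word.exe", "evil.com"})),
        RiskNode("wmiexec grandparent", 75, frozenset({"wmiexec.exe", "cmd.exe"})),
        RiskNode("file created and then executed", 50, frozenset({"word.exe", "payload.exe"})),
        RiskNode("unique parent process pair", 20, frozenset({"payload.exe", "wmiexec.exe"})),
    ]),
    Lens("mallory-win7", [
        RiskNode("word with child process", 100, frozenset({"word.exe", "payload.exe"})),
        RiskNode("Commonly Targeted App Read Browser Created File", 10, frozenset({"word.exe", "mal.doc"})),
        RiskNode("Browser Created File", 5, frozenset({"chrome.exe", "mal.doc"})),
    ]),
]

if __name__ == "__main__":
    for lens in sorted_lenses(LENSES):
        print(f"{lens.asset}: {lens_score(lens):.1f}")
```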