[Diagram: process graph with nodes word.exe, payload.exe, wmiexec.exe, /sensitive/file, evil.com, explorer.exe, cmd.exe]
word.exe talking to non-whitelisted domain
word.exe spawning child process
wmiexec from non-standard grandparent process
[Diagram: word.exe, payload.exe, evil.com]
Process with network access creates file, executes child from it
[Diagram: nodes payload.exe, wmiexec.exe, cmd.exe annotated with Risk: 50, Risk: 100, Risk: 75, Risk: 80]
[Diagram: process graph with nodes word.exe, payload.exe, evil.com, wmiexec.exe, cmd.exe]

Asset Lens
Through the lens of an asset, view the scope of risks within that lens

Risk Node
  name: 'word with child process'
  score: 100
Risk Node
  name: 'word network'
  score: 80
Risk Node
  name: 'wmiexec grandparent'
  score: 75
Risk Node
  name: 'file created and then executed'
  score: 50
Risk Node
  name: 'unique parent process pair'
  score: 20

score: 400
Lens score is the sum of all scoped nodes' risk scores, where overlapping risks on a node give a % bonus
[Diagram: chrome.exe, mal.doc, word.exe, payload.exe]
Asset Lens: mallory-win7

Risk Node
  name: 'word with child process'
  score: 100
Risk Node
  name: 'Commonly Targeted App Read Browser Created File'
  score: 10
Risk Node
  name: 'Browser Created File'
  score: 5
Sorted list of lenses
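
Added example (not code from the slides or from the project they describe): one way to compute lens scores and the sorted list of lenses. The slides only say overlapping risks give "a % bonus", so the 10% rate, the asset name bob-win10 and the attachment of risks to nodes are assumptions made for illustration.

```python
# Added example: lens scoring as described on the slides. The bonus rate is an
# assumption; the slides only say overlapping risks on a node give "a % bonus".
from collections import defaultdict

OVERLAP_BONUS = 0.10  # assumed: +10% per additional risk on the same node

# Constructed sample: (lens/asset, node, risk name, risk score).
# Risk names and scores are the ones on the slides; the asset "bob-win10" and
# the node-to-risk attachment are made up for illustration.
RISK_HITS = [
    ("bob-win10", "word.exe", "word with child process", 100),
    ("bob-win10", "word.exe", "word network", 80),
    ("bob-win10", "wmiexec.exe", "wmiexec grandparent", 75),
    ("bob-win10", "payload.exe", "file created and then executed", 50),
    ("bob-win10", "payload.exe", "unique parent process pair", 20),
    ("mallory-win7", "word.exe", "word with child process", 100),
    ("mallory-win7", "word.exe", "Commonly Targeted App Read Browser Created File", 10),
    ("mallory-win7", "mal.doc", "Browser Created File", 5),
    ("mallory-win7", "mal.doc", "Browser Created File", 5),  # duplicate hit
]


def lens_scores(hits, bonus=OVERLAP_BONUS):
    """Return {lens: score}: per node, sum distinct risks, then apply the overlap bonus."""
    scoped = defaultdict(lambda: defaultdict(dict))  # lens -> node -> {risk: score}
    for lens, node, risk, score in hits:
        # A risk is counted once per node even if the analyzer fired repeatedly.
        scoped[lens][node][risk] = max(score, scoped[lens][node].get(risk, 0))
    totals = {}
    for lens, nodes in scoped.items():
        total = 0.0
        for risks in nodes.values():
            overlap = len(risks) - 1  # risks beyond the first on this node
            total += sum(risks.values()) * (1 + bonus * overlap)
        totals[lens] = round(total, 2)
    return totals


def sorted_lenses(hits, bonus=OVERLAP_BONUS):
    """Lenses ordered highest score first, the triage order an analyst works through."""
    return sorted(lens_scores(hits, bonus).items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for lens, score in sorted_lenses(RISK_HITS):
        print(f"{lens:<14} {score}")
```

With the bonus set to 0 the score is the plain sum of the risk scores in the lens. Repeated firings of the same risk on one node are counted once so a noisy analyzer cannot inflate a lens.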