Action tables

Advanced EDR shows 15 days of telemetry associated with each detection made by advanced protection. This telemetry shows the actions taken by the programs involved in an attack.

To view the action table for a threat, access its details page (see Details of blocked programs) and select the Activity tab.

The action table only shows the most relevant events triggered by a threat. A process triggers a very large number of actions and events, and listing all of them would bury the information needed for a forensic analysis.

The table content is initially sorted by date, making it easier to follow the progress of the threat.

The fields included in action tables are:

Field: Date
Comment: Date and time of the action.
Values: Date

Field: Times
Comment: Number of times the action was executed. A single action executed several times consecutively appears only once in the list; this field carries the repetition count.
Values: Numeric value

Field: Action
Comment: Action logged on the system and the command-line parameters associated with it.
Values:

  • Downloaded from

  • Communicates with

  • Accesses data

  • Accesses

  • Is accessed by

  • LSASS.EXE opens

  • LSASS.EXE is opened by

  • Is run by

  • Runs

  • Is created by

  • Creates

  • Is modified by

  • Modifies

  • Is loaded by

  • Loads

  • Is deleted by

  • Deletes

  • Is renamed by

  • Renames

  • Is killed by

  • Kills process

  • Process suspended

  • Creates remote thread

  • Thread injected by

  • Is opened by

  • Opens

  • Creates key pointing to EXE file

  • Modifies key to point to EXE file

  • Tries to stop

  • Ended by

Field: Path/URL/Registry Key/IP:Port
Comment: Action entity. Its format depends on the action type:

  • Registry Key: for actions that modify the Windows registry.

  • IP:Port: for actions that communicate with a local or remote computer.

  • Path: for actions that access the computer hard disk. For the notation used, see Path format.

  • URL: for actions that access a URL.

Values: Path, URL, registry key or IP:Port

Field: File Hash/Registry Value/Protocol-Direction/Description
Comment: Complements the entity:

  • File Hash: for all actions that involve accessing a file. When the SHA-256 hash is also shown, it is separated from the MD5 hash by the “|” character (MD5 first).

    Example:

    d131dd02c5e6eec4 | 4d70210e28716ccaa7cd4ddb79

  • Registry Value: for all actions that involve accessing the Windows registry.

  • Protocol-Direction: for all actions that involve communicating with a local or remote computer. Possible values: TCP, UDP, Bidirectional, Unknown.

  • Description: for the remaining actions.

Values: File hash, registry value, protocol-direction or description

Field: Trusted
Comment: Whether the file is digitally signed. A valid signature attests to the publisher of the file, not to the file being harmless; signed binaries can still take part in an attack.
Values: Binary value (shown as YES/NO)

Fields shown in the action table for a threat

Path format

Paths use a leading numeric code to indicate the type of storage drive, and a folder name enclosed in “|” characters to stand for a Windows system folder:

Code  Storage drive type
0     Unknown drive.
1     Invalid path. For example, a drive that does not have a mounted volume.
2     Removable drive. For example, a floppy disk, a USB memory device, or a card reader.
3     Internal drive. For example, a hard disk or an SSD disk.
4     Remote drive. For example, a network drive.
5     CD-ROM/DVD drive.
6     RAM disk drive.

Codes used to indicate the drive type

This is an example of a path:

3|TEMP|\app\a_470.exe

  • 3: Internal drive. The file is located on the computer hard disk.

  • |TEMP|: The file is located in the \windows\temp\ system folder of the computer.

  • \app\: Name of the folder where the file is located.

  • a_470.exe: File name.
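The following decoder, added here as an example and not part of Advanced EDR or its documentation, splits a path in this notation into its drive code, system-folder token and relative path, using the codes from the table above. Only the |TEMP| mapping (\windows\temp) is documented on this page; the |WINDOWS| and |PROGRAM_FILES| mappings are assumptions made for the example, and unknown tokens are kept verbatim rather than guessed. The drive code is optional because the sample rows later on this page (for example WINDOWS|\explorer.exe) omit it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Drive-type codes, as listed in the table above.
DRIVE_TYPES = {
    0: "Unknown drive",
    1: "Invalid path",
    2: "Removable drive",
    3: "Internal drive",
    4: "Remote drive",
    5: "CD-ROM/DVD drive",
    6: "RAM disk drive",
}

# System-folder tokens. The page documents only |TEMP| (\windows\temp);
# the other two mappings are assumptions made for this example.
SYSTEM_FOLDERS = {
    "TEMP": r"\windows\temp",
    "WINDOWS": r"\windows",              # assumed
    "PROGRAM_FILES": r"\program files",  # assumed
}

# Optional leading drive code, optional |FOLDER| token, then the rest of the path.
_PATH_RE = re.compile(r"^(?:(?P<drive>\d)\|)?(?:(?P<folder>[A-Z_]+)\|)?(?P<rest>.*)$")


@dataclass
class EdrPath:
    drive_code: Optional[int]
    drive_type: Optional[str]
    system_folder: Optional[str]
    relative_path: str

    def resolved(self) -> str:
        """Expand the system-folder token into a conventional Windows path.
        Unknown tokens are kept verbatim so nothing is silently dropped."""
        if self.system_folder is None:
            return self.relative_path
        base = SYSTEM_FOLDERS.get(self.system_folder, f"|{self.system_folder}|")
        return base + self.relative_path


def parse_edr_path(raw: str) -> EdrPath:
    """Decode '<code>|<FOLDER>|<relative path>'; both prefixes are optional."""
    m = _PATH_RE.match(raw)
    drive = int(m.group("drive")) if m.group("drive") else None
    drive_type = None
    if drive is not None:
        # Flag codes outside the documented 0-6 range instead of mislabelling them.
        drive_type = DRIVE_TYPES.get(drive, f"Unrecognized drive code {drive}")
    return EdrPath(drive, drive_type, m.group("folder"), m.group("rest"))


if __name__ == "__main__":
    for sample in (r"3|TEMP|\app\a_470.exe", r"WINDOWS|\explorer.exe", r"2|\autorun.inf"):
        p = parse_edr_path(sample)
        print(f"{sample!r:32} drive={p.drive_type} folder={p.system_folder} -> {p.resolved()}")
```

The drive code matters during triage: code 2 or 4 on a "Creates" or "Is run by" row points at removable media or a network share as the delivery path, which the resolved path alone would not reveal.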

Subject and predicate in actions

To read the action list correctly, it helps to treat each row as a sentence in natural language:

  • The subject of every action is the file classified as a threat. It is not repeated on each line of the action table because it is the same for the whole table.

  • Every action has a verb that relates the subject (the classified threat) to an object, called the entity. The entity appears in the Path/URL/Registry Key/IP:Port field of the table.

  • The entity is complemented by a second field that adds information to the action: File Hash/Registry Value/Protocol-Direction/Description.

The table Action list of a sample threat illustrates two actions carried out by the same hypothetical malware:

Date: 3/30/2015 4:38:40 PM
Times: 1
Action: Communicates with
Path/URL/Registry Key/IP:Port: 54.69.32.99/80
File Hash/Registry Value/Protocol-Direction/Description: TCP-Bidirectional
Trusted: NO

Date: 3/30/2015 4:38:45 PM
Times: 1
Action: Loads
Path/URL/Registry Key/IP:Port: PROGRAM_FILES|\MOVIES TOOLBAR\SAFETYNUT\SAFETYCRT.DLL
File Hash/Registry Value/Protocol-Direction/Description: 9994BF035813FE8EB6BC98ECCBD5B0E1
Trusted: NO

Action list of a sample threat

The first action indicates that the malware (subject) connected to (Communicates with action) the IP address 54.69.32.99 on port 80 (entity) over TCP, bidirectionally (Protocol-Direction).

The second action indicates that the malware (subject) loaded (Loads action) the library PROGRAM_FILES|\MOVIES TOOLBAR\SAFETYNUT\SAFETYCRT.DLL (entity) with MD5 hash 9994BF035813FE8EB6BC98ECCBD5B0E1. The library is not digitally signed (Trusted: NO).

As in natural language, Advanced EDR uses two types of sentence:

  • Active: predicative actions (subject and predicate) joined by an active verb. The verb connects the subject, which is always the process classified as a threat, to a direct object, the entity, which varies with the type of action. Examples of active actions are:

    • Communicates with

    • Loads

    • Creates

  • Passive: actions in which the process classified as a threat is the passive subject (it receives the action rather than performing it) and the verb is passive (to be + participle). The passive verb connects the passive subject to the entity, which is the party that performs the action. Examples of passive actions are:

    • Is created by

    • Downloaded from

The table Example of a passive action shows a passive action for a hypothetical malware:

Date: 3/30/2015 4:51:46 PM
Times: 1
Action: Is run by
Path/URL/Registry Key/IP:Port: WINDOWS|\explorer.exe
File Hash/Registry Value/Protocol-Direction/Description: 7522F548A84ABAD8FA516DE5AB3931EF
Trusted: NO

Example of a passive action

In this action, the malware (passive subject) is run by (passive action) the WINDOWS|\explorer.exe program (entity) with MD5 hash 7522F548A84ABAD8FA516DE5AB3931EF.

Active actions enable you to inspect, in detail, the steps taken by a threat. By contrast, passive actions usually reflect the infection vector used by the malware (which process ran it, which process copied it to the user computer, etc.).
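The script below is an added example, not code from Advanced EDR or its documentation. It takes the three rows from the sample tables on this page (embedded as constructed input), classifies each action as active or passive using the grammatical rule just described, interprets the complement field (the MD5 | SHA-256 hash form, Protocol-Direction, or a registry value, as defined in the field table earlier on this page) according to the kind of entity it accompanies, and renders each row as the subject-verb-entity sentence the page describes. The entity-kind heuristics (registry hive prefixes, URL scheme, IP:Port shape) and the decision to treat every action that does not end in "by" as active are assumptions made for the example; the page does not spell them out.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed input: the three rows from the page's sample tables, in the column
# order of the action table (Date, Times, Action, entity, complement, Trusted).
SAMPLE_ROWS = [
    ("3/30/2015 4:38:40 PM", 1, "Communicates with", "54.69.32.99/80",
     "TCP-Bidirectional", "NO"),
    ("3/30/2015 4:38:45 PM", 1, "Loads",
     r"PROGRAM_FILES|\MOVIES TOOLBAR\SAFETYNUT\SAFETYCRT.DLL",
     "9994BF035813FE8EB6BC98ECCBD5B0E1", "NO"),
    ("3/30/2015 4:51:46 PM", 1, "Is run by", r"WINDOWS|\explorer.exe",
     "7522F548A84ABAD8FA516DE5AB3931EF", "NO"),
]

# The sample table shows "54.69.32.99/80" while the field is named IP:Port; accept both.
_IPPORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})[:/](\d{1,5})$")
_PROTO_RE = re.compile(r"^(TCP|UDP|Bidirectional|Unknown)(?:-(\w+))?$")
_HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
_HASH_LEN = {32: "md5", 64: "sha256"}


@dataclass
class ActionRow:
    date: str
    times: int
    action: str
    entity: str
    complement: str
    trusted: bool

    @property
    def voice(self) -> str:
        # Passive actions on the page read "to be + participle" and name the actor
        # after "by"; "Downloaded from" is the other passive form. Everything else
        # is treated as active (an assumption for wording such as "Process suspended").
        passive = self.action.endswith(" by") or self.action == "Downloaded from"
        return "passive" if passive else "active"


def entity_kind(entity: str) -> str:
    """Classify the Path/URL/Registry Key/IP:Port field by its shape (assumed heuristics)."""
    if _IPPORT_RE.match(entity):
        return "ip_port"
    if entity.upper().startswith(("HKEY_", "HKLM", "HKCU", "HKCR", "HKU")):
        return "registry_key"
    if re.match(r"^[a-z][a-z0-9+.-]*://", entity, re.I):
        return "url"
    return "path"


def parse_complement(kind: str, value: str) -> Dict[str, object]:
    """Interpret File Hash/Registry Value/Protocol-Direction/Description for an entity kind."""
    if kind == "ip_port":
        m = _PROTO_RE.match(value)
        if m:
            return {"protocol": m.group(1), "direction": m.group(2)}
    elif kind == "registry_key":
        return {"registry_value": value}
    elif kind == "path":
        # "MD5 | SHA-256" when both are present; label by hex length so an
        # abbreviated value is flagged instead of being mislabelled.
        parts = [p.strip() for p in value.split("|") if p.strip()]
        if parts and all(_HEX_RE.match(p) for p in parts):
            return {"hashes": [(_HASH_LEN.get(len(p), "truncated"), p.lower()) for p in parts]}
    return {"description": value}


def describe(row: ActionRow, subject: str = "The threat") -> str:
    """Render a row as the sentence the page describes: subject, verb, entity, complement."""
    kind = entity_kind(row.entity)
    comp = parse_complement(kind, row.complement)
    entity = row.entity
    if kind == "ip_port":
        ip, port = _IPPORT_RE.match(entity).groups()
        entity = f"{ip}:{port}"
    # Lower-case the verb unless it starts with a literal program name (LSASS.EXE).
    first, _, rest = row.action.partition(" ")
    verb = row.action if first.isupper() else first.lower() + (" " + rest if rest else "")
    detail = ""
    if "protocol" in comp:
        detail = f" over {comp['protocol']}" + (f" ({comp['direction']})" if comp["direction"] else "")
    elif "hashes" in comp:
        detail = " (" + ", ".join(f"{label} {h}" for label, h in comp["hashes"]) + ")"
    elif "registry_value" in comp:
        detail = f" = {comp['registry_value']}"
    times = f", {row.times} times" if row.times > 1 else ""
    trusted = "yes" if row.trusted else "no"
    return f"[{row.voice}] {subject} {verb} {entity}{detail}{times}; trusted={trusted}."


def load_rows(raw=SAMPLE_ROWS) -> List[ActionRow]:
    return [ActionRow(d, int(t), a, e, c, str(tr).strip().upper() == "YES")
            for d, t, a, e, c, tr in raw]


def describe_all(raw=SAMPLE_ROWS) -> List[str]:
    return [describe(r) for r in load_rows(raw)]


if __name__ == "__main__":
    print("\n".join(describe_all()))
```

Sorting the rendered sentences by voice is a quick way to apply the distinction made above: the passive rows ("Is run by", "Is created by", "Downloaded from") describe how the threat arrived, the active rows describe what it did afterwards.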