Leveraging Custom Actions in NetWitness Investigator

Malware Analysis, Network Forensics, Network Visibility, pentesting, Situational Awareness

One of the lesser-known features recently introduced in NetWitness Investigator is Custom Actions. Have you ever been analyzing a pcap in Investigator and thought, “I wish there was an easy way to push this information into another system…”? Custom Actions is a flexible extension system that lets you do just that. Here are a few examples of what can be accomplished:

  • Automatically search your favorite search engine for a meta element.
  • Push meta into other systems for additional analysis or automation action.
  • Point and click searching of your favorite threat intelligence source.
Using a simple masking system and right-click actions, we allow you to quickly expand your investigation. Below, three common tasks from an incident response scenario serve as a working example.

Scenario: You are a senior incident responder at your organization, and one of your company’s help desk analysts reports strange behavior from an executive’s workstation. Luckily, this analyst is on his game and has provided you with a network capture from the workstation, which you import into Investigator for analysis. What tasks might you want to perform in this investigation?

Here are three possible tasks:
  1. Perform an nmap scan of the executive’s workstation to ascertain what services are listening on the network.
  2. Perform a Google search of observed filenames.
  3. Perform a threat intelligence search of the target domain using the URLvoid service.
To access custom actions, do the following:
  • Click on the Edit drop-down menu, and select Custom-Actions

Once you are here, you’ll see a GUI overview of the custom action system with a few examples. You may have a few in the list that were installed by default.

For Task 1, we’ll add a new NMAP Version Scan Custom Action. First, determine the desired command-line string for your nmap scan. In this case I’m going to use:

cmd.exe /K c:\PROGRA~1\nmap\nmap.exe -PN -sV --top-ports 1000 192.168.2.245


To prep this as a custom action, I simply swap out the IP address for the ${VALUE} mask, as follows:

cmd.exe /K c:\PROGRA~1\nmap\nmap.exe -PN -sV --top-ports 1000 ${VALUE}


In layman’s terms, this is going to open a command prompt window, launch nmap with a few options, and scan the IP address that I select in Investigator. Once it has been added to the custom actions list, it’s a point-and-click affair going forward.
  • Right click on the target IP and Select “NMAP Version Scan” from the list of Custom Actions.

  • Watch it go!

For Task 2, I want to build a custom action that does a Google search on a target keyword. In this example, the easiest way to start is to build a Google search query as follows:

http://www.google.com/search?q=dog

And just like above, replace the search term “dog” with the ${VALUE} mask, which will look like this:

http://www.google.com/search?q=${VALUE}

And again, add this to custom actions, and then it’s a right-click away inside Investigator.

For Task 3, we are going to use the same basic concept to search URLvoid.com for a domain’s presence on blacklists. Just like with Google, we’ll start with a search on URLvoid:

http://www.urlvoid.com/scan/cnn.com

Same steps as before, just replace the domain with the ${VALUE} mask:

http://www.urlvoid.com/scan/${VALUE}
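In all three tasks the mask is a plain text substitution: whatever meta value you right-click on is dropped into the template as-is. That is exactly why a wrapper script is worth having once a custom action feeds a command line or a script of your own, as the closing list of ideas suggests. The following Python module is an added example, not code from the post or from NetWitness. It expands the same three ${VALUE} templates and adds the checks a practitioner would want before a value reaches cmd.exe or a URL: percent-encoding for the web actions, so a filename containing a space, “&” or “#” cannot alter the query, and a strict IP/hostname check for the values handed to a command. The function names, the allowlist patterns and the sample meta values are assumptions made for the example.

```python
"""Expand and sanity-check NetWitness-style ${VALUE} custom-action templates.

Added example, not part of the original post or of NetWitness Investigator.
The ${VALUE} mask and the three templates come from the post; the function
names, validation rules and sample values below are constructed for the example.
"""
import ipaddress
import re
from urllib.parse import quote

MASK = "${VALUE}"

# The three templates from the post (nmap option spelled with two dashes).
NMAP_TEMPLATE = r"cmd.exe /K c:\PROGRA~1\nmap\nmap.exe -PN -sV --top-ports 1000 ${VALUE}"
GOOGLE_TEMPLATE = "http://www.google.com/search?q=${VALUE}"
URLVOID_TEMPLATE = "http://www.urlvoid.com/scan/${VALUE}"

# RFC 1123-style hostname: dotted labels of letters/digits/hyphens, alphabetic TLD.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


def expand(template: str, value: str) -> str:
    """Plain substitution of the ${VALUE} mask, as the post describes it."""
    return template.replace(MASK, value)


def expand_url_action(template: str, value: str) -> str:
    """Percent-encode the meta value before it goes into a URL template.

    safe="" also encodes '/', '&', '?' and '#', so the value can only ever be
    the search term or path segment the template intended.
    """
    return expand(template, quote(value, safe=""))


def expand_ip_action(template: str, value: str) -> str:
    """Substitute only a syntactically valid IP address into a command template.

    The expanded string is handed to cmd.exe, so anything that is not an
    address (extra tokens, shell metacharacters) is refused outright.
    """
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        raise ValueError(f"refusing command action on non-IP meta value: {value!r}")
    return expand(template, str(ip))


def expand_domain_action(template: str, value: str) -> str:
    """Normalise a hostname meta value and refuse anything that is not one."""
    host = value.strip().lower().rstrip(".")
    if not _HOSTNAME_RE.match(host):
        raise ValueError(f"refusing domain action on non-hostname meta value: {value!r}")
    return expand(template, host)


if __name__ == "__main__":
    # Constructed meta values of the kind Investigator would hand to an action.
    print(expand_ip_action(NMAP_TEMPLATE, "192.168.2.245"))
    print(expand_url_action(GOOGLE_TEMPLATE, "invoice report.exe"))
    print(expand_domain_action(URLVOID_TEMPLATE, "CNN.com."))
    for bad in ("192.168.2.245 & calc.exe", "cnn.com/../admin"):
        try:
            expand_ip_action(NMAP_TEMPLATE, bad)
        except ValueError as err:
            print("blocked:", err)
```

Investigator performs the raw substitution itself; the point of routing a command-style action through a script like this (for example `cmd.exe /K python action.py ${VALUE}`, an assumed invocation) is that the script, not the template, decides whether the value is fit to run. The URL actions need no such gate, but the encoding still matters: without it, a filename meta value containing “&” would silently add parameters to the Google query.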

Once these have been added, we can then use them to quickly investigate our scenario:

Using the nmap scan custom action, we find that our executive’s workstation at 192.168.2.246 is listening only on the ports it should be per our company’s security policy. Our Google custom action reveals that the filenames involved are related to a known ZeuS trojan infection, and our URLvoid results tell us that the command and control server now appears to be down. This PC is compromised, so we declare an incident and proceed with our incident response plans.

As you can see, custom actions are very easy to implement. These are simple examples, but with some effort, a few tools and your favorite scripting language, the sky is the limit. You could do things like:

  • As a Penetration Tester, launch a metasploit attack against a target IP with a right click.
  • As a Firewall Administrator, add a firewall rule with a custom action feeding a script.
  • As an Incident Responder, quickly add a domain name to a threat database.

Do you have a good idea or example for a custom action?  Post about it in the NetWitness Community, we’d love to hear about it!

Happy Hunting!