8. Investigate types of sequences that exist in OpenEDR

Status: Completed
Tags: OpenEDR concepts
There are two types of sequences that exist in OpenEDR:
  • Lineage sequence
  • Temporal sequence

Lineage sequence (Left to right)

What is Process Lineage Sequence?
Lineage → Direct descendant of a process, e.g. if A > B, this means that A is the parent of B, i.e. process A created process B.
[Screenshot: msedge.exe lineage sequence in the ODB console]
The screenshot above shows an example of the msedge.exe lineage sequence in the ODB console. From this, we are able to derive how msedge.exe was created. When a user interacts with a foreground app, the new process that gets created (whether from that interaction or from no interaction at all) is always a child of that foreground app process. To get a better picture of the lineage sequence, we can use the graph visualization tool in OrientDB.
[Graph: ParentOf links for the msedge.exe lineage in the OrientDB graph visualization]
The ParentOf link tells us which process is the parent and which is the child, e.g. userinit.exe is the parent of explorer.exe. The graph clearly depicts the lineage sequence for the creation of msedge.exe. Lineage sequence helps analysts determine whether a certain process is suspicious or malicious. For example, all Word sequences that were profiled ended with System > ... > explorer.exe > winword.exe. However, when a user opened a Word document that they had downloaded, the sequence that was logged was System > ... > explorer.exe > winword.exe > powershell.exe. The additional child process created by winword.exe is suspicious and could indicate that the downloaded document was malicious.
Another use of lineage sequence is analyzing foreground-to-background transitions. Using the earlier example of msedge.exe, the chain looks like this:
smss.exe (BG) > smss.exe (BG) > winlogon.exe (BG) > userinit.exe (BG) > explorer.exe (FG) > msedge.exe (FG) > msedge.exe (BG)
[Screenshot: foreground (FG) and background (BG) states along the msedge.exe lineage chain]
From the sequence, we see that msedge.exe only creates a single background msedge.exe. Suppose that we visit a website and msedge.exe creates more than just that one BG process, i.e. msedge.exe (FG) > msedge.exe (BG) > A (BG) > B (BG). This could mean that the website contained some sort of malware that has infected the machine, causing msedge.exe to create malicious processes that run in the background. This is why capturing the process lineage sequence can prove essential when detecting possibly malicious processes.

Temporal sequence (Top to bottom)

What is Temporal Sequence?
Temporal sequence → Time-ordered sequence
[Screenshot: lineage sequence combined with temporal sequence in the ODB console]
An example of lineage sequence combined with temporal sequence is shown in the screenshot above. The ODB console not only displays the entire process lineage, it also orders the lineage by time, e.g. RuntimeBroker.exe was created before backgroundTaskHost.exe. Temporal sequence can be used to pinpoint the time when a malicious process was executed/created, and from there look at the subsequent lineages to find other possibly malicious processes.
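The following is an added example, not code from OpenEDR or the ODB console, that derives both sequence types from a set of process-creation events: the lineage sequence (left to right, with the FG/BG state used in the msedge.exe chain above) and the temporal sequence (top to bottom) of everything created under a given process. It also shows the profiling check described in the Word example: children that a profiled baseline never recorded for a parent are flagged, and the temporal view then lists what appeared under the flagged process. The events, the field names and the BASELINE dictionary are all constructed for this example; the real ODB schema is not assumed beyond the ParentOf relation the page describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed; field names are this example's, not ODB's)."""
    pid: int
    ppid: int
    name: str
    ts: int      # creation time as a monotonic integer (constructed)
    fg: bool     # True = foreground process, False = background


# Constructed sample events modelled on the chains described on the page.
EVENTS: List[ProcEvent] = [
    ProcEvent(1, 0, "smss.exe", 1, False),
    ProcEvent(2, 1, "smss.exe", 2, False),
    ProcEvent(3, 2, "winlogon.exe", 3, False),
    ProcEvent(4, 3, "userinit.exe", 4, False),
    ProcEvent(5, 4, "explorer.exe", 5, True),
    ProcEvent(6, 5, "msedge.exe", 6, True),       # foreground browser window
    ProcEvent(7, 6, "msedge.exe", 7, False),      # its expected background helper
    ProcEvent(8, 5, "winword.exe", 8, True),      # Word opened from explorer.exe
    ProcEvent(9, 8, "powershell.exe", 9, False),  # not seen in any profiled Word chain
    ProcEvent(10, 9, "cmd.exe", 10, False),       # created after the flagged process
]

# Profiled baseline (assumed): which child names each parent was seen to create.
BASELINE: Dict[str, Set[str]] = {
    "winword.exe": set(),          # profiled Word chains ended at winword.exe
    "msedge.exe": {"msedge.exe"},  # msedge.exe only creates a background msedge.exe
}


class ProcessTree:
    def __init__(self, events: List[ProcEvent]) -> None:
        self.by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
        self.children: Dict[int, List[ProcEvent]] = {}
        for e in events:
            self.children.setdefault(e.ppid, []).append(e)

    def lineage(self, pid: int, with_state: bool = False) -> List[str]:
        """Lineage sequence (left to right): root ancestor first, `pid` last."""
        chain: List[str] = []
        cur = self.by_pid.get(pid)
        while cur is not None:
            state = " (FG)" if cur.fg else " (BG)"
            chain.append(cur.name + (state if with_state else ""))
            cur = self.by_pid.get(cur.ppid)
        return list(reversed(chain))

    def descendants_in_time_order(self, pid: int) -> List[ProcEvent]:
        """Temporal sequence (top to bottom) of everything created under `pid`."""
        found: List[ProcEvent] = []
        stack = list(self.children.get(pid, []))
        while stack:
            e = stack.pop()
            found.append(e)
            stack.extend(self.children.get(e.pid, []))
        return sorted(found, key=lambda e: e.ts)


def lineage_string(chain: List[str]) -> str:
    return " > ".join(chain)


def unexpected_children(tree: ProcessTree, baseline: Dict[str, Set[str]],
                        parent_name: str) -> List[Tuple[str, ProcEvent]]:
    """Children of every `parent_name` process whose name the baseline never recorded."""
    findings: List[Tuple[str, ProcEvent]] = []
    allowed = baseline.get(parent_name, set())
    for parent in tree.by_pid.values():
        if parent.name != parent_name:
            continue
        for child in tree.children.get(parent.pid, []):
            if child.name not in allowed:
                findings.append((lineage_string(tree.lineage(child.pid)), child))
    return findings


TREE = ProcessTree(EVENTS)

if __name__ == "__main__":
    # Lineage sequence with FG/BG states, as in the msedge.exe chain on the page.
    print(lineage_string(TREE.lineage(7, with_state=True)))
    for chain, child in unexpected_children(TREE, BASELINE, "winword.exe"):
        print("unexpected:", chain)
        # Temporal view: what else appeared under the flagged process, in time order.
        for e in TREE.descendants_in_time_order(child.pid):
            print(f"  t={e.ts} pid={e.pid} {e.name}")
```

Running the script prints the full msedge.exe chain with its FG/BG states, flags the powershell.exe child of winword.exe as unexpected against the baseline, and then lists cmd.exe as the process created under it afterwards, which is the "pinpoint the time, then look at the subsequent lineages" workflow described above.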