Our SaaS Managed Threat Hunting service makes it easy for organizations to rapidly engage our services with minimal effort and no on-site equipment. Simply deploy our lightweight “run and done” client on your endpoints and leverage our cloud system for automated reporting and advanced analytics.
Our hunt service combines automated data collection and alerting with proactive analytics by a person sitting behind the keyboard and analyzing your data. Our Amazon cloud infrastructure makes it easy to integrate your data with any 3rd party threat intelligence service you subscribe to.
What do we collect?
Our lightweight client deconstructs process information for all process on all systems scanned. Process deconstruction produces dozens of individual data points per process that are encrypted and uploaded to our cloud analytics system.
- File System Artifacts
- Windows PE Attributes
- Operating System Artifacts
- Standard System Information
- Volatile Data
- DNS Cache
OUR PROCESS
Step 1
Deploy the temporary lightweight collector to endpoints.
Step 2
Collect active processes, networking, system, and other information.
Step 3
Send the encrypted data to our cloud-based analytics system
Step 4
Automated and manual analysis with our cloud-based analytics interface.
Built-in statistical analysis reports enable an analyst to rapidly identify new and re-configured services, run keys, and other persistence areas to rapidly identify malicious code, whether it’s active or not.
Our analytics engine allows the analyst to conduct complex queries to identify threat actor TTPs and tradecraft. The only limit to the queries you can run is your imagination. A few simple queries are listed below, but there is no limit to the number of conditions or fields used in these queries. The more skilled your team is, the more you will be able to leverage our analytics platform.
- Show me all processes in the enterprise running binaries compiled on a Russian language system configured for Eastern, Central, Mountain, or Pacific time zones.
- Show me all processes in the enterprise that have compile dates that are more than 500 days later than their Windows create dates.
- Show me all processes in the enterprise that were launched from a hidden or renamed cmd.exe shell.
- Show me all psexec.exe processes in the enterprise that have been renamed.
- Show me all signed processes in the enterprise that don’t have a valid signature, are in SYN_SENT status, and communicating on a port between 20000 and 40000.
- Show me all self-signed processes in the enterprise with explorer.exe as the parent process, any .EXE running out of a user profile, and “-h -a -r !@#$1234” on the command line.
- Show me all processes in the enterprise with “!@#$1234” or “1qaz2wsx” in the command line.
- You get the picture…