5. Automated EDR & Centralized Threat Hunting
Goal
Demonstration of Harmony Endpoint Centralized EDR and Threat Hunting capabilities.
Discussion points
- Harmony Endpoint automated EDR capabilities, with industry-leading host-based forensics and the largest amount of information gathered and analyzed.
- Harmony Endpoint centralized Threat Hunting receives forensics information from all agents to enable real-time hunting of IoCs and IoAs.
- Multi-layered endpoint protection platform with automated EDR and centralized Threat Hunting to visualize and hunt organization-wide attack attempts and anomalies.
Watch the Demonstration Video
For brevity, this video shows only the most important steps.
Instructions
Important - This part must be performed after the "Backdoor attack leading to a Ransomware attack" step, or after a customized attack you crafted, so that Threat Hunting data is available.
The procedure below describes all steps to demonstrate the scenario.
| Step | Instructions |
|---|---|
| 1 | Navigate to the Threat Hunting section of the Harmony Endpoint management platform on the chkp-demodays.xyz account. |
| 2 | There are 2 main ways to start hunting. Let's start hunting. |
| 3 | First, look at the forensics report and use the attack start process from stage 2: Pithon_setup.exe. |
| 4 | At the search line press the + sign, choose "process name is" and type pithon_setup.exe. |
| 5 | The process exists only on the Windows server protected machine and it is not signed. |
| 6 | Add the BOAZ-GAR-WINDOW machine to the query, search for unsigned processes and remove pithon_setup.exe to find potential backdoor processes we have yet to discover. |
| 7 | The timeline bar shows the number of events happening at a certain time. Let's take a closer look. |
| 8 | Click on the latest series of events to zoom in. |
| 9 | Zoom in a little closer and exclude the trusted processes by clicking on the red hexagon. |
| 10 | Great hunting: you have found the backdoor process scvhost.exe that the attacker used to infiltrate the server and execute a ransomware attack. |
| 11 | Include scvhost.exe in the query and remove all other parameters to pivot from here and hunt for all other possible backdoors in the organization, if any exist. Notice it is spelled scvhost.exe and not svchost.exe as it should be. |
| 12 | In a real-life scenario you would set the date to a past date to include all possible backdoor processes, in order to review the history and check whether the attacker planted more backdoors in the organization that are yet to be activated. |
| 13 | Now that we have all the backdoor processes in one place, you can quarantine them by clicking on Action and then Quarantine. The quarantine is performed via a Push Operations action: |
| 14 | In real-life scenarios, you will be able to quarantine as an admin. |
| 15 | If you demonstrated with your own portal or admin users, you can go back to the Windows server protected machine, open Task Manager and see that the scvhost.exe process is no longer running. |
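The hunt built in steps 4 to 11 (unsigned processes on both machines, the known start process excluded, then a pivot on the lookalike name) as an added Python example; it is not Check Point's code and does not use the Harmony Endpoint API, it only runs the same query logic over constructed process telemetry. The host name WIN-SERVER and the ProcEvent record are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """One process-start record as a central hunting console might hold it (assumed shape)."""
    host: str
    name: str
    signed: bool

# Constructed sample telemetry, not real forensics output. WIN-SERVER stands in for
# the "Windows server protected machine"; BOAZ-GAR-WINDOW is the second host from step 6.
EVENTS = [
    ProcEvent("WIN-SERVER", "pithon_setup.exe", False),  # stage-2 attack start process
    ProcEvent("WIN-SERVER", "scvhost.exe", False),       # unsigned lookalike backdoor
    ProcEvent("WIN-SERVER", "svchost.exe", True),        # legitimate, signed
    ProcEvent("BOAZ-GAR-WINDOW", "scvhost.exe", False),  # same backdoor on a second host
    ProcEvent("BOAZ-GAR-WINDOW", "explorer.exe", True),
    ProcEvent("BOAZ-GAR-WINDOW", "notepad.exe", True),
]

def hunt_unsigned(events, hosts, exclude):
    """Step 6: unsigned process names on the given hosts, minus names already known."""
    exclude = {e.lower() for e in exclude}
    return sorted({e.name for e in events
                   if e.host in hosts and not e.signed and e.name.lower() not in exclude})

def pivot_on_process(events, name):
    """Step 11: every host on which the named process was seen, regardless of signing."""
    return sorted({e.host for e in events if e.name.lower() == name.lower()})

def lookalike_of(name, trusted_names):
    """Step 11's observation made mechanical: return the trusted name that `name`
    imitates by swapping two adjacent characters (scvhost.exe vs svchost.exe), else None."""
    n = name.lower()
    for trusted in trusted_names:
        t = trusted.lower()
        if len(n) != len(t) or n == t:
            continue
        diff = [i for i in range(len(n)) if n[i] != t[i]]
        if (len(diff) == 2 and diff[1] == diff[0] + 1
                and n[diff[0]] == t[diff[1]] and n[diff[1]] == t[diff[0]]):
            return t
    return None

if __name__ == "__main__":
    hosts = {"WIN-SERVER", "BOAZ-GAR-WINDOW"}
    for candidate in hunt_unsigned(EVENTS, hosts, {"pithon_setup.exe"}):
        print(candidate, "seen on", pivot_on_process(EVENTS, candidate),
              "imitates", lookalike_of(candidate, ["svchost.exe"]))
```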