5. Automated EDR & Centralized Threat Hunting

Goal

Demonstration of Harmony Endpoint Centralized EDR and Threat Hunting capabilities.

Discussion points

  • Harmony Endpoint automated EDR capabilities, with host-based forensics that gathers and analyzes a large amount of endpoint data.

  • Harmony Endpoint centralized Threat Hunting receives forensics information from all agents to enable real-time hunting of IoCs and IoAs.

  • A multi-layered endpoint protection platform with automated EDR and centralized Threat Hunting to visualize and hunt organization-wide attack attempts and anomalies.

Watch the Demonstration Video

For brevity, this video shows only the most important steps.

Instructions

Important - This part must be performed after the "Backdoor attack leading to a Ransomware attack" step, or after a customized attack you crafted, so that Threat Hunting data is available.

The procedure below describes all steps to demonstrate the scenario.

Step

Instructions

1

Navigate to the Threat Hunting section of the Harmony Endpoint management platform on the chkp-demodays.xyz account.

2

There are two main ways to start hunting:

  1. Start from a known IoC from a previous forensics report, such as the part 3 Ransomware attack trigger or entry point, or from a specific machine. IoCs can also be found in publications such as research.checkpoint.com.

  2. Start with a predefined query.

    The Harmony Endpoint Threat Hunting service includes useful predefined queries that can be used to view contextual, real-time, centralized forensics details and to search for possible attack attempts that are yet to be discovered. They also help to understand user behavior and anomalies in the organization.

Let’s start hunting

3

First, let's look at the forensics report and use the process that started the attack in stage 2: Pithon_setup.exe.

4

In the search line press the + sign, choose "process name is" and type pithon_setup.exe.

5

The process exists only on the protected Windows server machine, and it is not signed.

6

Let's add the BOAZ-GAR-WINDOW machine to the query, search for unsigned processes, and remove pithon_setup.exe from the query to find potential backdoor processes we have yet to discover.

  1. Click on "not signed" in the "signed by" field and choose Include.

  2. Click on BOAZ-GAR-WINDOW in the machine field and choose Include.

  3. Finally, remove the pithon_setup.exe condition by clicking the 'X' next to it in the query line.

7

The timeline bar shows the number of events happening at a given time.

Let's take a closer look.

8

Click on the latest series of events to zoom in.

9

Let's zoom in a little closer and exclude the trusted processes by clicking on the red hexagon.

10

Great hunting: you have found the backdoor process scvhost.exe that the attacker used to infiltrate the server and launch the Ransomware attack.

11

Include scvhost.exe in the query and remove all other parameters to pivot from here and hunt for any other backdoors that may exist in the organization.

Notice that it is spelled scvhost.exe, a lookalike of the legitimate Windows svchost.exe. The real svchost.exe is signed by Microsoft and runs from %SystemRoot%\System32, so an unsigned process with a near-miss name like this is a strong masquerading indicator.

12

In a real-life scenario you would set the date range back to a past date so that all possible backdoor processes are included, in order to review the history and check whether the attacker planted further backdoors in the organization that are yet to be activated.

13

Now that we have all the backdoor processes in one place, you can quarantine them by clicking Action and then Quarantine.

The quarantine is performed via a Push Operation:

14

In real-life scenarios you will be able to quarantine as an admin.

Important - In this demo scenario you can only show that quarantine is possible; you will not have permission to perform it, since the demo user is read-only.

15

If you demonstrated with your own portal or an admin user, you can go back to the protected Windows server machine, open Task Manager and verify that the scvhost.exe process is no longer running.
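The query logic of steps 4 to 13 (include a process name, restrict to one machine and to unsigned processes, spot a system-binary lookalike, pivot on it across the estate, and collect the quarantine list) can be reproduced offline over exported process telemetry. The following is an added example written for this page, not Harmony Endpoint code: the event fields, the host names other than BOAZ-GAR-WINDOW, the timestamps and the allow-list of Windows binary names are all constructed assumptions. It generalizes the scvhost.exe finding slightly by flagging any name within one edit (including an adjacent character swap) of a well-known system binary, which also catches padded names such as a constructed lsasss.exe.

```python
"""Hunting pivot over endpoint process telemetry (added example, not product code)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    machine: str
    process: str              # image name as reported by the agent (assumed field)
    signed_by: Optional[str]  # None means the image is unsigned (assumed field)
    parent: str
    ts: str                   # ISO-8601 UTC (assumed field)


# Constructed sample telemetry. BOAZ-GAR-WINDOW is the demo machine from the
# procedure; the other hosts, parents and times are made up for this example.
EVENTS = [
    ProcEvent("BOAZ-GAR-WINDOW", "svchost.exe", "Microsoft Windows", "services.exe", "2024-05-02T09:00:00Z"),
    ProcEvent("BOAZ-GAR-WINDOW", "pithon_setup.exe", None, "explorer.exe", "2024-05-02T09:14:10Z"),
    ProcEvent("BOAZ-GAR-WINDOW", "scvhost.exe", None, "pithon_setup.exe", "2024-05-02T09:14:12Z"),
    ProcEvent("FIN-WS-07", "chrome.exe", "Google LLC", "explorer.exe", "2024-05-01T16:02:00Z"),
    ProcEvent("FIN-WS-07", "scvhost.exe", None, "outlook.exe", "2024-04-28T11:37:45Z"),
    ProcEvent("HR-WS-12", "lsasss.exe", None, "cmd.exe", "2024-04-30T08:20:05Z"),
]

# Windows system binaries that attackers commonly imitate (assumed allow-list).
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "explorer.exe",
}


def hunt(events, process=None, machine=None, signed=None, exclude_process=None):
    """Apply the include/exclude filters of steps 4-6. Process names compare case-insensitively."""
    out = []
    for e in events:
        if process and e.process.lower() != process.lower():
            continue
        if exclude_process and e.process.lower() == exclude_process.lower():
            continue
        if machine and e.machine != machine:
            continue
        if signed is not None and (e.signed_by is not None) != signed:
            continue
        out.append(e)
    return out


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transposition,
    so scvhost.exe vs svchost.exe scores 1 (one swap) rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalikes(events, known=KNOWN_SYSTEM_BINARIES, max_dist=1):
    """Map each observed name that is within max_dist edits of a system binary
    name (but is not that name) to the binary it imitates."""
    found = {}
    for e in events:
        name = e.process.lower()
        if name in known:
            continue
        for legit in known:
            if osa_distance(name, legit) <= max_dist:
                found[name] = legit
    return found


def pivot(events, process):
    """Step 11: every machine on which the named process was seen."""
    return sorted({e.machine for e in hunt(events, process=process)})


def quarantine_candidates(events):
    """Step 13 input: unsigned processes with system-lookalike names, grouped by machine."""
    bad = lookalikes(events)
    per_host = defaultdict(list)
    for e in hunt(events, signed=False):
        if e.process.lower() in bad:
            per_host[e.machine].append(e.process)
    return dict(per_host)


if __name__ == "__main__":
    print("start process seen on:", pivot(EVENTS, "pithon_setup.exe"))
    rest = hunt(EVENTS, machine="BOAZ-GAR-WINDOW", signed=False, exclude_process="pithon_setup.exe")
    print("other unsigned processes on demo host:", [e.process for e in rest])
    print("lookalike names:", lookalikes(EVENTS))
    print("scvhost.exe present on:", pivot(EVENTS, "scvhost.exe"))
    print("quarantine candidates:", quarantine_candidates(EVENTS))
```

Running it shows the same pivot as the console walkthrough: scvhost.exe is the only unsigned process left on BOAZ-GAR-WINDOW once pithon_setup.exe is excluded, and pivoting on that name surfaces a second, still-dormant copy on another host, which is exactly the case step 12 warns about. The distance threshold of 1 keeps false positives low; widen it only with a larger allow-list and a signature check, since legitimate third-party tools can also sit two edits from a system name.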