How do I determine which host an investigation applies to?
We don't link investigations to a specific host because the investigation could apply to hundreds of hosts within Huntress, which makes displaying the information in a useful way difficult.
In addition to investigating suspicious/malicious items, we also use investigations to internally categorize legitimate applications such as security products and system administration tools. For commonly used software like antivirus applications and RMM agents, the investigation may apply to multiple Huntress partners' hosts, which makes linking it to individual hosts difficult.
When do investigations, we do them at one of two levels:
- Global Level - where we're looking at a foothold in general, but nothing about it being specific to any one host.
- mostly looking at what the application is, and how it's persisting to decide if it is suspicious. In a lot of cases, this is how we find malware like Dridex, that uses legitimate Windows executables, but persists them in non-standard ways or persists executables that don't normally persist.
- Host Level - we're looking at something specific to a host and how the foothold is interacting with the host.
- This allows us to find one-off, unique footholds, and cases where a legitimate autorun has been modified by an attacker to execute some malicious code while attempting to still look like the legitimate autorun. These can only be investigated at the host level because when you look at the application from a global perspective, it still appears like the standard autorun, but only when you dig into the details does it reveal that it's been modified to be malicious.
The way we decide to show you an investigation is that when the investigation is completed, we create a link to every account, organization, and host that contains that specific autorun when we complete the investigation. So for a global investigation, this means we're linking to hundreds of accounts and thousands of hosts. For a host investigation, this means we're linking to one account, one organization, and one host. So even though you can't see the linkage it was truly on one or more of your hosts when we performed the investigation.
You don't need to act on any of the investigations. If an investigation determines that something is malicious, the team will turn it into an incident that will be sent to your PSA, email, or whatever systems you have integrated with and will include the full results of our work including the remediations to clean up the malware.
It may also help to clarify that the investigations are there to show you what work the Huntress ThreatOps team is doing on your behalf and document the steps taken to review the foothold and the decision the team made.