Surveys

Team: Huntress EDR 
Product: Surveys 
Environment: Windows, MacOS
Summary: How Huntress agent surveys work 

Huntress Agent Surveys are used to find malicious footholds that Antivirus products miss.

Data that Surveys collect

• file-path
• file meta-data (size, timestamp, hashes)
• the user account the autorun starts under
• how the autorun starts (registry value, task, service, etc.)
• auto-starting files it has not seen before

The Huntress Agent does not scan all directories, make changes, or block any processes.

A change in autoruns on a host will trigger the agent to send another survey to Huntress. After remediation of an Incident, it will take up to 30 minutes for a new survey to be sent back and processed. 

Once the Huntress Agent is installed on a host, the Huntress Agent will run surveys every 15 minutes. These surveys are done to determine whether there was a change in a startup location. The Huntress Agent only looks at applications that are configured to auto-start. The Agent will open the auto-start application in read-only mode in order to hash the file. The survey data is only sent to the cloud for analysis when a change is detected from the previous survey. Most agents only send a few surveys a day. The exception is when malware on a host is constantly changing or software updates occur. The survey is sent to us in the form of a JSON file and is sent over HTTPS to our AWS instance.

Here is a small snip of what a survey looks like: