Team: Huntress EDR
Environment: Windows Agent, Incident Report
Summary: This explains what audit the directory means as a remediation step
In the remediation details section of an incident report, you may see "audit the directory X".
Often malware will create its own directories. Since the Huntress Agent only enumerates auto-starting applications, we need to make sure that the file is removed. We mention "auditing" these folder locations because other artifacts may be present (a password dump file for example). Something "suspicious" would be anything that is not there by default and is not "business-related". In most cases, the directory only contains a single malicious file and if that directory doesn't contain anything "user/business" related, it's safe to assume the malware created that directory.
Please sign in to leave a comment.