Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: EDR
Huntress is not a preventive security solution. It was created to find malware that has slipped past preventive products and established a foothold on the host. The Huntress agent has four main components: EDR (Process Insights), Persistent Foothold Detection, Ransomware Canaries, and External Recon.
Malicious Files and/or Activity
Huntress detects malware in two ways: by matching process activity against the MITRE ATT&CK Framework, and by looking for the footholds malware adds so that it starts again when the system boots or a user logs in.
Our EDR, Process Insights, watches as new processes are created and looks for activity that matches known malicious techniques from the MITRE ATT&CK Framework. Because this does not rely on heuristics or file hashes, we can detect zero-days and malware hidden behind even the most extreme obfuscation techniques.
Our persistence agent analyzes persistence mechanisms such as services, scheduled tasks, registry run keys, and the other auto-start locations Windows provides that malware can use to establish a foothold. Huntress focuses on finding these malicious footholds, leaving complete system scans and network monitoring to preventive security solutions. The goal of this strategy is to find persistent malware that has slipped past those other solutions.
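The auto-start locations named above can be reviewed by hand with a short script. The following is an added example written for this page, not Huntress code: it enumerates Run/RunOnce registry keys, the Startup folders, enabled scheduled tasks and automatically started services, and flags any entry whose command points outside the Windows and Program Files directories so a reviewer can look at those first. The "outside system directories" flag is a review heuristic assumed here, not a verdict of maliciousness.

```powershell
# Added example (not Huntress code): read-only enumeration of common Windows
# auto-start locations. Run in an elevated PowerShell session.

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Location, [string]$Name, [string]$Command)
    $findings.Add([pscustomobject]@{ Location = $Location; Name = $Name; Command = $Command })
}

# 1. Registry Run / RunOnce keys (per-machine, per-user and the 32-bit view)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ... metadata
        Add-Finding -Location $key -Name $p.Name -Command ([string]$p.Value)
    }
}

# 2. Startup folders (all users and the current user)
$startupDirs = @(
    [Environment]::GetFolderPath('CommonStartup'),
    [Environment]::GetFolderPath('Startup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding -Location $dir -Name $_.Name -Command $_.FullName
    }
}

# 3. Scheduled tasks that are not disabled and run an executable
Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    foreach ($action in $_.Actions) {
        if ($action.Execute) {
            Add-Finding -Location "Task: $($_.TaskPath)" -Name $_.TaskName `
                        -Command ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
        }
    }
}

# 4. Services configured to start automatically
Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'" | ForEach-Object {
    Add-Finding -Location 'Service' -Name $_.Name -Command ([string]$_.PathName)
}

# Review heuristic (assumed here): mark commands whose binary lives outside
# the Windows or Program Files trees so they can be examined first.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($f in $findings) {
    $inTrusted = $false
    $cmd = if ($f.Command) { $f.Command.TrimStart('"') } else { '' }
    foreach ($root in $trustedRoots) {
        if ($cmd.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true; break }
    }
    $f | Add-Member -NotePropertyName OutsideSystemDirs -NotePropertyValue (-not $inTrusted)
}

$findings | Sort-Object OutsideSystemDirs -Descending | Format-Table -AutoSize -Wrap
```

Commands stored with environment variables (for example %SystemRoot%) or 8.3 short names will show up as flagged because the comparison is a plain string prefix match; expanding those before comparing is a reasonable refinement.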
Since Huntress looks for footholds and malicious processes, it does not scan every file on the system or monitor network traffic.
Ransomware
Huntress can detect early signs of ransomware through its Ransomware Canaries feature.
Ransomware typically carries out its activity and then deletes itself, often without creating a foothold. Sometimes ransomware will encrypt a desktop.ini file within a user's Startup folder or place a ransom notice that opens when the user logs in. Huntress will flag these "footholds."
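A canary works by placing small decoy files where ransomware is likely to reach them and checking whether they are later modified, renamed or removed. The following is an added example written for this page, not Huntress's own canary implementation: one function writes decoy files into a set of folders and records their SHA-256 hashes in a baseline, and a second re-hashes them and reports anything that no longer matches. The folder list, file name and baseline path are example choices.

```powershell
# Added example (not Huntress code): a minimal file-canary baseline and check.

$CanaryBaseline = Join-Path $env:ProgramData 'canary-baseline.json'   # assumed location

function New-CanaryBaseline {
    param(
        [string[]]$Folders = @(
            [Environment]::GetFolderPath('MyDocuments'),
            [Environment]::GetFolderPath('Desktop')
        ),
        [string]$BaselinePath = $CanaryBaseline
    )
    $entries = foreach ($folder in $Folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        $path = Join-Path $folder 'canary-do-not-delete.docx'   # example decoy name
        [IO.File]::WriteAllBytes($path, [Text.Encoding]::UTF8.GetBytes('canary file - do not modify'))
        [pscustomobject]@{
            Path   = $path
            Sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
    $entries | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
    $entries
}

function Test-CanaryBaseline {
    param([string]$BaselinePath = $CanaryBaseline)
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    foreach ($entry in @($baseline)) {
        $status = 'OK'
        if (-not (Test-Path -LiteralPath $entry.Path)) {
            # Many families rename encrypted files with a new extension, so look
            # for a sibling that still carries the canary's base name.
            $dir  = Split-Path -Path $entry.Path -Parent
            $stem = [IO.Path]::GetFileNameWithoutExtension($entry.Path)
            $renamed = Get-ChildItem -LiteralPath $dir -Force -Filter "$stem*" -ErrorAction SilentlyContinue
            $status = if ($renamed) { "RENAMED -> $($renamed.Name -join ', ')" } else { 'MISSING' }
        } elseif ((Get-FileHash -LiteralPath $entry.Path -Algorithm SHA256).Hash -ne $entry.Sha256) {
            $status = 'MODIFIED'
        }
        [pscustomobject]@{ Path = $entry.Path; Status = $status }
    }
}

# Usage: run New-CanaryBaseline once, then Test-CanaryBaseline on a schedule.
# Any row whose Status is not OK is a signal to examine recent file writes
# and the processes that made them.
```

The check reports only; what to do on a non-OK result (isolate the host, page an analyst) is a response decision that sits outside the script.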
It's important to understand that Huntress is not a prevention tool; it is a detection and response tool. Humans on our end review all of the data from your machine and create incident reports based on their investigations. This ensures you're receiving actionable intelligence with remediation instructions.