Team: Huntress EDR
Environment: Huntress.io portal
Summary: Threat Analysts perform manual investigations to analyze and review potentially malicious footholds and to verify the authenticity of software in order to help prevent false positives. Each investigation is updated as it progresses and resolved with a classification of either malicious or benign.
Huntress leverages automation to identify legitimate and malicious persistent applications. However, despite all the fancy algorithms/machine learning/cool tricks up our sleeve, sometimes automation cannot make a clear distinction between malicious and benign activity. Rather than send false positives to our partners, Huntress Threat Analysts (humans!) step in and perform manual investigations to provide additional scrutiny on potentially malicious footholds and to verify the authenticity of installed software.
During an investigation, a forensics analyst examines the Autorun (the persistence mechanism and the binary it launches) to determine the correct classification for both. When the analysis is complete, the analyst resolves the investigation and, depending on what was found, may change the classification to reflect the Autorun's actual status.
Which Host did Huntress Analysts Investigate?
At the moment, we don't track or show which hosts an investigation applies to. However, we're experimenting with new designs that will display this data. Curious why?
Investigations are performed against all of our partners' normalized data. As a result, a single investigation often applies to dozens of Huntress accounts, organizations, and the agents within them. This host-agnostic approach benefits the entire Huntress community rather than a single host. When Huntress analysts close an investigation, our software looks up every Huntress account and organization that is impacted by the investigation and links the investigation to that organization's dashboard (but not to the specific hosts).
We've since learned that our partners care about which host an investigation applies to, so we're knee-deep in the development of this improvement =)
What Happens when an Investigated Autorun is Malicious?
If the result of an investigation changes the classification of an Autorun to malicious, a new infection report will be created for every host that has the malicious Autorun. Once the infection report is completed, it will be delivered as an incident report through your configured integrations (see Managing Huntress Integrations).
Where will I see Investigations for My Organization?
You can see the current number of active and resolved investigations for your organization on the Organization Dashboard. You will also see the all-time total number of investigations on the Dashboard.
Why Does Huntress Investigate Known Good Software?
You may have noticed investigations for known good software like Windows Defender, Malwarebytes, Sophos, etc. and wondered why Huntress investigated it. The answer is we use investigations to track and categorize these applications just like we do malware.
As you probably know, keeping up with all the latest versions of applications is difficult. We do our best, but sometimes a version was released before we were tracking it, we don't have that particular version of the application, or it is an application we simply don't have access to (e.g., specialty applications for dental offices, legal firms, etc.). In all these cases we use an investigation to verify the application is what it purports to be and to categorize it.
So if you see that an investigation was performed, it doesn't necessarily indicate there was something suspicious on a host. However, if we investigate something and determine it is malicious, you will receive an incident report.
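If you want to perform the same kind of "is this binary what it purports to be" check yourself on a host, the script below is an added example written for this article; it is not Huntress code and does not reflect how the Huntress platform or its analysts actually perform investigations. It walks the machine-wide and per-user Run keys (two of the many Autorun locations Windows offers; the key paths are the standard ones, the rest of the script is this example's own logic), resolves each value to the executable it launches, and reports the file's Authenticode signature status, signing publisher, and SHA-256 hash.

```powershell
# Added example for this article (not Huntress code): triage Run-key Autoruns by
# checking whether the launched binary exists, who signed it, and its SHA-256 hash.
# Only the two Run keys below are covered; other Autorun locations (services,
# scheduled tasks, WMI subscriptions, etc.) are out of scope for this example.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Resolve-ImagePath {
    param([string]$Command)
    # Run values are command lines. Take the quoted program, or the first token
    # ending in .exe, otherwise the first whitespace-delimited token. An unquoted
    # path containing spaces (e.g. C:\Program Files\x.exe) is ambiguous and will
    # show up as MissingFile below; inspect those entries by hand.
    if ($Command -match '^\s*"([^"]+)"')      { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)')     { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Get-RunKeyAutorunReport {
    param([string[]]$Keys = $runKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            # GetValue expands REG_EXPAND_SZ variables such as %ProgramFiles%.
            $command = [string]$item.GetValue($name)
            $image   = [Environment]::ExpandEnvironmentVariables((Resolve-ImagePath $command))
            if (-not (Test-Path -LiteralPath $image)) {
                [pscustomobject]@{
                    Key = $key; Name = $name; Image = $image
                    Status = 'MissingFile'; Publisher = $null; SHA256 = $null
                }
                continue
            }
            # Status is Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
            $sig = Get-AuthenticodeSignature -FilePath $image
            [pscustomobject]@{
                Key       = $key
                Name      = $name
                Image     = $image
                Status    = $sig.Status
                Publisher = $sig.SignerCertificate.Subject
                SHA256    = (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash
            }
        }
    }
}

# Usage: list every Run-key entry, unsigned or missing ones first.
Get-RunKeyAutorunReport | Sort-Object Status | Format-Table -AutoSize
```

Treat the output as a starting point rather than a verdict. A Valid signature from the publisher you expect and a hash that matches the vendor's release is good evidence the file is what it claims to be; a NotSigned or HashMismatch result, a file that no longer exists, or a signer that does not match the product name are the cases that need the kind of manual scrutiny this article describes. Signed binaries can still be malicious, so the signature check is one input to a classification, not the classification itself.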