Team: Huntress EDR
Product: Persistant Footholds
Environment: Huntress portal
Summary:Huntress Threat Operations Workflow
Huntress monitors all autoruns on machines with Huntress installed. Each foothold is reviewed by our automated processing to determine if it is something we have seen before. If a foothold/autorun is new to the Huntress database, a ThreatOps Analyst begins a "review" which could lead to an investigation and even an incident report.
Automated Analysis - Huntress automatically classifies known good and bad software.
Human Review (something new to Huntress) - a Threat Analyst will take a look at the new file and determine if it's good or bad
Investigate (something suspicious or classification of goodware) - Investigations are done by Threat Analysts. They will often download the suspicious files and pull them apart to determine what the software is doing
Report - Should a Threat Analyst Investigation (or Automated Analysis) yield something malicious, a report is generated, a ThreatOps Analyst gives it one more review before sending off an incident report to your integrations.