Product: Managed Endpoint Detection and Response (EDR)
Summary: Security Operations Center Workflow for Persistent Footholds
Huntress monitors all autoruns on machines with a Huntress agent installed. Each autorun (or foothold) is reviewed by our automated processing to determine if it is something we have seen before. If a foothold/autorun is new to the Huntress database, a Security Operations Center (SOC) Analyst begins a "review" which could lead to an investigation and even an incident report.
Automated Analysis - Huntress automatically classifies known good and known bad software.
Human Review (for software new to Huntress) - a SOC Analyst takes a look at the new software (autorun) and determines whether it is good or bad.
Investigate - Investigations are done by SOC Analysts when suspicious autoruns are identified. They will often download the suspicious files and pull them apart to determine what the software is doing.
Report - Should a SOC Analyst's investigation (or automated analysis) yield something malicious, an incident report is generated. A SOC Analyst reviews the report, adding the necessary Assisted Remediations to remove the foothold, before sending the report to your integrations.
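To make the triage logic above concrete, the following is an added Python example; it is not Huntress's code and does not describe how the Huntress platform is implemented. It models the automated classification step (known good / known bad by file hash), routes anything new to a review queue once per unique hash rather than once per host, and shows how an analyst's decision feeds back so the next sighting is handled automatically. The class and function names, the host names, the autorun records and the all-"a"/"b"/"c" hash strings are constructed for the example.

```python
"""Added example (not Huntress's code): a minimal autorun/foothold triage
pipeline. Hosts, paths and hashes below are constructed sample data."""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    KNOWN_GOOD = "known_good"      # automated: hash previously classified benign
    KNOWN_BAD = "known_bad"        # automated: hash previously classified malicious
    NEEDS_REVIEW = "needs_review"  # new to the database: route to a human analyst


@dataclass(frozen=True)
class Autorun:
    host: str
    location: str    # where persistence lives: Run key, service, task, startup folder
    image_path: str  # binary the autorun launches
    sha256: str      # hash of that binary (hypothetical values in the sample)


@dataclass
class FootholdDatabase:
    """Classification state shared across every monitored host."""
    good: set = field(default_factory=set)
    bad: set = field(default_factory=set)

    def classify(self, autorun: Autorun) -> Verdict:
        if autorun.sha256 in self.bad:
            return Verdict.KNOWN_BAD
        if autorun.sha256 in self.good:
            return Verdict.KNOWN_GOOD
        return Verdict.NEEDS_REVIEW

    def record_review(self, sha256: str, malicious: bool) -> None:
        """An analyst's verdict makes every future sighting of the hash automatic."""
        (self.bad if malicious else self.good).add(sha256)
        (self.good if malicious else self.bad).discard(sha256)


def triage(autoruns, db: FootholdDatabase) -> dict:
    """Bucket autoruns by verdict. Known-bad hits are kept per host (each host
    needs its own remediation); an unknown hash is queued for review only once."""
    buckets = {v: [] for v in Verdict}
    queued = set()
    for a in autoruns:
        verdict = db.classify(a)
        if verdict is Verdict.NEEDS_REVIEW:
            if a.sha256 in queued:
                continue
            queued.add(a.sha256)
        buckets[verdict].append(a)
    return buckets


def incident_reports(buckets: dict) -> list:
    """One remediation entry per malicious foothold: remove the autorun entry
    at its persistence location on that host."""
    return [
        {"host": a.host, "location": a.location, "image_path": a.image_path,
         "remediation": "remove autorun entry"}
        for a in buckets[Verdict.KNOWN_BAD]
    ]


# Constructed sample fleet: one known-good entry, one known-bad, one new hash
# seen on two workstations.
SAMPLE_AUTORUNS = [
    Autorun("ws01", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
            r"C:\Program Files\Vendor\agent.exe", "a" * 64),
    Autorun("ws02", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
            r"C:\Users\bob\AppData\Roaming\update.exe", "c" * 64),
    Autorun("ws03", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
            r"C:\Users\amy\AppData\Roaming\update.exe", "c" * 64),
    Autorun("srv01", r"HKLM\SYSTEM\CurrentControlSet\Services\svc",
            r"C:\Windows\Temp\svc.exe", "b" * 64),
]


def sample_db() -> FootholdDatabase:
    return FootholdDatabase(good={"a" * 64}, bad={"b" * 64})


if __name__ == "__main__":
    db = sample_db()
    first = triage(SAMPLE_AUTORUNS, db)
    print("review queue:", [a.host for a in first[Verdict.NEEDS_REVIEW]])
    # Analyst finishes the review and marks the new hash malicious.
    db.record_review("c" * 64, malicious=True)
    second = triage(SAMPLE_AUTORUNS, db)
    for r in incident_reports(second):
        print(r)
```

The second pass shows the feedback loop: after one human review of the unknown hash, both workstations carrying it are reported automatically, each with its own remediation entry, and the review queue is empty.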