Rapidly prioritize thousands of artifacts
- Bad items are related to past intrusions and should be the first clues you look into
- Suspicious items could be the attacker trying to blend in and are your 2nd priority
- Good items aren’t worth your precious time.
Leverage comprehensive threat intelligence
- Malware scanning from 40+ engines
- Yara to integrate cutting-edge rules
- Heuristics that experienced responders look for, such as anomalous processes
- Import IOC threat intelligence lists.
Get context on the clues
- Use the Timeline to see what happened before and after a given event
- See what other files are stored alongside malware and other suspicious files with File Explorer
- You can easily pivot data types to learn about related artifacts, such a network connection associated with a file.
Scored artifact details
- Files with malware based on results from multiple ReversingLabs engines
- Known bad files and other items based on IOCs and blacklists
- Windows processes that were tampered with by verifying parent hierarchy and owner
- Programs and scheduled tasks that were run out of uncommon locations
- Startup programs, services, or drivers in uncommon locations or that are not signed
- Processes with names that are too similar to normal Windows processes
- Processes that could have been exploited and are now running command prompts
- Active network connections to uncommon remote ports
- Listening ports on uncommon local ports
- Remote desktop connections with suspicious users and settings
- User accounts with abnormal behaviors and failed logins
- Executable files hidden in NTFS Alternate Data Streams
- Executable files that have suspicious structure and settings
- Encrypted archive files that could be from data exfiltration
- Known good operating system and application files based on MD5 hash values and NIST NSRL and ignore them; this reduces the amount of data that needs to be analyzed and reviewed
- For more details, including a complete list of scored artifacts, contact us.