Manage Endpoint Detections
Endpoint Detection enhances the Insight Agent's capabilities to detect malicious activity on your assets and provides you with visibility into the specific action that triggered the detection.
As a Managed Detection and Response (MDR) customer, you can use this to monitor changes to assets that have the Insight Agent installed.
Upgrade with our Ransomware Prevention add-on
If you would like to be able to automatically take action on threats that have been detected with Endpoint Detection, you require the Ransomware Prevention add-on. Contact your Account Executive for purchasing options.
Group Details
In Endpoint Detections, all assets being monitored in your organization using Insight Agent are included in the Default Group. You can configure Exclusions and Security at a group level for all associated assets.
Endpoint Detections Policy
The Endpoint Detections Policy is composed of Detection Engines, which are designed to detect specific threats and instruct the Insight Agent. The Endpoint Detection Policy tab provides you an overview of actions taken by the detection engines. For Endpoint Detections, in all cases this will be Monitor and the Priority is Low.
Detection Engine details
Detection engines monitor your assets for ransomware and other forms of malware that use common types of evasive techniques. This section provides a high-level explanation of what each of these engines detect.
Memory Injection Attacks
Some malicious software can inject and hide itself in a legitimate process.
More information
Why it’s used
Previously, malware attacks typically involved malicious processes, which either carried out the attack or downloaded a file-based payload with malicious code. These processes were found by threat analysts and security software that listed running processes, distinguishing suspicious processes from legitimate ones.
How it’s used
Malware authors are now aware of this countermeasure and have created a way to circumvent it, using techniques known as process injection or memory injection.
Process and memory injection make it harder for security tools to detect malicious processes. These techniques run malicious code in the address space–the range of valid addresses in-memory, which are allocated for a particular program or process–of a legitimate process or a sensitive OS process. Sometimes, malware also unpacks malicious code into its own process as a form of self-injection, creating a skeleton process that is already present in memory.
Forensic information available in alerts
In addition to the standard details, the resulting alert provides information about the destination process and the malware targeted for injection. It also provides a list of all loaded modules (DLLs) in the process that triggered the alert.
Living-Off-the-Land Attacks
Different from classic forms of malware, a Living-Off-the-Land attack attempts to cause damage by misusing tools that are built into the system.
More information
Why it’s used
Living off the land (LOTL or LOL) is an evasion technique that takes advantage of trusted system utilities, libraries, tools, and components, which are native to the operating system. The operations that this software performs appear to be legitimate, even though they are performed on behalf of a threat actor.
How it’s used
Malware uses LOLbins to perform operations, which appear to be typical. For example, malware can perform lateral movement, download malicious artifacts, and move to another stage of attack without triggering an alert. These operations can use trusted utilities and components, including those that are digitally signed.
Forensic information available in alerts
In addition to the standard details, the resulting alert provides information about the executed child process.
Malicious Document Attacks
Malicious documents can sometimes misuse features such as macros, scripts, and built-in tools.
More information
Why it’s used
Threat actors use documents to lure victims through phishing or social engineering attacks, allowing them to deliver malicious code and gain a foothold on a machine. Traditional antivirus (AV) tools and threat analysts typically detect malware by comparing the hash of the document file to the malware hashes in their database.
However, it’s more difficult to detect malicious activity in popular software that’s used to open these documents, such as Microsoft Office or Adobe. This software is often misused as an evasive technique, carrying out the document’s malicious code on its behalf while remaining undetected, since the software is considered legitimate.
How it’s used
Malware uses legitimate document software to run macros, open script interpreters, obfuscate malicious code, use add-ons and extensions, download scripts, execute another executable program, and more.
Forensic information available in alerts
In addition to the standard details, the resulting alert provides information about the command that executed the child process.
OS Credential Dumping Attacks
Attackers or malware can sometimes attempt to harvest operating system credentials to gain access to an environment.
More information
Why it’s used
It takes multiple steps for ransomware to be successful, including shutting down security controls and accessing restricted information to hold for ransom. Spreading through a network requires lateral movement, where attackers can attempt to dump credentials, allowing them to obtain account logins that enable their malware to move laterally.
How it’s used
Adversaries might attempt to access credentials stored in the process memory of the Local Security Authority Subsystem Service (LSASS). They can deploy tools that allow them to extract this data, exploit legitimate applications and processes, and use LOLbins to dump sensitive credential information.
Forensic information available in alerts
In addition to the standard details, the resulting alert provides information about the sensitive asset where credential harvesting was attempted.
File and Process Manipulation Attacks
Malicious software can attempt to manipulate other software applications and processes to gain access to an asset’s internal files.
More information
Why it’s used
Traditional antivirus (AV) tools and threat analysts typically detect malware by comparing the hash of a file or process with the malware hashes in their database. Additionally, file systems often require dedicated permissions or access controls.
Making too many changes on a file system can trigger existing endpoint security controls, which block malware activity. However, legitimate programs with direct access can read and write files directly from the drive by analyzing file systems. These programs can access sensitive or vulnerable files in a way that doesn’t raise suspicion.
How it’s used
To avoid detection, adversaries abuse programs that already have direct access to file systems and can read and write files directly from the drive. These programs can be used to access sensitive files and then read, write, or execute on the malware’s behalf. This technique can bypass Windows file access controls and file system monitoring tools.
Forensic information available in alerts
In addition to the standard details, the resulting alert provides information about the path that the process attempted to reach.
Data Encryption Attacks
Malicious software, particularly ransomware, can introduce processes that silently encrypt files.
More information
Why it’s used
Encryption occurs often in a Windows OS and is not necessarily malicious. Many built-in and third-party tools use native OS functions and methods of encryption to meet their functional requirements. These encryption methods, which are usually unmonitored, are often time and resource intensive.
Encryption makes it harder for endpoint security tools and threat analysts to identify ransomware as malicious. However, once the ransomware is detected, a signature is immediately created, preventing further infections.
How it’s used
Malware authors are aware of this technical challenge and have created a way to avoid it, using hidden or nested threads that allow them to execute their malicious code quickly while remaining unnoticed.
Forensic information available in alerts
In addition to the standard details, the resulting alert provides information about the process that initiated the attack.
Assets
The assets tab provides a searchable overview of all assets in the default group for your organization, including details on the hostname, host status, operating system, when communication was last received from the asset, and IP address.
Exclusions
From Exclusions, you can create exclusions to reduce alerts generated by legitimate processes or benign behaviors. The Insight Agent will not alert on excluded data.
Exclusion types
While you may want to create some exclusions proactively, you may also need to create them after you receive an alert in InsightIDR about benign activity.
When creating an exclusion proactively, without the context of a given alert, the available exclusion types are Path and Hash. However, when creating an exclusion from an alert you received in InsightIDR, the Insight Platform will provide the applicable exclusion type based on the alert type and associated Detection Engine.
That means not all exclusion types are available for every alert. In addition, in some cases the process that triggered an alert is a container, sensitive, or generic process. For these processes, the Insight Platform may adjust the applicable exclusion type to provide a more granular exclusion. This is intended behavior to avoid security exposure.
Criteria you can exclude
You can exclude these types of detectable criteria from the Endpoint Detections:
- SHA256 hash values
- Paths - Allows you to exclude a file path on your assets.
- This exclusion type is useful if your assets run software or services at a specific location and you want to ensure that Endpoint Detections does not impact how these tools operate.
- Extensions - Allows you to exclude an entire file type.
- This exclusion type is useful if your assets use a specific file format regularly that you don't want Endpoint Detections to scan.
- Process - Allows you to exclude an executable (.exe) process path on your assets.
- Certificate - Allows you to exclude a digitally signed process by its certificate details. You can also choose the level at which the process certificate details are identified:
  - Publisher - Any executable process signed by the publisher information found in the certificate is excluded.
  - Product - Any executable process signed by the publisher and with the product definition found in the certificate will be excluded.
  - File name - Any executable process signed by both the publisher and product and file name will be excluded.
- Script - Allows you to exclude a specific script or command that a process is attempting to execute.
- File Access - Allows you to exclude specific directories or files that a process is attempting to reach.
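To make the exclusion criteria above concrete, here is an added illustrative Python model of how each criterion could be compared against an alert, including the nesting of the three certificate levels. It is not Rapid7's or the Insight Platform's code; the `Alert` fields, the exclusion dictionary shape and the level names are assumptions.

```python
"""Hypothetical model of Endpoint Detections exclusion matching (constructed
for illustration; not the Insight Platform's implementation)."""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath


@dataclass
class Alert:
    engine: str
    path: str                    # path of the process or file that triggered the alert
    sha256: str
    command: str = ""            # script/command line, where the engine reports one
    target_path: str = ""        # file or directory the process attempted to reach
    signer: dict = field(default_factory=dict)  # publisher / product / file_name from the cert


def _same_path(a, b):
    # Windows paths are case-insensitive; normalise before comparing.
    return PureWindowsPath(a.lower()) == PureWindowsPath(b.lower())


def matches(exclusion, alert):
    kind, value = exclusion["type"], exclusion["value"]
    if kind == "hash":
        return alert.sha256.lower() == value.lower()
    if kind == "path":
        return _same_path(alert.path, value)
    if kind == "extension":
        return PureWindowsPath(alert.path).suffix.lower() == "." + value.lower().lstrip(".")
    if kind == "process":
        # Process exclusions apply to an executable (.exe) process path.
        return alert.path.lower().endswith(".exe") and _same_path(alert.path, value)
    if kind == "certificate":
        # Each level requires every field of the broader levels to match as well,
        # so "file_name" is the narrowest exclusion and "publisher" the widest.
        levels = {"publisher": ["publisher"],
                  "product": ["publisher", "product"],
                  "file_name": ["publisher", "product", "file_name"]}
        return all(alert.signer.get(f) == value.get(f) for f in levels[exclusion["level"]])
    if kind == "script":
        return alert.command.strip().lower() == value.strip().lower()
    if kind == "file_access":
        # A directory exclusion covers everything beneath it.
        target = PureWindowsPath(alert.target_path.lower())
        excl = PureWindowsPath(value.lower())
        return target == excl or excl in target.parents
    raise ValueError(f"unknown exclusion type {kind}")


def is_excluded(alert, exclusions):
    """True when any configured exclusion suppresses the alert."""
    return any(matches(e, alert) for e in exclusions)
```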
Supported criteria for detection engines
Depending on the alert type and context, this table indicates the attributes that detection engines are monitoring and the types of exclusions that are allowed:
| Detection Engine | Path | Hash | Process | Extension | Script | File Access | Certificate |
|---|---|---|---|---|---|---|---|
| Memory Injection | X | X | X | | | | |
| Malicious Document | X | X | | | | | |
| Living-Off-the-Land | X | | | | | | |
| OS Credential Dumping | X | X | X | | | | |
| File and Process Manipulation | X | X | | | | | |
| Data Encryption | X | X | X | | | | |
Configure an exclusion
- In your Agent Management experience, click Endpoint Detections > Default Group > Exclusions.
- Click Create Exclusion.
- Select the operating system.
- Select the exclusion type.
- Based on the type you selected, enter a value as prompted by the example shown.
- Give the exclusion a description.
- Click Save when finished.