Tom here from Lawrence Systems, and we're going to talk about Huntress Labs. I've reviewed this product several times before, but there are new features, and I wanted to review what it looks like here in 2022 and talk about the host isolation, the managed AV (not their own AV, but the fact that it can manage Microsoft's antivirus, which is a really cool feature), Process Insights, and how an incident looks right now in 2022, because yes, I created an incident for part of the demo I'm going to be doing. I've got everything time-indexed down below, so if you want to jump right to the technical part, no problem; everything is nicely indexed and you can find what you're looking for.

I want to start, though, with who this video is for and who should watch it. Well, anyone can watch it, but would it be interesting to you? If you're an end user, sorry, this isn't a product really designed for end users to purchase and load on their computers. This is a product designed for companies like mine, the managed service provider space, or external IT who want to deploy this at a client. It gives us a cool dashboard, which you're going to be able to see, and this is how we see cybersecurity incidents with our clients, get the incident reports we need, or use some of the fun features we're going to talk about. This is also for internal IT teams: if you are in charge of an organization, you work internally there, and you're looking at a tool to deploy across your organization, absolutely, Huntress has many clients of that type that just buy it for their individual organization. So it has what we would call multi-tenant support, so we can have all of our clients and nice separate dashboards to drill down into any one client, or if you just want to buy it directly, that's ideal. It's just not for end users to purchase directly, in case anyone's wondering. With that out of the way, let's continue.
Now, why do we use Huntress? I want to talk just a little bit about that, and it's because they have a lot of people involved. What I mean by that is actual people understanding these threats and what the threat landscape looks like. Huntress is essentially a tool that doesn't just throw the word AI and the buzzwords around. They actually go through and look at the incidents, and I say "they" as in human beings with fingers on keyboards, ThreatOps engineers that work there, that actually take the time to understand the threat, understand how the incident got there, and are able to provide real-time help and real-time understanding, and then write up an incident report; we're going to show you how these remediation reports look. They are human-reviewed, and this is important because false positives are absolutely a horrible problem in the industry overall with cybersecurity. It causes a lot of decision fatigue. If you end up chasing a lot of things that weren't really real, and you go, ah, it's another red light on a dashboard, at some point... you never want to get that way. You don't want to feel like, oh, this is probably not an incident, it's probably just another piece of noise. This is where Huntress adds that extra high-fidelity information we need in order to make a decision. So if we have a false positive with our AV tool, because, as I said, Huntress itself is not an AV tool, Huntress is a managed detection and response tool, and it can work in conjunction with AV. When you're doing an investigation you need multiple pieces of information: that first piece of information might be an incident that came in, and the second piece might be Huntress going, that's a false positive, because there's nothing in there and Huntress doesn't trigger an alert.
This gives us, as in my team, the insight we need to determine whether or not something's a real incident when we go to investigate it, or just an update from some product that decided to get flagged by the AV vendor because reasons. This is one of those very helpful things and one of the reasons we continue to use Huntress as part of the cybersecurity stack that we offer our clients.

All right. Now, the last thing I want to mention about Huntress, and I'll leave links to all this: there are a couple of blog posts that talk in a little more depth about how they participate in the community. This is, well, how I actually found Huntress to begin with, and one of the reasons I really like staying with them as a company is their involvement with bug bounty programs, donating to the Dutch Institute for Vulnerability Disclosure, participating in these Tradecraft Tuesdays, and giving out a lot of information. And of course, when there have been large incidents, like the Kaseya incident of 2021, well, they were there publicly disclosing everything they knew about it, because many Kaseya customers were also Huntress customers. So they offered a lot of insight very publicly to help anyone that was in this really bad situation with one of the largest massive ransomware attacks that we had seen. This is one of those things where Huntress doesn't just say "we're going to be the security for the 99%" or "raise the bar for security"; they don't mean just for themselves or for customers, they mean for the community. Their community involvement is huge. I have participated myself with their community programs like their Tradecraft Tuesday and just the online events they've had, their hacking events that are online where they give out a lot of educational stuff. This is something that's near and dear to me because, well, I make YouTube videos and talk a lot about how to secure things, how to set things up.
This is just me giving back to the community myself, and seeing other companies larger than myself doing it, why not join and participate with them? That's one of the things I just really enjoy, and why I have such an alignment with them as a company. Now, that being said, this was not paid for or endorsed by Huntress. I'm a customer of theirs; I pay to use their product, just in case there was anything unclear about that or my relationship with them.

All right, now it's time to dive into the technical aspects of this. Before we get to the dashboard, I wanted to start with how to install Huntress and what it's supported on. It's really straightforward from an install standpoint: download the Huntress agent installer, run the installer with the account key and organization key, and then you can add tags like "demo system" as I did here. It does have a silent install option. But obviously the most ideal way, if you're a managed service provider such as ourselves and using some of the RMM tooling, is that they support integration into a lot of different systems: Atera, Continuum, ConnectWise, Datto, Kaseya, Microsoft Intune (yes, you can even integrate this within the Intune installer), Ninja RMM, SolarWinds, Syncro and so on. Of course, you can also just do it via PowerShell with Active Directory integration. Of note on supported operating system requirements: Windows Pro, Education, Enterprise, Windows Home, and Windows Server. The managed AV is not available unless you're using Windows Pro, and ideally you should be using that if you're dealing with businesses; this is mostly what you're going to encounter. But it's something of note, if you're trying to deploy this from a management standpoint, that if you do have some Windows Home systems, the managed AV is not available. The other functions such as external recon, ransomware canaries and the footholds are available. Host isolation also is pushed via policies that are not available in the Home version.
So that's a little clarification for those of you wondering. Now we're going to start here in a demo system that I have set up on the dashboard. This is my organization, Lawrence Systems. These are some internal machines that we have because, well, we always like testing and making sure we understand how these products work. These are some of the internal tests we were doing, specifically to get some reactions from playing with this. If I go up to the top, I would be able to switch to the dashboard that shows all of my clients, but I'm not going to do that; I can't really reveal all the client names in there. But yes, it does offer multi-tenancy where we can manage every client individually. I mentioned a few times how it groups things into organizations, because it actually has a few features that are per organization to give you some insights into the different binaries that are running on there. Now, to make this easier to read, I'm going to zoom in here, so some things may look a little funny, but I want to make sure people can see the things around the screen. We clicked on my test win system, and you can see the internal IP address of 192.168.13 and then the external IP address, which, if you look it up, you'll find belongs to a VPN provider, Privacy VPN, and that is the external IP they see. This is how the external recon works. It'll look to see what ports are open and does have that as something it monitors, so it can let you know the different external IPs that these devices beacon from and give you any external recon information it may have about them. It's actually a really nice feature they added, and I think it's a cool add-on because it's not too difficult on their side to do. They just go ahead and list out the IPs that they see things coming from and what ports might be open on there, and that can be insightful sometimes, especially if you're not expecting any ports to be open.
Now, last update request, last seen, what version it's on; the system auto-updates the version, so that just kind of rolls out. Nothing you have to do, but at least you'll be able to see what agent is running on there. The architecture, the last survey it did, and the Isolate Host button; we'll do a demo of that a little later and talk about what that is. Now we can look at the autoruns, and these are all the things set to auto run in here. None of them are flagged as malicious or suspicious, and here are all the ones being monitored. You can see things like, you know, the Google Update Task Manager. Let's go ahead and click on the details of that: first seen five months ago, monitored, and what these classifications are is internal classifications that the ThreatOps team does to understand what this is and what this version is. Obviously Google Updater existed more than five months ago, but that's when that particular binary was updated, and their signature for it, because, well, that eventually gets updated on the back end from Google and on these systems. So you can scroll through, look at the different name, the task, what it's doing, and drill deeper down into the binary itself. This is where that grouping of organizations comes in: "seen on these agents" specifically means seen on these agents within this organization. So here are a couple of other ones that are in here. We have our network pun computer, Jeremy test wins and smiles; this same Google Updater was seen on each of these. Now this is very helpful when you have clients with line-of-business applications where you may see it deployed and know which machines it's on. This is actually kind of interesting insight when you're doing it at a per-organization level like that. It also gives you the hash of the files, with a couple of different methodologies, so you can understand and dive deeper into understanding these binaries. Just some nice things. Also VirusTotal results; this is another feature they've added in there.
So you can just click this and also dive deep into VirusTotal and go, all right, what is this thing? Is it a common, popular item? Obviously it is; it's the Google Updater. So this is a lot of easy, simple content for when you're looking around and trying to investigate what's on a system, or trying to figure out some things you don't want to be on the system. These are just really simple things that Huntress has built in there to make it easy to investigate. Now for any of these, you do have the ability to search, so you can filter down quickly to different things. If you switch to All and put "Google" in here, there are the different functions that Google has in there, with date added, category, and details just like before.

Now, Process Insights is a new feature that they have on here. We're going to show you the other system where I created an incident to get some detection and get some response on there, and then we can look at the processes here. Process Insights gives you insight into how a process behaves. It's an interesting feature, and what this does is give you better insight into what the process is trying to do. It's a little similar to behavior analytics, but it's digging into the commands that are being run. So you may see something that was spawned by cmd.exe or one of the other things like svchost, but then what is it trying to do? This is often an evasion method, and there's a good write-up that Huntress has (I'll leave a link down below) for the VMware Horizon incident, where they did a lot of good analytics and posted on this. It offered some insight into how their process analytics was able to see the different processes being spawned on VMware Horizon servers and understand what new attack vector was being deployed. This is often what happens when there's a large-scale attack: it hasn't been seen before because it's a very new attack vector, and it was kind of related to how VMware had implemented Log4j.
Because someone was able to pivot and get into VMware servers through that, being able to see that and have the process insight to then start making decisions based on it, to see it was a real threat, is why they added this feature. This is a relatively new feature to Huntress, but I think it's really interesting, and I actually was able to trigger some stuff on Process Insights playing around with it. That's the demo part we're going to get to shortly. Now back over to here, we have binaries below, and this is just listing all the binaries it finds on the system. Yes, there are just pages and pages of this, so we can look at the different binaries. Once again, all these pivot back and forth between each other; a lot of these are just different perspectives on some of the same data, whether you look at it from an autorun, which ones are running, or which ones just exist on the system. But these are all the analytics things that this tool has.

Now, the antivirus is really cool. I've forgotten and left a couple of things on here, so this number you see next to it is the number of antivirus detections in the last 48 hours, because I didn't have the managed AV on; now that I do, I had something I left in the Downloads folder that I was going to deploy on here, and it did delete it. Now, for all the problems, so to speak, in the past with Microsoft Defender not being the best AV system, they've actually revamped it a lot, and it does a really good job and detects quite a few things. But it does not lend itself to being easy to use, and that's where this managed AV function comes in. You can currently see that on the antivirus policy status page we're on, general, everything's green across here, exclusions, and each piece is compliant.
What that means is, and we'll start over here at Configure, you can go to Inherit settings, as in whatever settings you already have for Microsoft AV; you can Audit the settings against all these different options right here that we're going to show; or you can say Enforce. In the context of this, this is an independent system that doesn't have anything else telling it to manage Microsoft Windows Defender. There's no tooling set up to manage it; it's just kind of hanging out on the computer on its own. It's Windows 10 Pro. So we're going to go ahead and set it to Enforce and let Huntress do the management up there. Now when we go to the settings: the console set to visible or hidden, suppressed notifications, you have an option to add exclusions if you want, when you want the scans to occur, and when you want the signatures. Now we're going to change the signature interval to four hours and hit Save. And now we see we have a policy status of "signatures are not compliant," so we have a one next to it, and what it's telling you is this interval policy setting is not four hours; the current host setting is six hours. Because we have it in Enforce mode, it will push that setting out, and over time it will go ahead and update the system. Then the system will do a survey, it will understand it, and it'll update this, and now it'll be back in sync. This is how you can change settings. I really like that they added this because it just makes things a lot easier to manage with the Microsoft AV, and this is just something included within Huntress now. The last thing I'll mention in this menu is the monitored files. They have set up ransomware canaries essentially inside each system that you deploy Huntress on, unless you turn the feature off. I actually like this on.
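As an added example (not Huntress code or anything shown in the video), here is a PowerShell script that does locally what the Audit and Enforce modes above do from the dashboard: it compares the host's Microsoft Defender preferences against a desired policy and, with -Enforce, pushes the drifted settings with Set-MpPreference. The policy values are assumptions modelled on the demo (four-hour signature interval); the cmdlets are the built-in Defender ones and need an elevated PowerShell on Windows 10/11 Pro.

```powershell
# Added example: audit (default) or enforce (-Enforce) a Microsoft Defender policy on
# the local host, mirroring the "interval policy setting is 4h, host setting is 6h"
# drift report the Huntress managed-AV page shows. Not Huntress code.
param(
    [switch]$Enforce   # without -Enforce this only reports drift, like Audit mode
)

# Desired policy (assumed values for illustration; SignatureUpdateInterval is in hours)
$Policy = [ordered]@{
    SignatureUpdateInterval   = 4
    DisableRealtimeMonitoring = $false
    DisableBehaviorMonitoring = $false
    DisableIOAVProtection     = $false   # scanning of downloads and attachments
    MAPSReporting             = 2        # 2 = Advanced cloud-delivered protection
    SubmitSamplesConsent      = 1        # 1 = send safe samples automatically
}

$pref   = Get-MpPreference          # configured settings
$status = Get-MpComputerStatus      # what the engine is actually doing right now
$drift  = @()

foreach ($name in $Policy.Keys) {
    $want = $Policy[$name]
    $have = $pref.$name
    if ("$have" -ne "$want") {
        $drift += [pscustomobject]@{ Setting = $name; Policy = $want; Host = $have }
    }
}

# A setting can be configured correctly while the engine is still off (for example
# when something else disabled it), so also check the live status.
if (-not $status.RealTimeProtectionEnabled) {
    $drift += [pscustomobject]@{ Setting = 'RealTimeProtectionEnabled'; Policy = $true; Host = $false }
}
if (-not $status.AntivirusEnabled) {
    $drift += [pscustomobject]@{ Setting = 'AntivirusEnabled'; Policy = $true; Host = $false }
}

if ($drift.Count -eq 0) {
    Write-Output ("Compliant: all {0} policy settings match. Signatures last updated {1}." -f
        $Policy.Count, $status.AntivirusSignatureLastUpdated)
    return
}

Write-Output ("Not compliant: {0} setting(s) drifted" -f $drift.Count)
$drift | Format-Table -AutoSize

if ($Enforce) {
    # Only Get-MpPreference keys can be set directly; the live-status rows are
    # corrected indirectly by DisableRealtimeMonitoring = $false.
    $fix = @{}
    foreach ($d in $drift) {
        if ($Policy.Contains($d.Setting)) { $fix[$d.Setting] = $d.Policy }
    }
    if ($fix.Count -gt 0) {
        # Tamper Protection can silently block some of these changes; re-run the
        # audit afterwards (the equivalent of the agent's next survey) to confirm.
        Set-MpPreference @fix
        Write-Output ("Enforced: " + ($fix.Keys -join ', '))
    }
}
```

Run it without arguments first to see the drift table; the same script with -Enforce plays the role of the Enforce policy for a host that has no other management tooling.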
It's nice because it's one more indicator: if something triggers, if something messes with these files, and this is something obscured from the user, so they shouldn't see it, but ransomware tools will just, you know, go around encrypting things they find on here. So if something touches these files that the user shouldn't be touching, that once again is one more trigger point that can notify that there's something going on, alert the ThreatOps team, and then the investigation process starts.

All right, we're going to switch over to this agent here called Huntress Test. It's the same dashboard, Windows 10 Pro; it's a different computer, because this one I actually took the time to go ahead and start deploying some things on. Nothing's actually in an autorun, so nothing will show as suspicious here. But under Process Insights there's plenty of suspicious stuff going on, and you can see I'd run some Mimikatz on here. I did a registry dump. This is one of those behavioral things that Process Insights can really pick up on, because you're seeing that this was just spawned by PowerShell, and then a series of PowerShell commands were run in order to pull this data down. This is where it's that behavior again that we're looking at, to say, all right, this isn't just a process or something on the system. Now, unfortunately, and this is my fault, I forgot to turn it off the first time I ran it, so there are a bunch of things in here, specifically all the different tools from Atomic Red Team that I had loaded. I had turned off Microsoft Windows Defender to hopefully evade this, and then I forgot that I left the policy on. So even though I went and turned it off, the policy setting inside of Huntress turned it back on, and it said, look at all these things that we found here. So Defender actually does, you know, find these.
I thought it was weird that it called some of them potentially unwanted, but then other ones, which are like AutoKMS and a few other things on here, were all part of this Atomic Red Team loader that I'd set up. It picked up all of those, backdoors and some exploit shellcode; these are all the different things that got flagged. Now, of course, that means Huntress did see this and did create an incident report on here. So now we can look at the incident reports, and because I was running a series of tools, there's a series of incident reports on there. It says what service did it; you can see how it's highlighted here, and we can click on it and read through the incident report. Now this is really important: this was actually looked at by someone at Huntress. This wasn't just an automated "we sent a report over to you." They realized when they saw this that these are tools on there, even though the system's labeled Huntress Test; obviously, there are people that reviewed all this. Once it went up and someone saw a bunch of alerts coming off one system, there were definitely a lot of people that got involved that reviewed this, looked at it, and made sure what needed to be done about remaining footholds. This is that managed detection and response: this is the "they detected something." So all the different things I had done, such as turning off the AV, were noted and put in here, and so "please review this incident report." You go down, and it even tells you, and this is one of the things I really like about these incident reports, more information on the technique of what was being done is actually included in the report. So they very quickly assemble this information when they see the attack, so you have a lot of insight into what happened, even if you're the one causing it.
I think this is just great that each one of these is a link that we can dive into. We have had incidents, you know, just from the nature of running this product for years, where clients have got something on their computers, something's happened, or especially when you're onboarding a new client, sometimes you discover things that the client didn't even know they had. These are just times when we've had to go through the reports, and they are very, very helpful and very good at helping us understand exactly what's going on. Now, all this is sent as an email as well; it can be integrated into different alert systems that you have, and integrated into the tooling that you have as well, to help manage the alerts internally. So there are different processes on each side; I'm just focusing on the Huntress dashboard so you can see how the alerts are in here. But yes, they can be sent to you via email and external methods of communicating this. Now, because they can also do the antivirus detection, here's an alert that's specifically for the antivirus detection. What this does is, and it depends on the type of alert, but if it's possible to fix something via the alert, you have the remediation plan. This is nice, especially when you have something just minor on the system that's not like an incident of ransomware or something severe; it's a minor incident. So they have these options to remediate this specific one, because they see these different tools right here, like, all right, do you want to remediate these? They were found, and you can say Approve, and then it will go through; remediation is approved, and you're telling the tool to automatically go in and delete those. Like I said, this is a backup, so to speak; the managed detection and response that they do is in addition to your other tools on there, but they still offer this remediation. It's one of the reasons we really like the way Huntress looks at things on there.
And, you know, this is just for getting rid of this Windows activation bypass, KMS, and the different files it found. So yes, that was part of this download. We ran the remediation, now it'll be deleted, and we can, you know, close out that incident on there.

So now we're going to go back over to our Huntress Test machine right here. The IP address is 192.168.40.145 internally, and it has a gateway of 192.168.40.1. Now, this is really great: this is the host isolation, with the goal being to prevent lateral movement. If something gets on that system, in this particular system, the next concern is what else will this threat actor do if they're on here? Well, they move laterally. Was this a machine that had compromised credentials on it that would allow them to elevate their privilege to somewhere else? Or maybe it already has privileges, and things are just going to go really bad really quickly because they're going to pivot to somewhere else on the network, or reach out to a server where they're going to download more tools. So once you see something compromised on there, this allows you to jump into action in terms of isolating the host, locking it down, and disconnecting it from the internet. Now, this is something that Huntress can do in certain situations. There is a chance they may contact you, or if they can't contact you but they know this is going to go bad really quickly, it may be worth it for them to take the system offline. The good news is you can take it on and offline from here. Once you take it offline, it only communicates with the Huntress servers and goes into a full isolation mode, not just isolated from the internet but isolated from the local network. What we're going to do to set this demo up is: I opened up Google News, so I've got a lot of connections in the background going. I have the test, and we're just doing a PowerShell Test-Connection to go ahead and give me an idea of the ping times on this.
So here we are pinging the local gateway, 40.1, and it's responding. I left the timestamps on there so we can go through exactly how quickly this isolates the host. So we're going to go over here to the management console. Actually, first we'll show pfSense here. Here are all the different connections that I have established; it's behind this particular pfSense. You can see, if I zoom in a little bit, that same host IP right here. You go here, Isolate Host, and we're going to tell them why we're isolating it: "YouTube demo." I see "Also make this host reachable from partner network administration." Only traffic from huntress.io will be allowed in or out during containment. Are you sure you want to isolate this host off the network? Isolate Host. Jump over here as quick as we can, and we see 18:28 is when we isolated the host. Let's see how many seconds it takes before that host isolation kicks in. And here we go. It took probably 15 to 20 seconds, it looked like. So at 18:29 it stopped. It was like 18:28 and a few seconds when we started, and now it's failing. Now let's go ahead and take it out of host isolation. It's still pending, because host isolation has been scheduled by Tom Lawrence at 18:28:35. So yes, less than 30 seconds later this host was isolated; isolation containment message: "YouTube demo," so we know why we did it. Now it's going to take a second; it's contacting the host, the host contacts here, this page will get refreshed and updated, and then from there we can take it back out of isolation. It's still in pending mode, and now it's isolated. Now we can go back and release the host. So the host is still timing out connections right here, and we're going to go ahead and release, release the host. All right, your host release has been scheduled at 18:29, and that only took a few seconds, so that was pretty much immediate there for unisolating hosts. This is a great feature to lock it down.
It doesn't just lock it down except for the internet; it can't even ping the gateway. Other devices can't talk to this. It is isolated, with the minimal exception of being able to still communicate with the Huntress management dashboard. This is really good in case you go into a panic and do it, either accidentally or because you're worried about something; it gives you some time to investigate. So that host just kind of goes dark, but you can still bring it back up while you investigate. I think this is a really cool feature, and I love how well it works. I've been playing around with it and pulling it up in pfSense and seeing all the connections. Some of these connections are now stale. If you leave it in there while you watch, you see all the connections go stale; it doesn't allow any of the states to stay active. So one of the tests I wanted to do from a network engineering standpoint, and really look at, was: it has all these connections, and I was wondering if any active TCP states would stay or if you had to do anything else. Nope, it kills all active states. They all go into basically expired mode and all have to be reestablished, which does mean when you first do it (and it should work now) it sometimes takes a second; I've had the page pause a little bit because of some stale connections when you go back and forth. But it does actively kill all sessions, TCP and UDP related, and isolates this exactly as expected, which is really important, especially if you're in that panic mode of "something's attacking this computer" or "someone has gotten access to the system; let me just lock it down really quick." So those are my thoughts on Huntress here in March of 2022. It's a product we've been using for years and plan to continue using.
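Added example (not from the video or from Huntress): a PowerShell watcher that formalises the timestamped Test-Connection loop used in the isolation demo above. It probes the LAN gateway and a public address once a second, records every reachability change with a timestamp so the isolation delay can be read off, and flags a "partial" state, since proper isolation should cut the LAN and the internet together. The gateway address is the demo's; the public IP and the 120-second window are assumptions.

```powershell
# Added example: log reachability state changes while "Isolate Host" is clicked in the
# Huntress console, so the time to isolation (about 15-20 s in the demo) and the time
# to release can be measured. Not Huntress code.
param(
    [string]$Gateway  = '192.168.40.1',   # LAN gateway used in the demo
    [string]$Internet = '1.1.1.1',        # any always-reachable public IP (assumed)
    [int]$Seconds     = 120               # how long to keep watching
)

function Test-Reach([string]$Target) {
    # One ICMP probe; -Quiet returns $true/$false instead of reply objects.
    # Windows PowerShell 5.1 waits a few seconds on a failed probe, so loop
    # iterations stretch while the host is cut off; the timestamps stay honest.
    Test-Connection -ComputerName $Target -Count 1 -Quiet -ErrorAction SilentlyContinue
}

function Get-State([bool]$Gw, [bool]$Net) {
    if ($Gw -and $Net)           { return 'online'   }
    if (-not $Gw -and -not $Net) { return 'isolated' }
    return 'partial'   # LAN cut but internet up, or vice versa: not full isolation
}

$transitions = @()
$state = $null
$since = Get-Date

for ($i = 0; $i -lt $Seconds; $i++) {
    $now = Get-Date
    $new = Get-State (Test-Reach $Gateway) (Test-Reach $Internet)
    # Host-side count of established TCP sessions, to compare with the pfSense
    # state table the demo watched; the local table may lag the firewall's view.
    $tcp = (Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
            Measure-Object).Count
    if ($new -ne $state) {
        $held = if ($state) { [int]($now - $since).TotalSeconds } else { 0 }
        $transitions += [pscustomobject]@{
            Time = $now.ToString('HH:mm:ss'); From = $state; To = $new; PrevStateHeldSec = $held
        }
        Write-Host ("{0}  {1,-8} -> {2,-8} established TCP: {3}" -f
            $now.ToString('HH:mm:ss'), $state, $new, $tcp)
        $state = $new
        $since = $now
    }
    Start-Sleep -Seconds 1
}

# The seconds between the console's "isolation scheduled" time and the
# 'online -> isolated' row below is the isolation delay; 'isolated -> online'
# marks the release taking effect.
$transitions | Format-Table -AutoSize
if ($transitions.To -contains 'partial') {
    Write-Warning "Saw a partial state: LAN and internet did not go down together."
}
```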
That being said, even if you're not interested in this product, if you are interested in cybersecurity, I highly recommend joining their Tradecraft Tuesdays; join those events, look at the different things that Huntress puts on, and read through the reports they have on their blog. No membership required; you can just go through and read them. Their insight into what's going on in the small business and MSP market space is really interesting. Their write-ups are very technical, so you understand exactly how threat actors are doing what they do. So just from a cybersecurity learning standpoint, I love that they publish all this very freely, because there are plenty of independent researchers doing things, but as a company, they do a lot of great work publishing it out there and encouraging others to participate. Because ultimately, it's not that any of these companies should keep any of this data secret; the better we share all this intelligence about how threat actors are exploiting things, the better we get at defending against them. So even if you're not a Huntress customer, as I said, I think it's just pretty cool to go through and read all the technical reports they have. As I said, that's even how I met them: it was like, wow, these people really have some good insight into what's going on and are willing to publish all of it and talk about it, which, you know, really piques my interest. Hopefully it piques a lot of your interest as well; it's definitely a fun topic. All right, leave comments down below, or have a more in-depth discussion over on my forums. Thanks, and thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon.
If you'd like to hire us for a short project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page, where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums: forums.lawrencesystems.com is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.