AC-Hunter Features

Features of AC-Hunter

AC-Hunter Highlights:

  • Our core focus is identifying compromised systems calling home to their command and control servers
  • We’ve automated and streamlined the techniques used by the best pentesters and threat hunters in the industry
  • When a backdoor is identified, AC-Hunter can alert you via Slack, the SIEM of your choice or a centralized logging server
  • There are no agents to install. AC-Hunter can equally protect desktops, servers, network hardware, and IoT devices
  • We have been awarded over 24 patents for our software

The AC-Hunter Dashboard

Start focusing your valuable time on the systems that need your expertise with AC-Hunter.

You no longer need to dig through millions of log entries to identify suspect systems. We are now doing the first pass of the threat hunt for you and providing a threat score for each of your internal systems. The higher the score, the more likely the system has been compromised. All in a single easy-to-read dashboard.

We also identify what specific threat activity was observed that generated the score. Any of these flagged systems can be researched in depth using other modules within AC-Hunter.

AC-Hunter Prioritizes and Color Codes Your Systems to Identify Which Ones Are Most Likely Compromised.

Simply Start at the Top of the List.

AC-Hunter detects malware by targeting its network communications. Rather than analyzing the host itself, where malware writers can leverage a wide range of evasion techniques.

AC-Hunter scrutinizes your network traffic for signs of a compromised system. It does not matter if the data is encrypted or using non-standard communication ports nor does it matter if the compromised system is running Windows, Mac OSX, Linux or running on an appliance.

AC-Hunter can sort through millions of network connections and produce an action item list of the system most likely to be compromised.

A System Frequently Calling Home to a Command and Control Server Is a Clear Indication of a Compromise.

Want to dig into the details of the communication session to understand what makes it suspicious? AC-Hunter provides a wealth of information to support your threat hunting activities. For example, one telltale sign of a compromise is a system that frequently communicates out to an attacker’s command and control (C&C) server.

AC-Hunter produces easy to read graphs to make this activity stand out from your normal network traffic.

AC-Hunter Analyzes a Number of Communication Traits to Identify the Likelihood That a System Has Been Compromised.

AC-Hunter uses 24 patented processes to analyze timing and data size characteristics.

AC-Hunter will quickly segregate normal communications from malicious communications. If you choose, you can manually review the data. This is not a requirement, as AC-Hunter will automatically show you which of your systems are behaving badly.

Beacons Module

Today’s advanced backdoors are extremely hard to detect. Simple signature detection cannot detect encrypted and malleable Command and Control (C2) sessions.

Rather than focus on signatures for known bad actors, AC-Hunter detects consistencies and patterns in the behavior of backdoors. How? It utilizes a mixture of detection techniques that rely on attributes like an interval of connections, data size, dispersion, and advanced algorithms.

But using only one way to detect advanced backdoors is not an effective detection strategy. All the attacker would have to do is change one aspect of the C2 traffic to avoid detection. To address this, we allow the analyst to filter and re-sort the criteria they are looking at on the fly!


AC-Hunter can send log entries to Slack or any Syslog compatible system (Splunk, Arcsight, QRadar, Sumo Logic, etc).

Alerts tend to fall into one of two categories, either they trigger constantly (in which case you learn to ignore them) or they are extremely cryptic (in which case you don’t understand that they need to be investigated).

We alert on systems that have a consistently increasing threat score. So if you see that the threat score for a system is increasing 20% or more every few hours, it’s a strong indication that the system has been compromised and requires investigation.

Deep Dive Module

Ever have the need to look deeper at a system? Sure, there may be something interesting, but what about the whole picture?

AC-Hunter has the ability to show a total snapshot of a host in one view, and allows you to dive deeper into the different endpoints and protocols used by that host.

Because sometimes you just have to dig in.

Long Connections Module

Rather than calling home on a regular basis, attackers may try to simply call home and leave the connection open indefinitely. To spot this traffic, you can use our long connections module.

Most legitimate connections run for one hour or less. By tracking down connections that remain active for many hours or even many days, you can quickly spot suspicious activity.

Threat Intel Module

The Threat Intel module identifies when known-to be-compromised systems are communicating with hosts on your internal network. We aggregate results from multiple threat intelligence feeds so that you have a single interface to spot highly suspect activity.

DNS Module

DNS C2 is one of the most common means for attackers to exploit highly-secure environments. For most organizations, DNS is a required protocol and it is usually between two trusted endpoints. For example, most DNS traffic will use a Domain Controller or use “trusted” DNS providers like Google.

We detect this by looking at the number of subdomains per domain and will flag suspicious quantities. AC-Hunter easily identifies excessive sub-domains.

User Agent Module

The user agent field identifies the operating system, browser and plug-ins used to create an HTTP connection.

Since most environments standardize their platforms (Example: Windows 10 using Chrome), unique user agent values can be an indication of unexpected software communicating on your network.

Whitelist Module

AC-Hunter lets you quickly whitelist known-to-be-safe communications.

There may be times AC-Hunter flags a communication as suspicious, which you actually know is legitimate. For example, you may have your systems configured to verify their time to a customized time server.

AC-Hunter makes it easy to set up exceptions for these systems so they no longer appear in the final report. Whitelists can be created based on IP address, autonomous system numbers (ASN) or company name.