System Forensics Simplified
Finding a Threat is a straightforward task in AC-Hunter; we’ve worked hard to pull in the relevant facts so you don’t have to. Unfortunately, once you’ve found a likely Threat, the next step is inspecting the suspect system.
Because this happens so often, we wanted to make this simple as well. When you’re investigating a Threat, you can switch over to BeaKer to see the name of the Windows system, the process that created the connections, and the user account under which that process ran. These should quickly give you a picture of whether the traffic is benign, malicious, or needs more investigation.
Let’s take a look at an example.
As part of working with AC-Hunter, you come across beacon-like behavior from one of your systems to an unknown host on the Internet (which happens to be a cloud server):
The traffic is coming from 192.168.99.54. The next step is to look at that internal system to see what program is generating hundreds of beacons an hour. To do this, you click on the BeaKer icon indicated by the arrow in the above picture.
System Forensics – Without Leaving Your Seat!
Your browser will open a new tab with this display:
Kibana has been told to only show information about traffic between these two IP addresses for the time in question – see the blue ovals.
Further down on the display we get some additional information in the red ovals: the hostname of the machine, the program generating the traffic, the user account under which that program is run, and how many connections were generated. In this example, Benjamin Sisko works in Finance and has no legitimate reason to be running powershell on his Windows system, let alone more than 19,000 times!
These few pieces of information are just what we need to identify that the traffic we saw in AC-Hunter is likely malicious and needs some follow-up. Benjamin may have some malware running on his system that needs attention.
In the above example, BeaKer runs as part of AC-Hunter. When you perform the install, you get an additional set of services (Elasticsearch and Kibana are loaded onto either the AC-Hunter server or a separate machine if load requires). These accept network connection information sent from your Windows systems by an agent that runs on them. The agent keeps sending over this connection data continuously, so when you need to look up details about a connection, it’s already waiting for you.
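The pivot described above (filter the agent's connection records down to one source/destination pair and time window, then summarize by host, program and user) can be expressed in a few lines. This is an added example, not BeaKer's or AC-Hunter's code; the record layout and field names are assumptions, and the events are constructed sample data.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample records, loosely modelled on what an endpoint agent
# might forward. Field names are an assumption, not BeaKer's real schema.
SAMPLE_EVENTS = [
    {"ts": "2021-03-01T10:00:05Z", "host": "FIN-WS-07", "user": "CORP\\bsisko",
     "process": "powershell.exe", "src_ip": "192.168.99.54", "dst_ip": "203.0.113.10"},
    {"ts": "2021-03-01T10:01:05Z", "host": "FIN-WS-07", "user": "CORP\\bsisko",
     "process": "powershell.exe", "src_ip": "192.168.99.54", "dst_ip": "203.0.113.10"},
    {"ts": "2021-03-01T10:02:05Z", "host": "FIN-WS-07", "user": "CORP\\bsisko",
     "process": "powershell.exe", "src_ip": "192.168.99.54", "dst_ip": "203.0.113.10"},
    # Same pair, but outside the investigation window: must be excluded.
    {"ts": "2021-03-01T13:00:00Z", "host": "FIN-WS-07", "user": "CORP\\bsisko",
     "process": "powershell.exe", "src_ip": "192.168.99.54", "dst_ip": "203.0.113.10"},
    # Same source host, different destination: normal browsing, excluded.
    {"ts": "2021-03-01T10:00:30Z", "host": "FIN-WS-07", "user": "CORP\\bsisko",
     "process": "chrome.exe", "src_ip": "192.168.99.54", "dst_ip": "198.51.100.8"},
    # A different workstation talking to the same cloud host: excluded.
    {"ts": "2021-03-01T10:00:40Z", "host": "ENG-WS-02", "user": "CORP\\jdax",
     "process": "svchost.exe", "src_ip": "192.168.99.77", "dst_ip": "203.0.113.10"},
]


def parse_ts(s):
    """Parse the agent's UTC timestamp (assumed ISO-8601 with a Z suffix)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def pivot_connections(events, src_ip, dst_ip, start, end):
    """Keep only records for src_ip -> dst_ip within [start, end] and count
    them per (host, process, user), most active first. This is the same
    summary the Kibana view shows: who ran what, on which box, how often."""
    counts = Counter()
    for ev in events:
        if ev["src_ip"] != src_ip or ev["dst_ip"] != dst_ip:
            continue
        if not (start <= parse_ts(ev["ts"]) <= end):
            continue
        counts[(ev["host"], ev["process"], ev["user"])] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


def connections_per_hour(count, start, end):
    """Normalize a count to a rate so beacons can be compared across windows."""
    hours = (end - start).total_seconds() / 3600
    return count / hours if hours > 0 else 0.0
```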
As part of our ongoing commitment to free and open-source software, we’ve made both BeaKer and the BeaKer Windows agent open source.