System Forensics Simplified

Finding a Threat is a straightforward task in AC-Hunter; we’ve worked hard to pull in the relevant facts so you don’t have to. Once you’ve found a likely Threat, however, the next step is inspecting the suspect system, and that has traditionally meant leaving the hunting tool and going to the machine itself.

Because this happens so often, we wanted to make this step simple as well. When you’re investigating a Threat, you can switch over to BeaKer to see the name of the Windows system, the process that created the connections, and the user account that process ran under. Together these quickly give you a picture of whether the traffic is benign, malicious, or needs more investigation.
Let’s take a look at an example.


Example Threat

As part of working with AC-Hunter, you come across beacon-like behavior from one of your systems to an unknown host on the Internet (which happens to be a cloud server):

The traffic is coming from The next step is to look at that internal system to see what program is generating hundreds of beacons an hour. To do this, you click on the BeaKer icon indicated by the arrow in the above picture.


System Forensics – Without Leaving Your Seat!

Your browser will open a new tab with this display:

Kibana has been filtered to show only traffic between these two IP addresses during the time window in question – see the blue ovals.

Further down on the display we get some additional information in the red ovals: the hostname of the machine, the program generating the traffic, the user account that program runs under, and how many connections were generated. In this example, Benjamin Sisko works in Finance and has no legitimate reason to be running powershell on his Windows system, let alone more than 19,000 times!

These few pieces of information are just what we need to conclude that the traffic we saw in AC-Hunter is likely malicious and needs follow-up. Benjamin may have malware running on his system that needs attention.


BeaKer Details

In the above example, BeaKer runs as part of AC-Hunter. When you perform the install, you get an additional set of services (Elasticsearch and Kibana are loaded onto either the AC-Hunter server or a separate machine if load requires). These accept network connection records sent by an agent that runs on your Windows systems. The agent keeps sending this connection data continuously, so when you need to look up the details behind a connection, they are already waiting for you.
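To make the pivot from the screenshots concrete, here is an added example (not code from the original post, and not BeaKer’s own code) that does what the Kibana view above does: restrict the agent’s connection records to one source/destination pair and one time window, then count connections per host, process and user account, and mark rows whose process is an interpreter or admin tool a business user would rarely run. The field names (host.name, process.executable, user.name, source.ip, destination.ip, @timestamp), the sample events, the hostname and the addresses are all assumptions constructed for the example; adjust the field names to whatever your index mapping actually uses.

```python
# Added example (not part of the original post or of BeaKer's own code).
# Reproduces the pivot shown in the Kibana screenshot as a direct query:
# restrict to one source/destination pair and time window, then count
# connections per host, process and user.
#
# Assumed (not stated on the page): the agent's records use ECS-style field
# names host.name, process.executable, user.name, source.ip, destination.ip
# and @timestamp, flattened here to dotted keys. Adjust to your mapping.
from collections import Counter
from datetime import datetime
from pathlib import PureWindowsPath

HOST, PROC, USER = "host.name", "process.executable", "user.name"
SRC, DST, TS = "source.ip", "destination.ip", "@timestamp"

# Constructed sample events; addresses are RFC 5737 documentation ranges.
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
WINDOW_START = "2020-06-01T13:00:00Z"
WINDOW_END = "2020-06-01T14:00:00Z"


def _event(ts, proc, dst="203.0.113.10", user="bsisko"):
    return {TS: ts, HOST: "FIN-WS01", PROC: proc, USER: user,
            SRC: "10.0.5.25", DST: dst}


SAMPLE_EVENTS = [
    _event("2020-06-01T13:00:05Z", POWERSHELL),
    _event("2020-06-01T13:00:10Z", POWERSHELL),
    _event("2020-06-01T13:00:15Z", POWERSHELL),
    _event("2020-06-01T13:20:00Z", CHROME),                      # same pair, browser
    _event("2020-06-01T12:59:00Z", POWERSHELL),                  # outside the window
    _event("2020-06-01T13:30:00Z", CHROME, dst="203.0.113.99"),  # other destination
]


def _parse(ts):
    """Parse an ISO 8601 timestamp; tolerate a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def build_query(src_ip, dst_ip, start, end):
    """Elasticsearch query DSL for the same filter Kibana applied in the
    screenshot, plus a terms aggregation giving host/process/user counts."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {SRC: src_ip}},
            {"term": {DST: dst_ip}},
            {"range": {TS: {"gte": start, "lte": end}}},
        ]}},
        "aggs": {"by_host": {"terms": {"field": HOST}, "aggs": {
            "by_process": {"terms": {"field": PROC}, "aggs": {
                "by_user": {"terms": {"field": USER}}}}}}},
    }


def summarize(events, src_ip, dst_ip, start, end):
    """Apply the filter locally and return {(host, process, user): count}."""
    lo, hi = _parse(start), _parse(end)
    counts = Counter()
    for e in events:
        if e[SRC] != src_ip or e[DST] != dst_ip:
            continue
        if not lo <= _parse(e[TS]) <= hi:
            continue
        counts[(e[HOST], e[PROC], e[USER])] += 1
    return dict(counts)


# Interpreters and admin tools that are rarely legitimate beacon sources on a
# business-user workstation; a starting watchlist, not a verdict.
WATCHLIST = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
             "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def triage(summary, watchlist=WATCHLIST):
    """Return rows, busiest first, marking those whose process is on the
    watchlist. The analyst still decides whether this user should be running
    that program at all (the Finance-user-running-powershell judgement)."""
    rows = []
    for (host, proc, user), n in summary.items():
        flagged = PureWindowsPath(proc).name.lower() in watchlist
        rows.append({"host": host, "process": proc, "user": user,
                     "connections": n, "watchlist_hit": flagged})
    return sorted(rows, key=lambda r: r["connections"], reverse=True)


if __name__ == "__main__":
    import json
    print(json.dumps(build_query("10.0.5.25", "203.0.113.10",
                                 WINDOW_START, WINDOW_END), indent=2))
    for row in triage(summarize(SAMPLE_EVENTS, "10.0.5.25", "203.0.113.10",
                                WINDOW_START, WINDOW_END)):
        print(row)
```

On the constructed sample, the powershell.exe row (three connections, watchlist hit) sorts to the top, the browser row sits below it unflagged, and the events outside the window or to a different destination are dropped, which is exactly the narrowing the blue and red ovals represent. Against a live index you would send build_query()’s output to the _search endpoint instead of filtering locally; the aggregation returns the same host/process/user buckets.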

As part of our ongoing commitment to free and open-source software, we’ve made both BeaKer and the BeaKer Windows agent open source.
