The Endpoint Scanner is currently available for Windows. macOS and Linux versions coming soon.
Executing the endpoint scanner with your EDR:
- Executing the endpoint scanner script with SentinelOne
- Executing the endpoint scanner script with CrowdStrike
What is Intezer’s Live Endpoint Scanner?
Intezer’s Live Endpoint Scanner is a unique feature that scans the memory of your machine to help find traces of advanced in-memory threats such as malicious code injections, packed and fileless malware, or any unrecognized code. To learn more about this feature, see Conduct Live Endpoint Analysis.
When should you use the Live Endpoint Scanner?
We recommend executing the scanner on hosts within your organization:
1. During Incident Response, to check for fileless threats in memory. If you are using Intezer's EDR integration, Intezer will recommend scanning for fileless threats in certain cases, such as alerts involving suspicious scripts, suspicious behavior, or potential fileless threats.
2. During the Incident Response process, when assessing the scope of an incident by scanning additional endpoints.
3. During proactive hunting, by periodically scanning machines within the organization for infections.
How do you run the Live Endpoint Scanner?
Intezer utilizes the remote scripting capabilities available in the EDRs (SentinelOne's RSO and CrowdStrike's RTR) and doesn't require any installation. We provide a PowerShell script that is compatible with both EDRs. The script downloads Intezer’s Endpoint Scanner executable to a temporary directory on the suspicious endpoint, executes it, and then deletes it from the endpoint.
Required network access
- analyze.intezer.com:443
- intezerfiles.blob.core.windows.net:443
- crl.godaddy.com:80
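The download-run-delete flow described above, preceded by a preflight check of the three hosts just listed, as an added illustrative PowerShell example. This is not Intezer's intezer_endpoint_scanner.ps1 and does not describe that script's internals; the download URL, the expected signer subject and the INTEZER_API_KEY environment variable are placeholders and assumptions, because the page does not document them.

```powershell
# Added example: a hardened download-verify-run-cleanup pattern.
# NOT Intezer's script. $ScannerUrl, $ExpectedSigner and the
# INTEZER_API_KEY variable are placeholders; the page gives none of them.
param(
    [Parameter(Mandatory = $true)][string]$ApiKey,
    [string]$ScannerUrl     = 'https://intezerfiles.blob.core.windows.net/<PLACEHOLDER-PATH>/scanner.exe',
    [string]$ExpectedSigner = 'CN=<PLACEHOLDER-PUBLISHER>'
)

$ErrorActionPreference = 'Stop'

# 1. Preflight: the hosts listed under "Required network access" must be reachable,
#    otherwise the download, the certificate chain checks or the result upload will fail.
$required = @(
    @{ Host = 'analyze.intezer.com';                Port = 443 },
    @{ Host = 'intezerfiles.blob.core.windows.net'; Port = 443 },
    @{ Host = 'crl.godaddy.com';                    Port = 80  }
)
foreach ($r in $required) {
    $reachable = Test-NetConnection -ComputerName $r.Host -Port $r.Port `
                     -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $reachable) { throw "Egress to $($r.Host):$($r.Port) is blocked; the scanner cannot run." }
}

# 2. A unique temp directory so concurrent runs cannot collide and the path cannot be pre-planted.
$tmpDir  = Join-Path $env:TEMP ('intezer-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $tmpDir | Out-Null
$exePath = Join-Path $tmpDir 'scanner.exe'

try {
    # 3. Download over TLS; Invoke-WebRequest validates the server certificate by default.
    Invoke-WebRequest -Uri $ScannerUrl -OutFile $exePath -UseBasicParsing

    # 4. Verify the Authenticode signature BEFORE anything is executed.
    #    'Valid' means the signature and its certificate chain verified; chain building
    #    is what may need the CRL host listed above. Also pin the expected publisher.
    $sig = Get-AuthenticodeSignature -FilePath $exePath
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to run: signature status is '$($sig.Status)'."
    }
    if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
        throw "Refusing to run: unexpected signer '$($sig.SignerCertificate.Subject)'."
    }

    # 5. Hand the API key to the child through a process-scoped environment variable
    #    (hypothetical name) instead of the command line, so it does not appear in
    #    process-creation telemetry. The real scanner's interface is not on this page.
    $env:INTEZER_API_KEY = $ApiKey
    $proc = Start-Process -FilePath $exePath -Wait -PassThru -NoNewWindow
    "Scanner exit code: $($proc.ExitCode)"
}
finally {
    # 6. Always clean up, whether verification or execution succeeded or failed.
    Remove-Item -Path $tmpDir -Recurse -Force -ErrorAction SilentlyContinue
    Remove-Item Env:\INTEZER_API_KEY -ErrorAction SilentlyContinue
}
```

Run it once interactively (`.\example.ps1 -ApiKey '<YOUR-API-KEY>'`) against a test host before wiring anything into an EDR script library. The three properties worth confirming in whatever script you actually deploy are the ones the example makes explicit: the binary is signature-checked before it runs, the temporary directory is removed in a `finally` block even on failure, and the API key is not left on the endpoint or echoed into logs.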
Quick Start
SentinelOne
Script installation
- Go to Automation in the main menu
- Click on the Script Library tab
- Download the script from https://github.com/intezer/EDRConnectDeployment/blob/main/intezer_endpoint_scanner.ps1
- Click on the Upload New Script button and fill in the following fields:
- Name: “Run Intezer Endpoint Scanner”
- OS Type: Windows
- Script Type: Action
- Upload Script: upload the script
- Check “Input is Required”
- Input instruction: Provide Intezer API key
- Input Example: “api_key”
Script update
Remove the script and follow the same instructions as for the installation.
Manual script execution
There are multiple ways to run the script:
- In the Forensic details, click Actions > Run Script
- In Automation, click the Script Library tab and select a script to run
- In Sentinels > Endpoints, select one or more Agents. Click Actions and select Run Script.
Consult the SentinelOne documentation, under Running a Script, for more details.
All analysis results are listed on your history page: https://analyze.intezer.com/history?tab=endpoint
CrowdStrike
Script installation
- Go to Host setup and management > Response scripts and files
- Click Create a script
- Script Name: Run Intezer Endpoint Scanner
- Script Type: PowerShell
- (Optional) Check Share with workflow if you wish to use this script in a workflow (requires the RTR Administrator permission)
- Copy the script content from https://github.com/intezer/EDRConnectDeployment/blob/main/intezer_endpoint_scanner.ps1 and paste it in the Script tab
- Click on the Input Schema and paste the following JSON schema:
{
  "$schema": "https://json-schema.org/draft-07/schema",
  "properties": {
    "api_key": {
      "type": "string"
    }
  },
  "required": [
    "api_key"
  ],
  "type": "object"
}
- Click Create
Script update
- Go to Host setup and management > Response scripts and files
- Click the edit button in the Actions column
- Update the content of the script
- Click Update
Manual script execution
- Connect to any host using the Real Time Response module
- Type:
runscript -CloudFile="Run Intezer Endpoint Scanner" -CommandLine="<YOUR-API-KEY>" --Timeout=1800
- The endpoint scan results appear in Intezer at https://analyze.intezer.com/history?tab=endpoint