Skip to main content

Set Up Live Endpoint Scanner Script in Your EDR

  • Updated

The Endpoint Scanner is a capability for enterprise accounts using Intezer Autonomous SOC. It is currently available for Windows, with macOS and Linux versions are coming soon.

Executing the endpoint scanner with your EDR:

What is Intezer's Live Endpoint Scanner?

The Live Endpoint Scanner is a unique feature of Intezer Autonomous SOC that scans your machine's memory to help find any traces of advanced in-memory threats such as malicious code injections, packed and fileless malware, or any unrecognized code.

You can learn more about the scanner on Conduct Live Endpoint Analysis.

 

When should you use the Live Endpoint Scanner? 

We recommend executing the scanner on hosts within your organization:

1. During incident response, to check for in-memory or fileless threats. If you connected your EDR, Intezer would recommend scanning for fileless threats in some instances, such as suspicious scripts, behavior, or potential fileless threats. 

2. During incident response, when you assess an incident's scope by scanning additional endpoints.

3. For proactive hunting, occasionally scan for infected machines within the organization. 

 

How do you run the Live Endpoint Scanner? 

Intezer utilizes the remote scripting capabilities available in the EDRs (SentinelOne's RSO and CrowdStrike's RTR) and doesn't require any installation. We provide a PowerShell script that is compatible with the EDRs. The script downloads Intezer's Endpoint Scanner executable to a temporary directory on the suspicious endpoint, executes it and then deletes it from the endpoint.

 

Where can I find my Intezer API key?

Browse to https://analyze.intezer.com/account-details

 

Required network access

Your machine should have direct network access to the following addresses:
  • analyze.intezer.com:443
  • intezerfiles.blob.core.windows.net:443
  • crl.godaddy.com:80

 

Quick Start

SentinelOne

Script installation

  1. Go to Automation in the main menu
  2. Click on the Remote Ops tab
  3. Download the script from https://github.com/intezer/EDRConnectDeployment/blob/main/intezer_endpoint_scanner.ps1.
  4. Click on the Upload New Script button, and fill out the following Script Details and click Next:
    1. Name: Run Intezer Endpoint Scanner
    2. Script Type: Action
    3. OS Type: Windows
      upload-new-script-1.png
    4.  Upload the script downloaded in the previous step and click Next
    5. Fill out the following Script Settings and click Next:
      1. Script Execution Timeout: 1800
      2. Input is Required (Checkbox): True
      3. Input Instructions: Provide Intezer API key
      4. Input Example: api-key
        script-settings.png
    6. Review Summary and click Submit

To allow automatic Live Endpoint Scanner to be triggered by Intezer:

  1. Make sure that the Intezer Integration role has the following permissions:
    • RemoteOps > View
    • Run Scripts > Run Action Script
  2. Go to Automation > Remote Settings and verify that Enable approval thresholds is Disabled (if enabled it could prevent from Intezer to automatically execute the Live Endpoint Scanner Script)
    remote-settings.png

 

Common Questions

 

Script update

Remove the script and follow the same instruction as the install.

 

Manual script execution

There are multiple ways to run the script:

  1. In the Threat overview page, click Actions > Run Script
  2. In Automation, click the Remote Ops tab and select a script to run
  3. In SentinelsEndpoints, choose one or more endpoints. Click Actions > Response > Run Script.

 

Consult SentinelOne documentation under Running a Script for more details.

All analysis results are listed on your history page https://analyze.intezer.com/history?tab=endpoint

 

CrowdStrike

There are 2 options to setup, one with CrowdStrike's custom script feature and one with CrowdStrike's executable feature ("put" files). We recommend setting both methods.

Script installation (option 1)

  1. Go to Host setup and management > Response scripts and files, under Custom scripts tab, click Create script
  2. Fill out the following details:
    1. Script Name: Run Intezer Endpoint Scanner
    2. Script Type: PowerShell
    3. Script access: Users with the role of RTR Administrator or RTR Active Responder
    4. Share script with workflows: Optional - Set this checkbox if you wish to use this script in a workflow
  3. Copy the script content from https://github.com/intezer/EDRConnectDeployment/blob/main/intezer_endpoint_scanner.ps1 and paste it into the Script tab
    cs-create-script.png
  4. If Share script with workflows is selected, go to the Input schema tab and paste the following JSON schema:
    {
  "$schema": "https://json-schema.org/draft-07/schema",
  "properties": {
    "api_key": {
      "type": "string"
    }
  },
  "required": [
    "api_key"
  ],
  "type": "object"
}
  5. Click Create

Script update

  1. Go to Host setup and management > Response scripts and files
  2. Select the script and click on the Edit script button
  3. Update the script content
  4. Click Save

Executable installation (Option 2):

  1. Go to Host setup and management > Response scripts and files, under "put" files tab, click Upload file
  2. Fill out the following details:
    1. Upload the Intezer Scanner executable. You can download it from here
    2. Name: IntezerScanner.exe
  3. Click Upload

Crowdstrike put file.png

Executable update:

Intezer updates the Scanner from time to time. To update the executable, delete the old entry and upload a new one.

Common Questions

Executing the scanner on quarantined hosts

Add the list of IPs to the allowlist under Host setup and management > Containment policy:

  • [dns-server-ip] (you can get it using ipconfig /all)
  • 20.60.27.196/32
  • 168.63.129.16/32
  • 20.60.130.228
  • 20.50.210.201
  • 192.124.249.41
  • 192.124.249.31
  • 192.124.249.36

Manual script execution

  1. Connect to any host using the Real-Time-Response module
  2. Type runscript -CloudFile="Run Intezer Endpoint Scanner" -CommandLine="<YOUR-API-KEY>" --Timeout=1800
  3. You should see the endpoint scan results in Intezer at https://analyze.intezer.com/history?tab=endpoint.

Screenshot_2022-08-03_at_12.33.37_PM.png

 

Manual executable execution

  1. Connect to any host using the Real-Time-Response module
  2. Type put-and-run "IntezerScanner.exe" -CommandLine="<YOU-API-KEY>"

Microsoft Defender for Endpoints

Script installation

  1. Download the script from Intezer's repository.
    github-download-raw-file.png
  2. In Microsoft Defender go to Assets > Devices and choose one of the endpoints you want to scan
    mde-devices-menu.png
  3. Click on More actions on the top right and choose Initiate Live Response Session
    mde-initiate-live-response.png
  4. Click on Upload file to library and fill up the following fields:
    mde-upload-file-to-library-button.png
    1. choose the script downloaded in the previous step
      • Notice: the file name should remain intezer_endpoint_scanner.ps1
         
    2. Set the following Script description: Intezer Endpoint Scanner
    3. Check both Overwrite file and Script parameters checkboxes
    4. Set the following Parameters description:api_key (this is the actual parameter and not the value)
      mde-upload-file-to-library-form.png
  5. Click Confirm

Manual script execution

  1. In Microsoft Defender click on Assets\Devices and choose one of the endpoints you want to scan
  2. In the command console, run the command run intezer_endpoint_scanner.ps1 {API_Key}

Common Questions

Return to top