The Endpoint Scanner is a capability for enterprise accounts using Intezer Autonomous SOC. It is currently available for Windows; macOS and Linux versions are coming soon.
Executing the endpoint scanner with your EDR:
- Executing the endpoint scanner script with SentinelOne
- Executing the endpoint scanner script with CrowdStrike
- Executing the endpoint scanner script with Microsoft Defender for Endpoints
- Executing the scanner on quarantined hosts
What is Intezer's Live Endpoint Scanner?
The Live Endpoint Scanner is a unique feature of Intezer Autonomous SOC that scans your machine's memory to help find any traces of advanced in-memory threats such as malicious code injections, packed and fileless malware, or any unrecognized code.
You can learn more about the scanner on Conduct Live Endpoint Analysis.
When should you use the Live Endpoint Scanner?
We recommend executing the scanner on hosts within your organization:
1. During incident response, to check for in-memory or fileless threats. If you have connected your EDR, Intezer will recommend an endpoint scan in some cases, such as suspicious scripts, suspicious behavior, or a potential fileless threat.
2. During incident response, when you assess an incident's scope by scanning additional endpoints.
3. For proactive hunting, occasionally scan for infected machines within the organization.
How do you run the Live Endpoint Scanner?
Intezer utilizes the remote scripting capabilities available in the EDRs (SentinelOne's RSO and CrowdStrike's RTR) and doesn't require any installation. We provide a PowerShell script that is compatible with the EDRs. The script downloads Intezer's Endpoint Scanner executable to a temporary directory on the suspicious endpoint, executes it and then deletes it from the endpoint.
Where can I find my Intezer API key?
Browse to https://analyze.intezer.com/account-details
Required network access
- analyze.intezer.com:443
- intezerfiles.blob.core.windows.net:443
- crl.godaddy.com:80
Quick Start
SentinelOne
Script installation
- Go to Automation in the main menu
- Click on the Script Library tab
- Download the script from https://github.com/intezer/EDRConnectDeployment/blob/main/intezer_endpoint_scanner.ps1.
- Click on the Upload New Script button, and fill out the following fields:
- Name: "Run Intezer Endpoint Scanner"
- OS Type: Windows
- Script Type: Action
- Upload Script: upload the script
- Check "Input is Required"
- Input instruction: Provide Intezer API key
- Input Example: "api_key"
Script update
Remove the script and follow the same instructions as for installation.
Manual script execution
There are multiple ways to run the script:
- In the Forensic details, click Actions > Run Script
- In Automation, click the Script Library tab and select a script to run
- In Sentinels > Endpoints, choose one or more Agents. Click Actions and choose Run Script.
Consult the SentinelOne documentation under Running a Script for more details.
All analysis results are listed on your history page https://analyze.intezer.com/history?tab=endpoint
CrowdStrike
Script installation
- In Host setup and management, under Response scripts and files
- Click Create a script
- Script Name: Run Intezer Endpoint Scanner
- Script Type: Powershell
- (Optional) Check Share with workflow if you wish to use this script in a workflow (requires RTR Administrator permission)
- Copy the script content from https://github.com/intezer/EDRConnectDeployment/blob/main/intezer_endpoint_scanner.ps1 and paste it into the Script tab
- Click on the Input Schema and paste the following JSON schema:
{
  "$schema": "https://json-schema.org/draft-07/schema",
  "properties": {
    "api_key": {
      "type": "string"
    }
  },
  "required": [
    "api_key"
  ],
  "type": "object"
}
- Click Create
Executing the scanner on quarantined hosts
Add the following IPs to the allowlist under "Host setup and management" > "Containment policy":
- [dns-server-ip] (the DNS server the host uses; you can find it with ipconfig /all)
- 20.60.27.196/32
- 168.63.129.16/32
- 20.60.130.228
- 20.50.210.201
- 192.124.249.41
- 192.124.249.31
- 192.124.249.36
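Before running the scanner on a host, particularly a quarantined one, it is worth confirming that the host can actually reach the three endpoints listed under Required network access and knowing which DNS server must be allowlisted in the containment policy. The following PowerShell pre-flight check is an added example, not part of Intezer's script; it assumes a Windows 8 / Server 2012 or later host (for Test-NetConnection and Get-DnsClientServerAddress) and uses only the hosts and ports stated on this page.

```powershell
# Added pre-flight check (not Intezer's code): verifies the scanner's required
# network access and lists the DNS servers to allowlist on quarantined hosts.
$RequiredEndpoints = @(
    @{ Host = 'analyze.intezer.com';                Port = 443 },
    @{ Host = 'intezerfiles.blob.core.windows.net'; Port = 443 },
    @{ Host = 'crl.godaddy.com';                    Port = 80  }
)

function Test-IntezerScannerAccess {
    [CmdletBinding()]
    param([array]$Endpoints = $RequiredEndpoints)

    # One TCP connect per host:port; -InformationLevel Quiet returns $true/$false.
    $results = foreach ($ep in $Endpoints) {
        $ok = Test-NetConnection -ComputerName $ep.Host -Port $ep.Port `
              -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $ep.Host; Port = $ep.Port; Reachable = [bool]$ok }
    }
    return $results
}

function Get-DnsServersToAllowlist {
    # The IPv4 DNS servers this host resolves through; these are the
    # [dns-server-ip] entries for the CrowdStrike containment policy allowlist.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object { $_.ServerAddresses } |
        Sort-Object -Unique
}

$access = Test-IntezerScannerAccess
$access | Format-Table -AutoSize

$blocked = $access | Where-Object { -not $_.Reachable }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.Host):$($_.Port)" }) -join ', '
    Write-Warning "Scanner download or upload will fail; blocked: $list"
}

Write-Host 'DNS servers to allowlist for quarantined hosts:'
Get-DnsServersToAllowlist | ForEach-Object { Write-Host "  $_/32" }
```

Run it through the same EDR remote shell (RSO, RTR or Live Response) you will use for the scanner, so the check reflects the containment policy actually applied to that host.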
Script update
- In Host setup and management, under Response scripts and files
- Click on the edit button under the Actions column
- Update the content of the script
- Click Update
Manual script execution
- Connect to any host using the Real-Time-Response module
- Run the following command:
  runscript -CloudFile="Run Intezer Endpoint Scanner" -CommandLine="<YOUR-API-KEY>" --Timeout=1800
- You should see the endpoint scan results in Intezer at https://analyze.intezer.com/history?tab=endpoint.
Microsoft Defender for Endpoints
Script installation
- Download the script from Intezer's repository.
- In Microsoft Defender click on Assets\Devices and choose one of the endpoints you want to scan
- Click on More Actions on the top right and choose Initiate Live Response Session
- Click on Upload file to library and choose the script
- In the command console, run the following commands:
- putfile intezer_endpoint_scanner.ps1
- run intezer_endpoint_scanner.ps1 {API_Key}