The Endpoint Scanner is a capability for enterprise accounts using Intezer Autonomous SOC. It is currently available for Windows; macOS and Linux versions are coming soon.
Executing the endpoint scanner with your EDR:
- Executing the endpoint scanner script with SentinelOne
- Executing the endpoint scanner script with CrowdStrike
- Executing the endpoint scanner script with Microsoft Defender for Endpoints
What is Intezer's Live Endpoint Scanner?
The Live Endpoint Scanner is a unique feature of Intezer Autonomous SOC that scans your machine's memory to help find any traces of advanced in-memory threats such as malicious code injections, packed and fileless malware, or any unrecognized code.
You can learn more about the scanner on Conduct Live Endpoint Analysis.
When should you use the Live Endpoint Scanner?
We recommend executing the scanner on hosts within your organization:
1. During incident response, to check for in-memory or fileless threats. If you have connected your EDR, Intezer will in some cases recommend a scan itself, for example when it observes suspicious scripts, suspicious behavior, or other indicators of a potential fileless threat.
2. During incident response, when you assess an incident's scope by scanning additional endpoints.
3. For proactive hunting, by occasionally scanning machines within the organization for signs of infection.
How do you run the Live Endpoint Scanner?
Intezer uses the remote scripting capabilities built into the EDRs (SentinelOne's RSO and CrowdStrike's RTR) and doesn't require any installation. We provide a PowerShell script that is compatible with these EDRs. The script downloads Intezer's Endpoint Scanner executable to a temporary directory on the suspicious endpoint, executes it, and then deletes it from the endpoint.
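The download, execute and delete flow described above, as an added illustration of the pattern with the checks a defender would want around it. This is not Intezer's intezer_endpoint_scanner.ps1: the download URL, the expected signer name and the way the API key is passed to the executable are placeholders and assumptions, since the page does not state them. What the example adds beyond the description is an Authenticode signature check before the binary runs and a finally block so the temporary file is removed even when the scan fails.

```powershell
# Added illustration (not Intezer's script): download -> verify -> execute -> delete.
# $ScannerUrl and $ExpectedSigner are PLACEHOLDERS; passing the API key as a
# command-line argument is an ASSUMPTION about the scanner's interface.
function Invoke-TempScanner {
    param(
        [Parameter(Mandatory)] [string] $ApiKey,
        [string] $ScannerUrl     = 'https://PLACEHOLDER.example.invalid/IntezerScanner.exe',
        [string] $ExpectedSigner = 'CN=PLACEHOLDER-PUBLISHER'
    )

    # Unique file name in the temp directory so concurrent runs do not collide.
    $exePath = Join-Path $env:TEMP ('scanner_{0}.exe' -f [guid]::NewGuid())

    try {
        # Older Windows PowerShell hosts default to SSL3/TLS1.0; require TLS 1.2.
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        Invoke-WebRequest -Uri $ScannerUrl -OutFile $exePath -UseBasicParsing

        # Refuse to run a binary whose signature is not valid or whose publisher
        # is not the one we expect (guards against a tampered or swapped download).
        $sig = Get-AuthenticodeSignature -FilePath $exePath
        if ($sig.Status -ne 'Valid') {
            throw "Signature check failed: $($sig.Status)"
        }
        if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
            throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
        }

        # Run synchronously and surface the exit code to the EDR console output.
        $proc = Start-Process -FilePath $exePath -ArgumentList @($ApiKey) -Wait -PassThru -NoNewWindow
        Write-Output "Scanner exit code: $($proc.ExitCode)"
        return $proc.ExitCode
    }
    finally {
        # Always remove the binary, whether the download, the check or the scan failed.
        if (Test-Path $exePath) {
            Remove-Item -Path $exePath -Force -ErrorAction SilentlyContinue
        }
    }
}

# The EDR consoles pass the script input as $args[0]:
# Invoke-TempScanner -ApiKey $args[0]
```

The signature check is the part worth keeping in any wrapper of this kind: an RTR or RSO script runs with high privileges on the endpoint, so the one thing it downloads and executes should be verified before it starts.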
Where can I find my Intezer API key?
Browse to https://analyze.intezer.com/account-details
Required network access
- analyze.intezer.com:443
- intezerfiles.blob.core.windows.net:443
- crl.godaddy.com:80
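A pre-flight connectivity check for the three hosts listed above, added here as an example and not part of Intezer's script. It uses Test-NetConnection (built into Windows PowerShell 4.0 and later) to confirm a TCP handshake on each required port from the endpoint, which is the quickest way to tell a proxy or egress-filtering problem apart from a scanner problem before a scan is launched.

```powershell
# Added pre-flight check (not part of Intezer's script). The host list is taken
# from the "Required network access" section above.
function Test-ScannerConnectivity {
    param(
        [hashtable[]] $Targets = @(
            @{ Host = 'analyze.intezer.com';                Port = 443 },
            @{ Host = 'intezerfiles.blob.core.windows.net'; Port = 443 },
            @{ Host = 'crl.godaddy.com';                    Port = 80  }
        )
    )

    foreach ($t in $Targets) {
        # -InformationLevel Quiet returns only $true/$false for the TCP connect.
        $ok = Test-NetConnection -ComputerName $t.Host -Port $t.Port `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host      = $t.Host
            Port      = $t.Port
            Reachable = [bool]$ok
        }
    }
}

# Returns $true only when every required host:port answered.
function Test-ScannerReady {
    $results = Test-ScannerConnectivity
    $results | Format-Table -AutoSize | Out-String | Write-Host
    return -not ($results | Where-Object { -not $_.Reachable })
}

# Test-ScannerReady
```

Run Test-ScannerReady from the same Live Response, RTR or RSO session you intend to scan from, since the endpoint's own egress rules, not the analyst workstation's, are what matter. A failure on crl.godaddy.com:80 typically shows up as a slow or failing signature check rather than a download error, which is easy to misattribute.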
Quick Start
SentinelOne
Script installation
- Go to Automation in the main menu
- Click on the Remote Ops tab
- Download the script from https://github.com/intezer/EDRConnectDeployment/blob/main/intezer_endpoint_scanner.ps1.
- Click on the Upload New Script button, fill out the following Script Details, and click Next:
  - Name: Run Intezer Endpoint Scanner
  - Script Type: Action
  - OS Type: Windows
- Upload the script downloaded in the previous step and click Next
- Fill out the following Script Settings and click Next:
  - Script Execution Timeout: 1800
  - Input is Required (checkbox): True
  - Input Instructions: Provide Intezer API key
  - Input Example: api-key
- Review the Summary and click Submit
To allow Intezer to trigger the Live Endpoint Scanner automatically:
- Make sure that the Intezer Integration role has the following permissions:
  - RemoteOps > View
  - Run Scripts > Run Action Script
- Go to Automation > Remote Settings and verify that Enable approval thresholds is Disabled (if it is enabled, it can prevent Intezer from automatically executing the Live Endpoint Scanner script)
Common Questions
Script update
Remove the script and follow the same instructions as for installation.
Manual script execution
There are multiple ways to run the script:
- In the Threat overview page, click Actions > Run Script
- In Automation, click the Remote Ops tab and select a script to run
- In Sentinels > Endpoints, choose one or more endpoints. Click Actions > Response > Run Script.
Consult SentinelOne documentation under Running a Script for more details.
All analysis results are listed on your history page https://analyze.intezer.com/history?tab=endpoint
CrowdStrike
There are two setup options: one using CrowdStrike's custom script feature and one using CrowdStrike's executable feature ("put" files). We recommend setting up both.
Script installation (option 1)
- Go to Host setup and management > Response scripts and files, and under the Custom scripts tab click Create script
- Fill out the following details:
  - Script Name: Run Intezer Endpoint Scanner
  - Script Type: PowerShell
  - Script access: Users with the role of RTR Administrator or RTR Active Responder
  - Share script with workflows: optional; set this checkbox if you wish to use this script in a workflow
- Copy the script content from https://github.com/intezer/EDRConnectDeployment/blob/main/intezer_endpoint_scanner.ps1 and paste it into the Script tab
- If Share script with workflows is selected, go to the Input schema tab and paste the following JSON schema:
  {
    "$schema": "https://json-schema.org/draft-07/schema",
    "type": "object",
    "properties": {
      "api_key": { "type": "string" }
    },
    "required": [ "api_key" ]
  }
- Click Create
Script update
- Go to Host setup and management > Response scripts and files
- Select the script and click on the Edit script button
- Update the script content
- Click Save
Executable installation (option 2)
- Go to Host setup and management > Response scripts and files, and under the "put" files tab click Upload file
- Fill out the following details:
  - Upload the Intezer Scanner executable. You can download it from here
  - Name: IntezerScanner.exe
- Click Upload
Executable update
Intezer updates the Scanner from time to time. To update the executable, delete the old entry and upload the new one.
Common Questions
Executing the scanner on quarantined hosts
Add the following IPs to the allowlist under Host setup and management > Containment policy:
- [dns-server-ip] (you can find it by running ipconfig /all on the host)
- 20.60.27.196/32
- 168.63.129.16/32
- 20.60.130.228
- 20.50.210.201
- 192.124.249.41
- 192.124.249.31
- 192.124.249.36
Manual script execution
- Connect to any host using the Real-Time-Response module
- Type
runscript -CloudFile="Run Intezer Endpoint Scanner" -CommandLine="<YOUR-API-KEY>" --Timeout=1800
- You should see the endpoint scan results in Intezer at https://analyze.intezer.com/history?tab=endpoint.
Manual executable execution
- Connect to any host using the Real-Time-Response module
- Type
put-and-run "IntezerScanner.exe" -CommandLine="<YOUR-API-KEY>"
Microsoft Defender for Endpoints
Script installation
- Download the script from Intezer's repository.
- In Microsoft Defender, go to Assets > Devices and choose one of the endpoints you want to scan
- Click on More actions at the top right and choose Initiate Live Response Session
- Click on Upload file to library and fill in the following fields:
  - Choose the script downloaded in the previous step
  - Notice: the file name should remain intezer_endpoint_scanner.ps1
  - Script description: Intezer Endpoint Scanner
  - Check both the Overwrite file and Script parameters checkboxes
  - Parameters description: api_key (this is the parameter name, not its value)
- Click Confirm