thecomputerguy
Well-Known Member
I began rolling out EDR to some of my clients for testing purposes ... less than 50 or so endpoints.
It has been quiet since the beginning of the year and I was beginning to wonder if it was doing anything at all. I knew it was industry standard to use EDR so I just left it on my 50 points and moved on.
This weekend I finally got my first TWO alerts.
1.) Low severity ... PUP called PcAppStore showed up in the startup ... Huntress remediated it automatically.
2.) High severity ... Client downloaded a file called document.vbs and opened it, and then the VBS script proceeded to install two remote access agents, FleetDeck Agent and ScreenConnect Agent, at roughly 5:40pm on Saturday.
By 6:00pm Saturday Huntress had deleted the respective services to kill the access. The files were still left behind so some manual cleanup was necessary but I imagine on any HIGH alert I'd be in contact with the client anyways, so not a big deal.
Client claimed, "What? Saturday at 5:40 ... I wasn't even here"
THAT'S NOT WHAT YOUR BROWSER HISTORY SAYS BUD
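The post notes that the EDR killed the two remote-access services but left files behind, so manual cleanup was still needed. Below is an added example (not from the original post, not Huntress's tooling) of a read-only PowerShell check a technician could run on the affected endpoint afterwards to confirm nothing from the two agents survives. It assumes the agents' service names, display names, binary paths, autorun entries and install folders contain the strings "ScreenConnect" or "FleetDeck", and that the dropper was saved as document.vbs in a user's Downloads folder; both are assumptions, not details the post confirms, so adjust the patterns to what the alert actually listed.

```powershell
# Added example, not from the original post: post-remediation check for leftover
# remote-access agent artifacts after the EDR has stopped the services.
# Read-only: it reports, it does not delete. Run from an elevated PowerShell prompt.
#
# Assumptions (not stated in the post): artifacts contain "ScreenConnect" or
# "FleetDeck" in their names/paths, and the dropper is document.vbs in Downloads.
$Patterns = @('ScreenConnect', 'FleetDeck')
$Findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Kind, [string]$Name, [string]$Detail)
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Detail = $Detail })
}

# 1. Services: a stopped or orphaned service still means the agent binary is on disk.
Get-CimInstance Win32_Service | ForEach-Object {
    foreach ($p in $Patterns) {
        if ($_.Name -like "*$p*" -or $_.DisplayName -like "*$p*" -or $_.PathName -like "*$p*") {
            Add-Finding 'Service' $_.Name "$($_.State); $($_.PathName)"
        }
    }
}

# 2. Autoruns in the machine-wide Run keys and every loaded user hive.
$RunKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run')
$RunKeys += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        foreach ($p in $Patterns) {
            if ("$($prop.Value)" -like "*$p*" -or $prop.Name -like "*$p*") {
                Add-Finding 'RunKey' "$key\$($prop.Name)" "$($prop.Value)"
            }
        }
    }
}

# 3. Scheduled tasks whose action points at one of the agents.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        foreach ($p in $Patterns) {
            if ($cmd -like "*$p*") { Add-Finding 'ScheduledTask' $task.TaskName $cmd }
        }
    }
}

# 4. Leftover install folders (the "files still left behind") and the dropper itself.
$Roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:ProgramData", 'C:\Users')
foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Directory -Recurse -Depth 3 -ErrorAction SilentlyContinue |
        Where-Object { $n = $_.Name; $Patterns | Where-Object { $n -like "*$_*" } } |
        ForEach-Object { Add-Finding 'Folder' $_.FullName "Last write $($_.LastWriteTime)" }
}
Get-ChildItem 'C:\Users\*\Downloads\document.vbs' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Dropper' $_.FullName "Created $($_.CreationTime)" }

# Report. An empty result only means these particular checks found nothing.
if ($Findings.Count -eq 0) { 'No leftover artifacts matched the patterns.' }
else { $Findings | Sort-Object Kind, Name | Format-Table -AutoSize -Wrap }
```

The creation time on the dropper and the last-write times on the folders are the same timestamps you would line up against the browser history when the client says they were not there; keep the output with the ticket before deleting anything.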