Perseus Demo Walkthrough

Thank you for installing Perseus!

This document is designed to quickly familiarize you with the capabilities of Perseus. You’ll learn how Perseus can help you save time investigating incidents in your own environment. Suggested actions to explore Perseus are provided in bold. They’re accompanied by explanations of these actions and how they fit into a typical incident response workflow. Please don’t hesitate to reach out to us at support@PerseusSec.com if you have any questions or comments. Once you’re ready to use Perseus to help you investigate incidents in your own environment, you can download the free production version of Perseus here: https://PerseusSec.com/download-wizard

Please Note: The data included in the Perseus Demo comes from a real case study. It doesn’t contain the full Perseus data from every host, only a small subset that highlights some key capabilities of Perseus. To protect the privacy of the organization participating in the case study, some data and functionality are not available in the Perseus Demo.

Identify Persistent Malware In Seconds

Perseus allows you to determine in seconds whether persistent threats are present on a host you are investigating. Take for instance a common situation during incident response: a network perimeter security tool generates an alert indicating that suspicious traffic originated from a host. Let’s investigate two of these alerts using Perseus to quickly determine which incident involved persistent malware.

REDACTED-31315

We receive an alert from our network perimeter security tool that there’s suspicious traffic on REDACTED-31315 on July 15th. We can use Perseus to quickly determine if any persistent malware was associated with this incident. Go to the “Hosts Overview” dashboard, and search for host REDACTED-31315.

Click on the “Host” field to see the activity on host REDACTED-31315.

As you can see, the Red Arrow indicates a negative reputation for the Url Search Hook at the bottom of the list. Hover over the “Rep” field for the Url Search Hook for a summary of the VirusTotal report for the binary launched by the entry.

You can see that half of the engines detect it as malicious, which indicates it’s very likely malware. If you would like to see the full VirusTotal report, click on the Red Arrow. You can also click on the “Entry Name” or “Entry Launches” fields to launch a Google search for that data. For instance, even a quick glance at the Google search results from clicking on “{3c35ad63-af1d-4e21-b484-b6651a8efcf9}” further supports that the entry is malicious. Perseus allows you to quickly identify persistent malware, even malware using uncommon persistence methods.

REDACTED-29429

We receive an alert from our network perimeter security tool that there’s suspicious traffic on REDACTED-29429 on July 21st. We can use Perseus to quickly determine if any persistent malware was associated with this incident. Go to the “Hosts Overview” dashboard, and search for host REDACTED-29429.

Click on the “Host” field to see the activity on host REDACTED-29429.

Perseus indicates there are no unauthorized modifications present on the host. This allows you to immediately determine there’s no persistent malware present, so you don’t waste time searching for indicators of persistence that don’t exist. This is particularly useful when alerts are false positives or when alerts are associated with a broken multi-stage attack attempt. You can incorporate this information into your decisions about which incidents deserve immediate attention – prioritizing incidents with persistent threats often makes sense, as those attacks are ongoing.

See Organization-Specific Context

Sometimes legitimate software is used maliciously to carry out an attack. It’s important that an analyst be able to identify malicious use of legitimate software. Perseus can provide valuable organization-specific context to help you make this determination. Let’s explore an example of this. Go to the “Unauthorized Modifications” dashboard, and filter by Reputation “Good”.

You’ll see two entries associated with legitimate remote access products: Zoho Assist and Bomgar.

Hover over the “UReg” Icon for the Bomgar entry. This will show you that Bomgar is common in the organization participating in our case study. Please Note: These organization-approved products are typically whitelisted using the “Allow” button. Once whitelisted, they won’t appear on the dashboard so that it’s easier for an analyst to identify malicious activity. This Bomgar entry was intentionally omitted from the whitelist for the demo.

Hover over the “UReg” Icon for the Zoho entry. This will show you that Zoho is uncommon in the organization participating in our case study.

Perseus makes it easy and fast for you, even without any organization-specific knowledge, to identify what is common and what is anomalous in an organization. You’re able to quickly determine that the Zoho activity may require a closer look. Click on the “Time” field of the Zoho entry to see additional context associated with that entry.

As you can see, there were a few other modifications around the time of the Zoho entry. All of them have files that VirusTotal has no reports for. All of these factors combined are suspicious enough to warrant additional investigation of the host. Perseus allows you to quickly identify which incidents actually deserve your focus.

Detect Threats Missed By Other Security Technologies

Malware is often designed to bypass the most common security technologies deployed by an organization. Organizations are especially vulnerable when new threats are released that aren’t detected by antivirus definitions or existing IOCs. But because unknown malware almost always relies on known persistence mechanisms, Perseus can help identify persistent infections in your environment that are missed by other security products. Let’s take a look at activity in our environment for which there is no existing reputation data. Go to the “Unauthorized Modifications” dashboard, and filter by Reputation “Unknown”.

You’ll see a number of entries that VirusTotal has no reports or reputation data for. Click on the “Host” field for host REDACTED-30417 to see only the events on host REDACTED-30417.

You’re able to quickly determine that there are a number of polymorphic entries present on this computer that are highly suspicious and very likely malicious in nature. Even though there were no antivirus or network perimeter security tool alerts associated with this malware at the time of infection, Perseus allowed analysts to detect this threat so they could address it before it became a more serious incident.


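The three walkthroughs above all rest on the same triage logic: a persistence entry’s VirusTotal detection ratio gives it a reputation (Bad, Good, or Unknown), the number of hosts in the organization carrying the same entry says whether it is common or anomalous (the “UReg” context), whitelisted software is dropped from view, and hosts are then ranked by what remains. The following Python script is an added example that reproduces that logic on constructed data; it is not Perseus code and does not reflect how the product scores anything. The host names, entry names, hashes, engine counts and the thresholds (`BAD_RATIO`, `COMMON_RATIO`, the per-entry point values) are all assumptions made for the illustration.

```python
"""Triage persistence entries by reputation and organization-wide prevalence (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    host: str                  # host the entry was collected from
    location: str              # persistence mechanism (Run key, scheduled task, URL Search Hook, ...)
    launches: str              # binary or object the entry launches
    sha256: str                # hash of that binary (constructed placeholder values below)
    detections: Optional[int]  # engines that flagged the hash; None = no report on file
    engines: int               # engines that scanned the hash


# Constructed sample: ten hosts in the organization, four of which carry
# non-default persistence entries. Every name and hash here is invented.
TOTAL_HOSTS = 10
ENTRIES = [
    Entry("HOST-A", "Run key", "remote_support_A.exe", "aa01", 0, 70),
    Entry("HOST-B", "Run key", "remote_support_A.exe", "aa01", 0, 70),
    Entry("HOST-C", "Run key", "remote_support_A.exe", "aa01", 0, 70),
    Entry("HOST-C", "Run key", "remote_support_B.exe", "bb02", 0, 70),
    Entry("HOST-C", "Scheduled task", "upd_7f3a.exe", "cc03", None, 0),
    Entry("HOST-A", "URL Search Hook", "{00000000-0000-0000-0000-00000000c0de}", "dd04", 36, 70),
    Entry("HOST-D", "Run key", "svc_1a2b.exe", "ee05", None, 0),
    Entry("HOST-D", "Run key", "svc_9c8d.exe", "ee06", None, 0),
    Entry("HOST-D", "Scheduled task", "svc_4e5f.exe", "ee07", None, 0),
]

# Organization-approved software an analyst has whitelisted (the "Allow" step).
ALLOWED = {("Run key", "remote_support_A.exe")}

# Assumed thresholds, not taken from the product: half the engines flagging a
# hash makes it "Bad"; an entry seen on a quarter of hosts or more is "common".
BAD_RATIO = 0.5
COMMON_RATIO = 0.25


def reputation(e: Entry) -> str:
    """Bucket an entry's detection ratio into the dashboard-style reputation values."""
    if e.detections is None or e.engines == 0:
        return "Unknown"          # no report at all: nothing vouches for the file
    if e.detections / e.engines >= BAD_RATIO:
        return "Bad"
    if e.detections == 0:
        return "Good"
    return "Suspicious"           # a handful of hits: not enough to call it either way


def prevalence(entries, total_hosts: int) -> dict:
    """Fraction of hosts carrying each (location, launches) pair; this is the
    organization-specific context behind the walkthrough's common/uncommon labels."""
    hosts = defaultdict(set)
    for e in entries:
        hosts[(e.location, e.launches)].add(e.host)
    return {key: len(h) / total_hosts for key, h in hosts.items()}


def score_entry(e: Entry, common: bool) -> int:
    """Investigation priority for one entry: known-bad first, then unknown and
    uncommon (the polymorphic-malware pattern), then everything else."""
    rep = reputation(e)
    if rep == "Bad":
        return 10
    if rep == "Unknown":
        return 2 if common else 5
    if rep == "Suspicious":
        return 3
    return 0 if common else 1     # Good: only worth a glance if nobody else runs it


def triage(entries=ENTRIES, total_hosts=TOTAL_HOSTS, allowed=ALLOWED):
    """Rank hosts by summed entry scores; returns [(host, score), ...], highest first.
    Whitelisted entries are skipped, so a host running only approved software scores 0."""
    prev = prevalence(entries, total_hosts)
    scores = {e.host: 0 for e in entries}
    for e in entries:
        key = (e.location, e.launches)
        if key in allowed:
            continue
        scores[e.host] += score_entry(e, prev[key] >= COMMON_RATIO)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def explain(host: str, entries=ENTRIES, total_hosts=TOTAL_HOSTS, allowed=ALLOWED):
    """Per-entry breakdown an analyst would want before opening a case on a host."""
    prev = prevalence(entries, total_hosts)
    rows = []
    for e in entries:
        key = (e.location, e.launches)
        if e.host != host or key in allowed:
            continue
        common = prev[key] >= COMMON_RATIO
        rows.append((e.location, e.launches, reputation(e),
                     "common" if common else "uncommon", score_entry(e, common)))
    return rows


if __name__ == "__main__":
    for host, score in triage():
        print(f"{host}: {score}")
        for row in explain(host):
            print("   ", row)
```

Run as-is, the script ranks HOST-D first (three unknown, uncommon entries, the pattern described for REDACTED-30417), HOST-A second (one entry flagged by half the engines, as with the Url Search Hook on REDACTED-31315), HOST-C third (an uncommon but clean remote-support tool next to an unknown scheduled task, the Zoho situation), and HOST-B last with a score of 0 because its only entry is whitelisted, which is the REDACTED-29429 outcome of having nothing left to chase. The point of keeping prevalence separate from reputation is that neither signal alone decides anything: a clean-looking binary nobody else in the organization runs still earns a look, while an unknown file present on most hosts is more likely an unrecognized corporate tool than polymorphic malware.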
Hunt for Threats, Whitelist Approved Software, And More

Explore the unique “Universal Registry” dashboard to actively hunt for anomalies. Use the “Allow” button to see how Perseus can further reduce noise by whitelisting software that’s approved in your environment. Use the “Clean” button to see how Perseus can allow an analyst to initiate automated remediation of malicious modifications. And once you’re ready to use Perseus to help you investigate incidents in your own environment, you can download the free production version of Perseus here: https://PerseusSec.com/download-wizard