Advance and Automate Your Endpoint Security Software with Infocyte Extensions
This post was last updated on August 27th, 2021 at 05:22 pm
Earlier this month, we announced a breakthrough feature within our agentless detection and response platform — Extensions. This new feature enables security teams to integrate, automate, and extend their endpoint security software tools: Endpoint Detection and Response (EDR) platforms, Security Information and Event Management (SIEM) tools, Security Orchestration, Automation and Response (SOAR) platforms, and more.
First and foremost, we’d like to thank everyone—customers, partners, the cybersecurity community, and of course our engineers—who helped test, contribute, and build Extensions… Thank you!
What are Extensions?
Within Infocyte’s detection and response platform, you can now develop, contribute, and deploy custom Extensions to interact with your endpoints in two key ways:
- Collection Extensions extend what our endpoint/server agent collects: for instance, you can analyze your own registry keys, run shell commands, collect logs, etc., and they also enable YARA scanning on the endpoint. Initial ones being built: YARA scanner, eDiscovery, ransomware finder, PowerForensics MFT collector.
- Action Extensions provide mechanisms for making changes to a system or set of systems. You can isolate compromised systems, install a third-party tool, change settings, or perform a memory dump. Really, they are only limited by your imagination. Initial examples being built: memory dump, host isolation, host restore, VSS enforcement, VSS restore.
How to Develop Extensions
Infocyte Extensions are written in Lua, which has an interface to all of our agent/survey functionality and also includes the embedded Lua standard library. Users can also deploy and execute arbitrary binaries or scripts written in a language of their choice (e.g. PowerShell, Python, Bash) by passing calls to the OS shell. We have examples and style guide drafts already available on our GitHub, and they are being updated daily.
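To make the Collection Extension idea above concrete, here is an added example of what a small collection-style extension can look like in Lua. It is not Infocyte's code and does not use the HUNT Lua library, whose reporting functions are not shown on this page; it relies only on the Lua standard library the platform embeds, reaches the OS shell through io.popen (the "pass calls to the os shell" route mentioned above), and returns its findings from a function rather than submitting them to the platform. The log lines are constructed sample data, and the names run_shell, count_failed_logins and collect are hypothetical.

```lua
-- Added example, not Infocyte's code: a minimal collection-style extension
-- that only uses the Lua standard library. Findings are returned from
-- collect(); a real extension would hand them to the HUNT library instead
-- (those calls are not on the page and are deliberately omitted here).

-- Run a shell command and capture its stdout. "*a" works on Lua 5.1 through 5.4.
local function run_shell(cmd)
  local pipe = io.popen(cmd)
  if not pipe then return nil, "popen failed for: " .. cmd end
  local out = pipe:read("*a")
  pipe:close()
  return out
end

-- Constructed sample input: lines shaped like sshd entries in an auth log.
local SAMPLE_LOG = [[
Jan 01 10:00:01 host sshd[100]: Accepted password for alice from 10.0.0.5
Jan 01 10:00:07 host sshd[101]: Failed password for root from 198.51.100.9
Jan 01 10:00:09 host sshd[102]: Failed password for root from 198.51.100.9
Jan 01 10:00:12 host sshd[103]: Failed password for admin from 198.51.100.9
Jan 01 10:00:20 host sshd[104]: Failed password for bob from 10.0.0.7
]]

-- Collection logic: count failed logins per source IPv4 address.
local function count_failed_logins(text)
  local counts = {}
  for line in text:gmatch("[^\n]+") do
    local ip = line:match("Failed password for %S+ from (%d+%.%d+%.%d+%.%d+)")
    if ip then counts[ip] = (counts[ip] or 0) + 1 end
  end
  return counts
end

-- Build the findings table. `threshold` is the minimum failure count that
-- gets reported; the hostname comes from the shell so the record is
-- self-identifying when collected from many endpoints.
local function collect(log_text, threshold)
  local host = run_shell("hostname") or ""
  local findings = { hostname = host:gsub("%s+$", ""), suspicious = {} }
  for ip, n in pairs(count_failed_logins(log_text)) do
    if n >= threshold then
      findings.suspicious[#findings.suspicious + 1] = { ip = ip, failures = n }
    end
  end
  table.sort(findings.suspicious, function(a, b) return a.failures > b.failures end)
  return findings
end

-- Stand-alone run against the constructed sample.
local result = collect(SAMPLE_LOG, 3)
print("host: " .. result.hostname)
for _, s in ipairs(result.suspicious) do
  print(string.format("%s: %d failed logins", s.ip, s.failures))
end
```

Against the sample, only 198.51.100.9 crosses the threshold of 3; the single failure from 10.0.0.7 is counted but not reported. Swapping SAMPLE_LOG for the contents of a real log file read with io.lines, or for the output of a run_shell command, is the change that turns this into an actual endpoint collection.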
Extensions are sourced from Infocyte, the cybersecurity community, and our customers/partners.
- Official: We will provide Infocyte defined, written, and maintained Extensions for many primary use cases.
- Community: Users can contribute to our future community repo that we host on GitHub.
- Private: Users can also maintain and create their own private extensions based on proprietary threat intel and innovation.
If you’re interested in developing Extensions within the Infocyte platform, please contact us to request a not-for-resale (NFR) or developer license. Additionally, we’re opening up personal developer licenses for registered developers.
Developing Extensions in Windows
Extensions can be run locally without a developer license, and I recommend it for most testing and initial development. On Windows, you'll find a function for executing/testing your extension in the InfocyteHUNTAPI PowerShell module (the only dependency is the survey, s1.exe):
Install-Module -Name InfocyteHUNTAPI
Invoke-ICExtension -Path <pathtoextension>
Contributing to Infocyte Extensions on GitHub
If developing, fork our Extensions repository and start modifying or adding your scripts. You can then open a Pull Request against our repo to add your extension (make sure your new extension is in the contrib folder).
NOTE: Our Lua HUNT Library is under active development and may change after we go live, get feedback, and enhance the features.
If you have questions about how Infocyte Extensions work, how you can advance and automate your endpoint security software, or if you need help getting started, please contact us.