

Uptycs Configuration

The following product description and configuration information was provided by the vendor and has been included in its unedited form. Any MITRE Engenuity comments are included in italics.


Product Versions

  • SaaS version 69068
  • Agent version 4.4.0.24-Uptycs

Product Description

The Uptycs security analytics platform makes it easy for organizations to get security observability across all their endpoints—whether they’re laptops, servers, containers, or ephemeral machine images in the cloud—and the environments they’re running in. With connected insights across these on-premises and cloud workloads, security teams can solve a number of use cases in one platform, including fleet visibility, threat detection and investigation, and audit and compliance. By closing visibility gaps, Uptycs arms security teams with rapid insights that help them reduce dwell time, proactively mitigate misconfiguration risk, and perform comprehensive investigations for faster response.

In this screenshot from the Uptycs interface, an easy-to-understand process graph helps analysts see how the signals in a detection map to the MITRE ATT&CK framework as well as the parent-child relationships of processes involved in a detection and artifacts involved.

Uptycs solves the problem of collecting, aggregating, and correlating data from disparate environments. The platform collects telemetry—including rich host-based telemetry—from laptop and server endpoints, containerized workloads, and cloud workloads and makes it available through SQL tables for fast real-time and historical queries, as well as through dashboards and visualizations. SQL-powered analytics empowers security teams to ask difficult questions and get rapid answers.

One of the primary use cases of the Uptycs platform is threat detection and investigation. To detect threats, Uptycs uses behavioral detections as well as real-time and historical correlations against our own threat research and 100+ threat intelligence feeds and IOC/malware sources. Users can also build their own detections and add proprietary threat feeds.

With Uptycs, SOC analysts can see how the signals that comprise a detection are related to the associated techniques in MITRE ATT&CK, both visually on the matrix and with tags, to better understand the nature of an incident. SOC teams can build off of a robust detection rule set for MITRE ATT&CK with 500+ behavioral rules to cover the tactics and techniques described in the framework, and easily customize rules further to meet specific requirements.

When an incident is identified, Uptycs offers another advantage for incident response teams: the ability to reconstruct machine state at any point in time. This is especially useful for investigations that encompass ephemeral cloud workloads that may no longer be in production. Uptycs makes this possible by storing machine state in a Flight Recorder so analysts can “go back in time” to perform forensic investigations.

Product Configuration

  1. Registry config changes:
    • added registry key (HKEY_CURRENT_USER\Software\InternetExplorer\AppDataLow\Software\Microsoft\%%) for monitoring
  2. Uptycs event exclude profile changes:
    • removed local network 192.168.0.0/16 from exclusion
    • removed (.tmp) file extension from exclusion
    • removed ('unlink') exclusion for file delete events
  3. set the 'exclude_controlling_parents' flag to 'false' to get code injection related data in the process_control_events table.