How to access Run to Ground

The Run to Ground feature lets users provide file hashes and see other objects that entered a customer environment around the same time, along with what Stairwell believes is interesting about those objects. “RTG” finds sightings of your reference object, any of its variants (2 levels deep), and any objects that entered your environment within 24 hours of any variant. The results are then filtered by prevalence so that only the uncommon objects seen around this time remain. A maximum of 200 objects per variant are displayed.
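The selection steps described above, as an added Python example that is not Stairwell's implementation. The data model, the symmetric 24-hour window, treating the reference object as depth 0, and the `MAX_PREVALENCE` cutoff are assumptions; the page gives no prevalence threshold.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # correlation window (from the page)
MAX_DEPTH = 2                 # variants, 2 levels deep (from the page)
MAX_PER_VARIANT = 200         # display cap per variant (from the page)
MAX_PREVALENCE = 0.01         # assumed cutoff; the page states no number

def variants_within(ref, variant_edges, max_depth=MAX_DEPTH):
    """Breadth-first walk of the variant graph; the reference is depth 0."""
    depth, queue = {ref: 0}, deque([ref])
    while queue:
        cur = queue.popleft()
        if depth[cur] < max_depth:
            for nxt in variant_edges.get(cur, ()):
                if nxt not in depth:
                    depth[nxt] = depth[cur] + 1
                    queue.append(nxt)
    return depth

def run_to_ground(ref, variant_edges, sightings, prevalence):
    """Return {anchor: [(object, first_seen_in_window), ...]} of uncommon objects."""
    anchors = variants_within(ref, variant_edges)
    results = {}
    for anchor in anchors:
        times = [t for obj, t in sightings if obj == anchor]
        hits = {}
        for obj, t in sightings:
            # Skip the anchors themselves and anything too widespread.
            if obj in anchors or prevalence.get(obj, 0.0) > MAX_PREVALENCE:
                continue
            if any(abs(t - a) <= WINDOW for a in times):
                hits[obj] = min(t, hits.get(obj, t))
        if times:  # only anchors that were actually sighted get a result list
            results[anchor] = sorted(hits.items(), key=lambda kv: kv[1])[:MAX_PER_VARIANT]
    return results

# Constructed sample data; placeholder names stand in for file hashes.
T0 = datetime(2024, 1, 10, 12, 0)
EDGES = {"ref": ["var1"], "var1": ["var2"], "var2": ["var3"]}
SIGHTINGS = [
    ("ref", T0), ("var2", T0 + timedelta(days=3)),    # sighted anchors
    ("var3", T0 + timedelta(days=9)),                 # depth 3: not an anchor
    ("dropper", T0 + timedelta(hours=2)),             # rare, near ref
    ("common_dll", T0 + timedelta(hours=1)),          # near ref but widespread
    ("helper", T0 + timedelta(days=3, hours=-5)),     # rare, near var2
    ("late_tool", T0 + timedelta(days=9, hours=1)),   # only near var3
]
PREVALENCE = {"dropper": 0.001, "common_dll": 0.6, "helper": 0.002, "late_tool": 0.001}
if __name__ == "__main__":
    print({a: [o for o, _ in v] for a, v in run_to_ground("ref", EDGES, SIGHTINGS, PREVALENCE).items()})
```

On the constructed data, the widespread `common_dll` is dropped by the prevalence filter and `late_tool` is missed because its only neighbour is a depth-3 variant.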

Starting a Run to Ground

  • Every hash you come across in Stairwell can be run to ground. Whether it is in a search or in a details panel, you can right-click on the hash itself to open the Stairwell context menu. In the menu under the "Workflows" option, select the “Run to ground” option to start your run to ground on the selected hash.
  • In lists where you can bulk select hashes (search, threat reports, etc.), you can select up to 5 hashes at a time to run to ground. Simply select the hashes from the list and then right-click on any of the selected hashes to open the context menu. From there, select the “Run to ground” option to start the run to ground request.


RTG with the Chrome Extension

  • Hashes outside of Stairwell can also be run to ground! Once installed, the Stairwell Chrome extension allows you to simply right-click on a hash anywhere you might see one in your browser to open the Stairwell context menu. In the menu, simply select “Run to ground” to start the run to ground for the selected hash. Stairwell will open in a new tab and bring you to your run to ground results.
  • Hashes seen on a page outside of the Stairwell platform will be highlighted in an orange gradient color to signal that the hash can be run to ground using the Stairwell Chrome extension.