5/6/2020 Hunting and Investigation | Documentation | Support | Falcon

CROWDSTRIKE CONFIDENTIAL
Hunting and Investigation

Last updated: Apr 16, 2020

Contents:

Introduction
Before You Begin
System Dependencies
Browser Dependencies
Hunting With Falcon
Overview
Best Practices
Hunting Queries
Hunting Suspicious Processes
Hunting Phishing Attacks & Malicious Attachments
Hunting Configuration and Compliance Vulnerabilities
Hunting Firewall Anomalies & Vulnerabilities
Hunting Suspicious Network Connections
Hunting Anomalous Behavior
Hunting Anomalies Related to Scheduled Tasks
Hunting Suspicious Registry Changes
Hunting Java Malware, Trojans, & Exploits
Walkthroughs
Hunting Walkthrough: Domain IOC
Hunting Walkthrough: IP IOC

https://falcon.crowdstrike.com/support/documentation/12/hunting-and-investigation#hunting-suspicious-processes 1/67
Hunting Walkthrough: Hash IOC


Troubleshooting
Appendix A: Investigate App Pages
Spectre & Meltdown
Host Search
Hash Search
User Search
Source IP Search
Bulk Hash Search
Bulk Domain Search
Event Search
Containers
Mobile Hosts

Introduction

The Hunting Guide for Windows teaches you how to hunt for adversaries, suspicious activities, suspicious processes, and
vulnerabilities on the Windows platform using Falcon.

Falcon contains a suite of powerful search tools that allow you to analyze, explore, and hunt for suspicious or malicious activity in
your environment. These tools include the pre-made search dashboards in the various Falcon apps as well as the ability to run
custom queries on the Events Search page in the Investigate App. This guide focuses mainly on using custom queries to hunt, but
will also direct you to use Falcon's pre-made dashboards when it makes most sense.

If at any time you have questions or encounter technical issues not covered in this guide or in the Troubleshooting section,
contact Support.

Before You Begin

System Dependencies

This guide contains information about how to hunt using Falcon and is tailored specifically towards users running the Falcon
sensor on Windows devices. However, a lot of the ideas and concepts also apply to users running the Falcon sensor on Mac or
Linux. Depending on the sensor platform, however, the names and descriptions of certain events as well as custom query syntax
will vary. We recommend that you read and refer to the Events Data Dictionary to learn more about specific events and their
variations across platforms. The Events Data Dictionary also contains additional custom queries not found in this document that
could be useful when hunting.

Browser Dependencies

CrowdStrike currently supports the Google Chrome browser for use with the Falcon web interface. Other browsers may work, but
we do not support other browsers at this time.

Hunting With Falcon

Overview

Hunting with Falcon is straightforward. By using either the pre-made dashboards and reports or by using custom queries on the
Events Search page, you can search for specific events and data points across one, several, or all hosts running the Falcon sensor
in your environment. The data returned in an Events Search query is from the last 30 days of sensor activity, though most of the
queries you run will need to be narrowed down to a smaller timeframe so that results are usable. You then use your search results
to understand and evaluate security events happening in your environment.

Before you start hunting with Falcon, however, there are a few concepts and best practices that you should familiarize yourself
with, beginning with the queries themselves.

Best Practices

WRITE SPECIFIC QUERIES

All queries in Falcon are powered by the Splunk query language. This document focuses less on teaching you Splunk syntax and
more on the various behaviors and activities you will be hunting. To learn more about Splunk and Splunk syntax, we recommend
that you read the Official Splunk Documentation and the Splunk Enterprise Quick Reference Guide.

Even if you aren’t a Splunk expert, this guide makes it easy to understand what each query does and how you can modify queries
to get more value out of them. Let’s start with a simple example.

Show me a list of processes that executed from the Recycle Bin for a specific AID

aid=my-aid ImageFileName=*$Recycle.Bin* event_simpleName=ProcessRollup2 | stats values(name) values(MD5HashData) values(ComputerName) values(ImageFileName) count by aid

Most of the queries in this document can simply be copied and pasted into Events Search with minimal modification required by
the user. However, when you see capitalized values, you will need to provide a value before you can run the query.

In the example above, you should provide an "agent ID" (or "AID" for short), which is a unique ID given to each Falcon sensor.
Adding the AID to the query limits the scope of your query to the sensor with that AID and greatly reduces the time and
computational cost of your search.

Thus, the above query might end up looking like this:

aid="a9e3b67c7883497f6d18fdd1517b177d" ImageFileName=*$Recycle.Bin* event_simpleName=ProcessRollup2 | stats values(name) values(MD5HashData) values(ComputerName) values(ImageFileName) count by aid

Using the AID in this fashion is just one way to drill down to a specific host. You can also use the host name (ComputerName="foo") in the
same fashion.


This is just one example, but shows how specificity matters greatly when writing Splunk queries. The more specific you can be
when writing a query, the fewer results you will have to sort through and the faster the query will run.

Let’s see how a simple query can be made more useful for you with a few simple modifications. Below is an example query that
returns a large amount of data and takes a long time to run. This query returns a list of SuspiciousDnsRequest events, the domains
to which the requests were made, the host names from which the requests were made, and the number of times the requests were
made:

event_simpleName=SuspiciousDnsRequest | stats values(ComputerName) count by DomainName

The number of results returned by this query and the time it takes to run make this query difficult to work with. We can fix
both of these problems by making our query more specific.

Let’s start reducing the number of results by limiting the query to a single AID, which would return a list of SuspiciousDnsRequest
events that occurred on the host running the Falcon sensor with that particular AID:

aid="a9e3b67c7883497f6d18fdd1517b177d" event_simpleName=SuspiciousDnsRequest | stats values(ComputerName) count by DomainName

Next, we can further reduce our results list by specifying a timeframe. Instead of searching across 30 days of data, let’s search for
instances of this event in the last 24 hours using the "earliest" and "latest" keywords:

aid="a9e3b67c7883497f6d18fdd1517b177d" event_simpleName=SuspiciousDnsRequest earliest=-24h latest=now | stats values(ComputerName) count by DomainName

We also know that domains requested only once or twice, rather than dozens of times, are often more likely to be suspicious.
We can limit our results to a specific number of suspicious requests. In this example, we only want to see domains to which
fewer than three suspicious requests were made, which we do by adding a condition on the event count:

aid="a9e3b67c7883497f6d18fdd1517b177d" event_simpleName=SuspiciousDnsRequest earliest=-24h latest=now | stats values(ComputerName) count by DomainName | where count < 3

Alternatively, we could reduce the number of results further by returning only the top 20 or bottom 20 results based on the
number of requests made:

aid="a9e3b67c7883497f6d18fdd1517b177d" event_simpleName=SuspiciousDnsRequest earliest=-24h latest=now | stats values(ComputerName) count by DomainName | head 20

Bottom 20 results:

aid="a9e3b67c7883497f6d18fdd1517b177d" event_simpleName=SuspiciousDnsRequest earliest=-24h latest=now | stats values(ComputerName) count by DomainName | tail 20

It should also be noted that the Events Search and Splunk handle special character escaping differently. For example, if you
wanted to enter the path \system32\config\, you would traditionally write it and escape the backslashes like so:

"\\system32\\config\\"

However, in the Events Search, this should be written as:

"\\\\system32\\\\config\\\\"

This is particularly important when your search includes regex syntax.

By adding a timeframe, applying limits and filters, and escaping our searches properly, we can easily reduce the results list of our
Splunk query to a useful, manageable amount of information. This decreases the time and complexity of hunting adversaries in
your environment.

USE SMART MODE

In Events Search, there are different search modes available to you. When hunting, we recommend using Smart Mode, as
this is the fastest search mode.

CHANGE VIEWS

You can view the results of any event search query with one click. You can choose Events List, Table, or Results Chart. For the
purposes of hunting, we recommend using the Raw view to view the raw data. This is also the only way you will be able to access
workflows (described later).

FILTER OUT BENIGN DATA

Hunting with Falcon is all about obtaining meaningful data. Thus, for every query you run, you will most likely want to filter out
data that you know is unnecessary. Unnecessary data could be data that is irrelevant to what you are searching for or it could
simply be data that you know is benign.


For example, let’s say you are hunting suspicious registry changes.

aid=my-aid event_simpleName=ASEP* | table timestamp ComputerName RegObjectName | sort - timestamp

We can make this more meaningful by filtering out a registry object that we know to be benign using the "does not equal" syntax
(" != "). This reduces the amount of results we get and speeds up the time it takes to run the query.

aid=my-aid event_simpleName=ASEP* RegObjectName!="Value" | table timestamp ComputerName RegObjectName | sort - timestamp

USE THE BUILT-IN WORKFLOWS

The Events Search page has built-in workflows that enable you to quickly and easily run pre-made queries on your search results
with the click of a button. This allows you to run powerful queries without writing a single line of Splunk syntax.

To see how this works, we’ll run the following example query. This query returns a list of all versions of Microsoft Word that are
running on my hosts (removing duplicate entries by ImageFileName and ComputerName).

(event_simpleName=ProcessRollup* OR event_simpleName=ImageHash) FileName=WinWord.exe | dedup ImageFileName ComputerName

This query gives us the following results.


In the screenshot above, we see the raw JSON from a ProcessRollup2 event in our search results.

Let’s say we now want to see the event associated with the process that spawned this event (the "parent process"). We could
write a brand new query. Or, we could use the built-in workflows. Simply click Event Actions below the raw JSON to access the
workflow menu for the event:


Note the number of workflows that are built in. This list will vary depending on the event.

Hunting Queries

Hunting Suspicious Processes

Show me any instances of common reconnaissance tools on a host

aid=my-aid event_simpleName=ProcessRollup2 (FileName=net.exe OR FileName=ipconfig.exe OR FileName=whoami.exe OR FileName=quser.exe OR FileName=ping.exe OR FileName=netstat.exe OR FileName=tasklist.exe OR FileName=Hostname.exe OR FileName=at.exe) | table ComputerName UserName FileName CommandLine

Show me any BITS transfers (can be used to transfer malicious binaries)

event_simpleName=ProcessRollup2 FileName=bitsadmin.exe (CommandLine=*/Transfer* OR CommandLine=*/Addfile*) | dedup CommandLine | table _time aid ComputerName UserName ImageFileName CommandLine TargetFileName MD5HashData SHA256HashData | sort -_time

Show me any powershell.exe downloads

event_simpleName=ProcessRollup2 FileName=powershell.exe (CommandLine=*Invoke-WebRequest* OR CommandLine=*Net.WebClient* OR CommandLine=*Start-BitsTransfer*) | table ComputerName UserName FileName CommandLine

Show me any encoded PowerShell commands

event_simpleName=ProcessRollup2 FileName=powershell.exe (CommandLine=*-enc* OR CommandLine=*encoded*) | table ComputerName UserName FileName CommandLine


Show me a list of processes that executed from the Recycle Bin

To see a list of executables running from the Recycle Bin, Falcon provides you a premade report on the Events Search page under
Reports > Hunting Reports > Executables Running from Recycle Bin. You can also run the following query.

aid=my-aid ImageFileName=*$Recycle.Bin* event_simpleName=ProcessRollup2 | stats values(name) values(MD5HashData) values(ComputerName) values(ImageFileName) count by aid

Show me a list of processes executing from User Profile file paths

Processes generally shouldn’t be executing from user spaces. These paths cover spaces that are considered to be User Paths.

aid=my-aid (event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2) AND (ImageFileName="*\\AppData\\*" OR ImageFi
ImageFileName="*\\AppData\\Local\\*" OR ImageFileName="*\\AppData\\Local\\Temp\\*" OR ImageFileName="*\\AppData\\Roaming\\*") | regex ImageFileName=".*\\\\Desktop\\\\\w+\.exe|.*\\\\AppData\\\\\w+\.exe|.*\\\\AppData\\\\Local\\\\\w+.exe|.*\\\\AppData\\\\Local\\\\Temp\\\
| table ComputerName UserName ImageFileName FileName SHA256HashData

Show me a list of processes executing from browser file paths

Similar to the previous query, processes typically shouldn’t be running from these locations:

aid=my-aid (event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2) AND (ImageFileName="*\\AppData\\Local\\Micros
ImageFileName="*\\AppData\\Local\\Google\\Chrome\\*" OR ImageFileName="*\\Downloads\\*") | regex ImageFileName=".*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\Temporary.Internet.Files\\\\\w+\.exe|.*\\\\AppData\\\\Local\\\\Mozill
| table ComputerName UserName ImageFileName FileName SHA256HashData

Show me the responsible process for starting a service

event_simpleName=ProcessRollup2 [search event_simpleName=ServiceStarted | rename RpcContextProcessId_decimal as TargetProcessId_decimal | fields aid TargetProcessId_decimal]


Show me binaries running as a service that do not originate from “System32”

event_simpleName=ServiceStarted ImageFileName!="*\\System32\\*" | table aid ServiceDisplayName ImageFileName CommandLine ClientComputerName RemoteAddressIP4 RemoteAddressIP6

If hunting for anomalous activity, look for services that do not originate from “Windows\System32” location. Remember to escape
the directory backslashes (“\”) with another backslash.

Show me an expected service running from an unexpected location

This is similar to the previous query but more specific - this will look for “svchost.exe” running from unexpected locations, e.g.
“C:\Windows\Temp”. You can utilize any binary name or service of interest to find anomalous behavior. “ServiceDisplayName” can
be substituted for “ImageFileName” if you want to hunt on service names instead.

event_simpleName=ServiceStarted ImageFileName="*\\svchost.exe" ImageFileName!="*\\System32\\*" | table aid ServiceDisplayName ImageFileName CommandLine ClientComputerName RemoteAddressIP4 RemoteAddressIP6

Show me a specific service name

Certain malware and adversary tools may run as a service with specific names - if you wanted to hunt for any of these services
names, this query should allow for quick triage.

event_simpleName=ServiceStarted ServiceDisplayName=my-service | table aid ServiceDisplayName ImageFileName CommandLine ClientComputerName

In the table fields, "ContextTimeStamp" provides the system time of event creation, which is useful when correlating with the
time frame of interest. "RemoteAddressIP4" provides the IP address of the remote machine that initiated the request (the
origin), and "ClientComputerName" provides the NetBIOS name of the remote machine.

Show me all CreateService events


The “CreateService” event has been updated in sensor version 2.27 to include the remote IP address (RemoteAddressIP4) as well
as the hostname (ClientComputerName) of the machine that initiated the request. If the data is available, this query will show you
the origin of the remote procedure call which could be useful in identifying compromised assets during an intrusion.

event_simpleName=CreateService | table RemoteAddressIP4 ClientComputerName ServiceDisplayName ServiceImagePath

Show me non-System32 binaries running as a hosted service

If hunting for anomalous activity, look for services that do not originate from “Windows\System32” location. Remember to escape
the directory backslashes (“\”) with another backslash.

event_simpleName=HostedServiceStarted ImageFileName!="*\\System32\\*" | table aid ServiceDisplayName ImageFileName CommandLine ClientComputerName RemoteAddressIP4 RemoteAddressIP6

Show me a list of services that were stopped and on which hosts

event_simpleName=*ProcessRollup2 [search event_simpleName=ServiceStopped | fields cid aid TargetProcessId_decimal] | table aid ComputerName ImageFileName

Show me when a specific hosted service has stopped

Utilize this query to alert on when key services are stopped, such as Windows Firewall (“Base Filtering Engine”) or other security
related services.

event_simpleName=HostedServiceStopped ServiceDisplayName=my-service | table aid ServiceDisplayName

Hunting Phishing Attacks & Malicious Attachments


Phishing is an attempt to acquire information such as user names, passwords, and credit card details by masquerading as a
trustworthy entity in an electronic communication.

Show me a list of attachments sent from Outlook in the past hour that have a file name of "winword.exe", "excel.exe", or
"POWERPNT.exe"

aid=my-aid event_simpleName=ProcessRollup2 earliest=-60m latest=now CommandLine=*content.outlook* (FileName=winword.exe OR FileName=excel.exe OR FileName=POWERPNT.exe) | eval splitter=split(CommandLine,"Outlook\\") | eval ShortFile=mvindex(splitter,-1) | table timestamp aid TargetProcessId_decimal ComputerName ShortFile CommandLine | sort - timestamp

Show me a list of links opened from Outlook in the last hour

aid=my-aid event_simpleName=ProcessRollup2 earliest=-60m latest=now FileName=outlook.exe | dedup aid TargetProcessId_decimal | rename FileName as Parent | rename CommandLine as ParentCmd | table aid TargetProcessId_decimal Parent ParentCmd | join max=0 aid TargetProcessId_decimal [search event_simpleName=ProcessRollup2 (FileName=chrome.exe OR FileName=firefox.exe OR FileName=iexplore.exe) | rename ParentProcessId_decimal as TargetProcessId_decimal | rename MD5HashData as MD5 | rename FilePath as ChildPath | dedup aid TargetProcessId_decimal MD5 | fields aid TargetProcessId_decimal FileName CommandLine] | table Parent ParentCmd FileName CommandLine aid

To further drill down on this activity, choose a workflow from the drop-down menu associated with the ProcessRollup2 event.

Hunting Configuration and Compliance Vulnerabilities

Show me a list of web servers or database processes running under a Local System account

A Local System account is an account that the operating system uses to run much of its core functionality. As such, a Local
System account has far more privileges than a typical user account. If an adversary compromises a process running as Local
System, they inherit that level of privilege and do not even need to obtain credentials. It is important to ensure that
everything running as Local System in your environment actually needs this level of privilege.

event_simpleName="ProcessRollup2" (FileName=w3wp.exe OR FileName=sqlservr.exe OR FileName=httpd.exe OR FileName=nginx.exe) UserName="LOCAL SYSTEM" | dedup aid | table ComputerName UserName ImageFileName CommandLine

Show me user accounts added to Administrator groups (local or domain)

During an intrusion, it is likely that an adversary will leverage existing user accounts after harvesting their credentials and if
these particular accounts need elevated permissions, they will be added to the administrator’s group. This query could also be
useful for insider threat activity.

event_simpleName=UserAccountAddedToGroup DomainSid="S-1-5-21-*" | stats dc(ComputerName) AS "Host Count", values(ComputerName) AS "Host Name" by DomainSid, UserRid | eval UserRid_dec=tonumber(UserRid, 16) | fillnull UserRid | eval UserSid_readable=DomainSid."-".UserRid_dec | lookup usersid_username.csv UserSid_readable OUTPUT UserName | rename UserSid_readable AS UserSid, UserName AS "User Name" | table UserSid, "User Name", "Host Count", "Host Name"
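As an added example (not part of the original guide), the following Python mirrors the stats, eval and lookup steps of this query on constructed UserAccountAddedToGroup records. The domain SID, host names and the SID-to-username mapping standing in for usersid_username.csv are all constructed for this example.

```python
from collections import defaultdict

# Constructed UserAccountAddedToGroup records (sample data, not real telemetry). UserRid is a
# hexadecimal string, which is why the query converts it with tonumber(UserRid, 16).
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "DomainSid": "S-1-5-21-1111111111-2222222222-3333333333", "UserRid": "451"},
    {"ComputerName": "WS02", "DomainSid": "S-1-5-21-1111111111-2222222222-3333333333", "UserRid": "451"},
    {"ComputerName": "DC01", "DomainSid": "S-1-5-21-1111111111-2222222222-3333333333", "UserRid": "1f4"},
    # BUILTIN domain: the query's DomainSid="S-1-5-21-*" filter leaves this one out.
    {"ComputerName": "WS01", "DomainSid": "S-1-5-32", "UserRid": "220"},
]

# Constructed stand-in for the usersid_username.csv lookup table referenced by the query.
SID_TO_USERNAME = {
    "S-1-5-21-1111111111-2222222222-3333333333-1105": "CORP\\j.doe",
    # RID 500 is the built-in Administrator account of the domain.
    "S-1-5-21-1111111111-2222222222-3333333333-500": "CORP\\Administrator",
}


def readable_sid(domain_sid: str, user_rid_hex: str) -> str:
    """eval UserRid_dec=tonumber(UserRid, 16) | eval UserSid_readable=DomainSid."-".UserRid_dec"""
    return f"{domain_sid}-{int(user_rid_hex, 16)}"


def summarise_group_additions(events, lookup=SID_TO_USERNAME):
    """stats dc(ComputerName) AS "Host Count", values(ComputerName) AS "Host Name" by DomainSid, UserRid,
    followed by the SID lookup and the final table. A SID missing from the lookup keeps a None
    user name so it stands out for follow-up instead of vanishing from the result."""
    hosts_by_user = defaultdict(set)
    for event in events:
        if not event["DomainSid"].startswith("S-1-5-21-"):
            continue
        hosts_by_user[(event["DomainSid"], event["UserRid"])].add(event["ComputerName"])
    rows = []
    for (domain_sid, rid_hex), hosts in hosts_by_user.items():
        sid = readable_sid(domain_sid, rid_hex)
        rows.append({"UserSid": sid, "User Name": lookup.get(sid),
                     "Host Count": len(hosts), "Host Name": sorted(hosts)})
    # Most hosts first: an account added to the administrators group on many machines is the odd one.
    return sorted(rows, key=lambda row: row["Host Count"], reverse=True)


if __name__ == "__main__":
    for row in summarise_group_additions(SAMPLE_EVENTS):
        print(row)
```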

Show me user accounts created with logon

It may also be useful to audit account creations when hunting for anomalous activity. For example, if you observe administrator
accounts created at 0300 local time, that may be a red flag depending on company change control policies.

event_simpleName="UserIdentity" [search event_simpleName=UserAccountCreated | fields cid UserName]

Show me the responsible process for the UserAccountCreated event

Finally, it may be useful to audit account deletions when hunting for anomalous activity. Like account creations, if the
account deletions are observed outside of normal change control times or if the account was recently created, it could be a red
flag and an indication of the adversary covering their tracks.

event_simpleName=*ProcessRollup2 [search event_simpleName="UserAccountCreated" | rename RpcClientProcessId as TargetProcessId_decimal | fields aid TargetProcessId_decimal]

Show me all versions of a certain piece of software that are running in my environment (e.g. Adobe Flash, Microsoft Word)


Older versions of common software can contain numerous vulnerabilities. You can search for hosts that are running older
versions of software and mitigate the risk of having one of those vulnerabilities exploited. The following query will return the full
file path of a specified piece of software which will indicate the software version:

(event_simpleName=ProcessRollup* OR event_simpleName=ImageHash) FileName=SOFTWARE-NAME.EXE | dedup ImageFileName ComputerName | stats values(ComputerName) count by ImageFileName

Example for Microsoft Word:

(event_simpleName=ProcessRollup* OR event_simpleName=ImageHash) FileName=WinWord.exe | dedup ImageFileName ComputerName | stats values(ComputerName) count by ImageFileName

Hunting Firewall Anomalies & Vulnerabilities

It may be useful to track firewall rules being added or modified in your environment, especially outside of normal change control
hours. The following queries will show you which firewall rules were created and the process responsible. If you’re conducting an
investigation on an endpoint where exfiltration of data is suspected, looking for recently added firewall rules may help triage on
the adversary’s command and control infrastructure.

Show me all FirewallSetRule events

event_simpleName=FirewallSetRule | table aid FirewallRule RemoteAddressIP4 RemoteAddressIP6

Show me all FirewallSetRule events grouped by host

event_simpleName=FirewallSetRule | stats values(FirewallRule) by aid


Show me all rules set (with FirewallRule key/value extraction)

The following query lists all rules created and extracts the key/value pairs from the FirewallRule attribute.

event_simpleName=FirewallSetRule | rex field=FirewallRule "App=(?<App>(.*?))\|" | rex field=FirewallRule "Active=(?<Active>(.*?))\|" | rex field=FirewallRule "Profile=(?<Profile>(.*?))\|" | rex field=FirewallRule "Protocol=(?<Protocol>(.*?))\|" | rex field=FirewallRule "Dir=(?<Dir>(.*?))\|" | rex field=FirewallRule "Desc=(?<Desc>(.*?))\|" | rex field=FirewallRule "Name=(?<Name>(.*?))\|" | table aid FirewallRule App Name Desc Active Dir Profile RemoteAddressIP4 RemoteAddressIP6
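As an added example (not part of the original guide), the Python below applies the same per-field patterns the rex commands use to constructed FirewallRule strings, alongside a plain tokeniser and a review heuristic. The rule strings, paths and the triage heuristic are constructed for this example; the point to notice is that a `KEY=(.*?)\|` pattern only captures a value that is followed by a pipe.

```python
import re

# Constructed FirewallRule strings in the pipe-delimited key=value layout the rex commands above
# expect. These are sample values written for this example, not telemetry from a host.
SAMPLE_RULES = [
    "v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|LPort=4444|"
    "App=C:\\Users\\Public\\updater.exe|Name=Updater Listener|Desc=Example inbound rule|",
    # Same layout, but the string ends without a trailing pipe after the last token.
    "v2.30|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|"
    "App=C:\\Windows\\System32\\svchost.exe|Name=Core Networking - DNS (UDP-Out)",
]

# The fields the query extracts, each with the same shape as its rex command: KEY=(?<KEY>(.*?))\|
REX_FIELDS = ("App", "Active", "Profile", "Protocol", "Dir", "Desc", "Name")
REX_PATTERNS = {field: re.compile(rf"{field}=(?P<{field}>(.*?))\|") for field in REX_FIELDS}


def extract_like_rex(firewall_rule: str) -> dict:
    """Apply the per-field patterns the way the rex commands in the query do.

    As with rex, a field is captured only when its value is terminated by a '|', so the last
    token of a rule string without a trailing pipe is silently missed (value None).
    """
    fields = {}
    for name, pattern in REX_PATTERNS.items():
        match = pattern.search(firewall_rule)
        fields[name] = match.group(name) if match else None
    return fields


def parse_rule(firewall_rule: str) -> dict:
    """Tokenise the whole rule on '|' and split each token on its first '='.

    This keeps every key present in the rule (including Action and LPort, which the query does
    not extract) and does not depend on a trailing pipe.
    """
    fields = {}
    for token in firewall_rule.split("|"):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def needs_review(fields: dict) -> bool:
    """Constructed triage heuristic (not from the page): an active inbound allow rule whose
    program lives outside C:\\Windows or C:\\Program Files is worth checking against change control."""
    app = (fields.get("App") or "").lower()
    trusted_location = app.startswith(("c:\\windows\\", "c:\\program files"))
    return (fields.get("Active") == "TRUE" and fields.get("Dir") == "In"
            and fields.get("Action") == "Allow" and not trusted_location)


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print("rex-style :", extract_like_rex(rule))
        print("tokenised :", parse_rule(rule), "review:", needs_review(parse_rule(rule)))
```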

Show me the responsible process

event_simpleName=ProcessRollup2 [search event_simpleName=FirewallSetRule | rename ContextProcessId_decimal as TargetProcessId_decimal | fields aid TargetProcessId_decimal]

It may also be useful to identify critical firewall rules in your environment and monitor them for deletion (especially outside of
normal change control hours). These queries will show you which firewall rule was deleted and the process responsible.

Show me all FirewallDeleteRule events

event_simpleName=FirewallDeleteRule | table aid FirewallRuleId RemoteAddressIP4 RemoteAddressIP6

Show me all FirewallDeleteRule events grouped by hosts

event_simpleName=FirewallDeleteRule | stats values(FirewallRuleId) by aid

Show me all responsible processes

event_simpleName=ProcessRollup2 [search event_simpleName=FirewallDeleteRule | rename ContextProcessId_decimal as TargetProcessId_decimal | fields aid TargetProcessId_decimal]


The FirewallChangeOption event indicates that a firewall configuration option has been changed, such as enabling or disabling the
firewall. The data will indicate the initial process (command-line tool, custom utility, or GUI application) or remote
address/hostname that resulted in this action. It may be useful to see how often this occurs in your environment and by what
process - baselining will allow for quicker triage on the edge cases where the activity is not expected.

Show me all FirewallChangeOption events (with human-readable profile description)

event_simpleName=FirewallChangeOption |
eval FirewallProfileDescription=case(FirewallProfile=0, "INVALID", FirewallProfile=1, "DOMAIN", FirewallProfile=2, "STANDARD",
FirewallProfile=3, "PUBLIC") |
table aid FirewallOption FirewallProfileDescription FirewallOptionNumericValue FirewallOptionStringValue

Show me the responsible process for the firewall change

event_simpleName=ProcessRollup2 [search event_simpleName=FirewallChangeOption | rename ContextProcessId_decimal as TargetProcessId_decimal | fields aid TargetProcessId_decimal]

Show me the process responsible for disabling the firewall

event_simpleName=ProcessRollup2 [search event_simpleName=FirewallChangeOption FirewallOption=DisableFirewall | rename ContextProcessId_decimal as TargetProcessId_decimal | fields aid TargetProcessId_decimal]
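The "responsible process" queries in this section (and the equivalent ones for services and user accounts earlier) all rely on one correlation: the subsearch turns each triggering event into an (aid, process id) pair and the outer ProcessRollup2 search keeps the processes that match. As an added example that is not part of the original guide, the Python below performs that correlation on constructed FirewallChangeOption, FirewallSetRule and ProcessRollup2 records, and shows what goes wrong when the aid is dropped from the key and how to see the changes that have no matching process at all. Host names, aids, process ids and command lines are constructed.

```python
# Constructed events (sample data, not real telemetry); field names follow the queries above.
# ContextProcessId_decimal on a firewall event identifies the process that made the change;
# TargetProcessId_decimal on ProcessRollup2 is that process's own identifier.
FIREWALL_EVENTS = [
    {"aid": "aid-1", "event_simpleName": "FirewallChangeOption", "FirewallOption": "DisableFirewall",
     "FirewallProfile": 2, "ContextProcessId_decimal": 4412},
    # No ProcessRollup2 for this pid is in the sample (e.g. the process started outside the search window).
    {"aid": "aid-2", "event_simpleName": "FirewallChangeOption", "FirewallOption": "DisableFirewall",
     "FirewallProfile": 1, "ContextProcessId_decimal": 7777},
    {"aid": "aid-1", "event_simpleName": "FirewallSetRule",
     "FirewallRule": "v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=4444|Name=Constructed rule|",
     "ContextProcessId_decimal": 9001},
]

PROCESS_EVENTS = [
    {"aid": "aid-1", "TargetProcessId_decimal": 4412, "ComputerName": "WS01",
     "ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\netsh.exe",
     "CommandLine": "netsh.exe <arguments omitted in this sample>"},
    # Unrelated process on another host that happens to reuse pid 4412.
    {"aid": "aid-2", "TargetProcessId_decimal": 4412, "ComputerName": "WS02",
     "ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "CommandLine": "explorer.exe"},
    {"aid": "aid-1", "TargetProcessId_decimal": 9001, "ComputerName": "WS01",
     "ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\mmc.exe", "CommandLine": "mmc.exe wf.msc"},
]

# The case() mapping from the FirewallChangeOption query above.
FIREWALL_PROFILES = {0: "INVALID", 1: "DOMAIN", 2: "STANDARD", 3: "PUBLIC"}


def responsible_processes(trigger_events, process_events, option=None):
    """ProcessRollup2 [search <trigger> | rename ContextProcessId_decimal as TargetProcessId_decimal
    | fields aid TargetProcessId_decimal]: the subsearch yields (aid, pid) pairs and the outer
    search keeps only the ProcessRollup2 rows matching one of them."""
    wanted = {(e["aid"], e["ContextProcessId_decimal"]) for e in trigger_events
              if option is None or e.get("FirewallOption") == option}
    return [p for p in process_events if (p["aid"], p["TargetProcessId_decimal"]) in wanted]


def pid_only_matches(trigger_events, process_events, option=None):
    """The same correlation with aid dropped from the key, i.e. what happens when the subsearch's
    fields clause does not pass aid through: pid numbers recur on every host, so processes from
    unrelated machines are pulled in."""
    wanted = {e["ContextProcessId_decimal"] for e in trigger_events
              if option is None or e.get("FirewallOption") == option}
    return [p for p in process_events if p["TargetProcessId_decimal"] in wanted]


def unmatched_triggers(trigger_events, process_events):
    """Trigger events with no ProcessRollup2 for their (aid, pid). The subsearch form drops these
    silently, so list them separately: the firewall change still happened on that host."""
    known = {(p["aid"], p["TargetProcessId_decimal"]) for p in process_events}
    return [e for e in trigger_events if (e["aid"], e["ContextProcessId_decimal"]) not in known]


if __name__ == "__main__":
    for proc in responsible_processes(FIREWALL_EVENTS, PROCESS_EVENTS, option="DisableFirewall"):
        print("disabled firewall:", proc["ComputerName"], proc["ImageFileName"])
    for evt in unmatched_triggers(FIREWALL_EVENTS, PROCESS_EVENTS):
        print("no process found:", evt["aid"], FIREWALL_PROFILES[evt["FirewallProfile"]], evt["FirewallOption"])
```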

Hunting Suspicious Network Connections

Show me a list of outbound network traffic on non-standard ports


After compromising a host, adversaries will often use FTP or another tool to transfer files and other data to an external host. You
can use Falcon to hunt for those connections.

aid=my-aid event_simpleName=NetworkConnect* RemotePort_decimal=PORT (RemoteAddressIP4!=192.168.0.0/16 AND RemoteAddressIP4!=10.0.0.0/8 AND RemoteAddressIP4!=172.16.0.0/12 AND RemoteAddressIP4!=127.0.0.0/8) | table ComputerName aid LocalAddressIP4 LocalPort_decimal RemoteAddressIP4 RemotePort_decimal

Show me a list of unusual (fewer than 10%) connections to remote ports, excluding a known good port

aid=my-aid event_simpleName=NetworkConnect* RemotePort_decimal!=PORT | rare RemotePort_decimal | rename RemotePort_decimal AS "Remote Port" | where percent < 10 | sort percent

Show me all network connections to well-known remote ports, excluding ephemeral ports

aid=my-aid event_simpleName=NetworkConnect* RemotePort_decimal<=1024 | rare RemotePort_decimal | rename RemotePort_decimal AS "Remote Port" | where percent < 10 | sort percent
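As an added example (not part of the original guide), the Python below runs the non-standard-port query and the rare-port query above over constructed NetworkConnectIP4-style events. It reproduces the query's private-range exclusion, then goes one step beyond the page with a strict mode that also drops link-local, multicast and broadcast destinations, which the query as written lets through. Hosts, aids, addresses and ports are constructed; 203.0.113.0/24 is the RFC 5737 documentation range standing in for arbitrary Internet hosts.

```python
import ipaddress
from collections import Counter

# Ranges the non-standard-port query above excludes: RFC 1918 private space plus loopback.
QUERY_EXCLUSIONS = [ipaddress.ip_network(n) for n in
                    ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "127.0.0.0/8")]
# Non-routable destinations the query does not exclude (this addition is not from the page):
# link-local, multicast and limited broadcast.
EXTRA_EXCLUSIONS = [ipaddress.ip_network(n) for n in
                    ("169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]


def _event(host, aid, local_ip, local_port, remote_ip, remote_port):
    return {"ComputerName": host, "aid": aid, "LocalAddressIP4": local_ip, "LocalPort_decimal": local_port,
            "RemoteAddressIP4": remote_ip, "RemotePort_decimal": remote_port}


# Constructed NetworkConnectIP4-style events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    _event("WS01", "aid-1", "10.1.2.3", 50001, "10.1.2.10", 21),        # internal FTP server: excluded
    _event("WS01", "aid-1", "10.1.2.3", 50002, "203.0.113.7", 21),      # external FTP: the hit
    _event("WS02", "aid-2", "172.20.0.5", 50003, "172.31.255.1", 21),   # still inside 172.16.0.0/12
    _event("WS02", "aid-2", "172.20.0.5", 50004, "169.254.10.10", 21),  # link-local: query lets it through
    _event("WS01", "aid-1", "10.1.2.3", 50005, "203.0.113.7", 4444),
]
# Baseline traffic so the percentages in rare_remote_ports() are meaningful: 31 HTTPS, 10 DNS.
SAMPLE_EVENTS += [_event("WS03", "aid-3", "192.168.1.20", 51000 + i, "203.0.113.9", 443) for i in range(31)]
SAMPLE_EVENTS += [_event("WS03", "aid-3", "192.168.1.20", 52000 + i, "10.1.2.1", 53) for i in range(10)]


def _in_any(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def hunt_outbound(events, port: int, strict: bool = False):
    """event_simpleName=NetworkConnect* RemotePort_decimal=PORT (RemoteAddressIP4 not in the private
    ranges) | table ...  With strict=True the extra non-routable ranges are excluded as well."""
    exclusions = QUERY_EXCLUSIONS + (EXTRA_EXCLUSIONS if strict else [])
    return [e for e in events
            if e["RemotePort_decimal"] == port and not _in_any(e["RemoteAddressIP4"], exclusions)]


def rare_remote_ports(events, exclude_port=None, max_percent: float = 10.0):
    """rare RemotePort_decimal | where percent < 10 | sort percent, optionally after
    RemotePort_decimal!=PORT. The percentages are computed over the events that remain after the
    exclusion, so excluding the dominant port changes every other port's share."""
    ports = [e["RemotePort_decimal"] for e in events if e["RemotePort_decimal"] != exclude_port]
    total = len(ports) or 1
    rows = [{"Remote Port": port, "count": n, "percent": 100.0 * n / total}
            for port, n in Counter(ports).items()]
    return sorted((r for r in rows if r["percent"] < max_percent), key=lambda r: r["percent"])


if __name__ == "__main__":
    for e in hunt_outbound(SAMPLE_EVENTS, 21, strict=True):
        print("outbound port 21:", e["ComputerName"], "->", e["RemoteAddressIP4"])
    for r in rare_remote_ports(SAMPLE_EVENTS):
        print("rare port:", r)
```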

Show me a list of low-volume domain name requests

Domain names that are commonly looked up will receive many requests. You can hunt for low-volume domain name requests,
since this might indicate anomalous behavior and, potentially, suspicious requests. Below is the base query and an example that
shows how you should apply filtering to it.

aid=my-aid event_simpleName=DnsRequest | regex DomainName=".*\..*" | stats values(ComputerName) count by DomainName | where count < 4 | sort - count

For example, adding the following would remove all DomainName requests to the top level domain "google.com":

aid=my-aid event_simpleName=DnsRequest DomainName!=*google.com | regex DomainName=".*\..*" | stats values(ComputerName) count by DomainName | where count <4 | sort - count
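The four network hunts above (external connections on a given port, rare remote ports, rare well-known ports, and low-volume DNS requests) share two pieces of logic: excluding private and loopback ranges, and computing per-value counts or percentages. The following Python block is an added example, not Falcon's own code, that re-implements that logic over constructed events so it can be read and tested offline. Field names follow the event fields used in the queries above; the host names, sensor IDs, addresses and domains are made up for the demonstration, and the function names are my own.

```python
# Added example (not Falcon's own code): the network-connection and low-volume DNS hunts
# above, re-implemented over constructed events so the filtering and aggregation can be
# inspected offline.
import ipaddress
from collections import Counter, defaultdict

# Private and loopback ranges excluded by the first query's RemoteAddressIP4!= clauses.
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in
                  ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "127.0.0.0/8")]


def _conn(remote_ip, remote_port, local_port):
    """Build one constructed NetworkConnectIP4-style event (field names as on this page)."""
    return {"ComputerName": "WS01", "aid": "aid-1", "LocalAddressIP4": "10.1.2.3",
            "LocalPort_decimal": local_port, "RemoteAddressIP4": remote_ip,
            "RemotePort_decimal": remote_port}


# Constructed sample: mostly HTTPS, some SMB to an internal host, and two one-off ports.
NETWORK_EVENTS = (
    [_conn("203.0.113.7", 443, 50000 + i) for i in range(15)]
    + [_conn("10.1.2.10", 445, 50100 + i) for i in range(3)]
    + [_conn("198.51.100.9", 8443, 50200), _conn("192.0.2.44", 6667, 50201)]
)

# Constructed DnsRequest events: one busy domain, a few rare ones, one name with no dot.
DNS_EVENTS = (
    [{"ComputerName": "WS01", "DomainName": "www.example.com"}] * 6
    + [{"ComputerName": "WS02", "DomainName": "cdn.example.org"}] * 2
    + [{"ComputerName": "WS03", "DomainName": "update.example.net"},
       {"ComputerName": "WS03", "DomainName": "mail.google.com"},
       {"ComputerName": "WS01", "DomainName": "localhost"}]
)


def is_external(ip):
    """True when the address lies outside every excluded range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_RANGES)


def outbound_on_port(events, port):
    """First query: connections to PORT whose remote address is not private or loopback."""
    return [e for e in events
            if e["RemotePort_decimal"] == port and is_external(e["RemoteAddressIP4"])]


def rare_remote_ports(events, exclude_port=None, max_port=None, max_percent=10.0):
    """Second and third queries: `rare RemotePort_decimal | where percent < 10 | sort by percent`.
    exclude_port drops a known-good port; max_port=1024 keeps only well-known ports."""
    ports = [e["RemotePort_decimal"] for e in events
             if e["RemotePort_decimal"] != exclude_port
             and (max_port is None or e["RemotePort_decimal"] <= max_port)]
    if not ports:
        return []
    total = len(ports)
    rows = [(port, count, 100.0 * count / total) for port, count in Counter(ports).items()]
    return sorted((r for r in rows if r[2] < max_percent), key=lambda r: (r[2], r[0]))


def low_volume_domains(events, max_count=4, exclude_suffix=None):
    """Fourth query: `stats values(ComputerName) count by DomainName | where count < 4 | sort - count`,
    with the optional DomainName!=*SUFFIX exclusion shown in the filtered variant."""
    counts, hosts = Counter(), defaultdict(set)
    for e in events:
        name = e["DomainName"]
        if "." not in name:                       # regex DomainName=".*\..*"
            continue
        if exclude_suffix and name.endswith(exclude_suffix):
            continue
        counts[name] += 1
        hosts[name].add(e["ComputerName"])
    rows = [(d, c, sorted(hosts[d])) for d, c in counts.items() if c < max_count]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    print(outbound_on_port(NETWORK_EVENTS, 6667))
    print(rare_remote_ports(NETWORK_EVENTS))
    print(low_volume_domains(DNS_EVENTS, exclude_suffix="google.com"))
```

Note that `rare` percentages are computed over whatever the search before it returned, so excluding a noisy port (or restricting to ports at or below 1024) changes the denominator and can make a port that was rare in the full data set disappear from the result; check the result against the unfiltered run before concluding a port is normal.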

Uncommon processes making network connections or DNS Requests

Typically, programs like Notepad and other operating system utilities will not be making network connections. Any such behavior
could be suspicious. Given a process name, you can run this query to determine if a process is making network connections or
DNS requests:

aid=my-aid event_simpleName="DnsRequest" | rename ContextProcessId_decimal as TargetProcessId_decimal | join TargetProcessId_decimal [search aid=my-aid event_simpleName="ProcessRollup2" ImageFileName="*PROCESS"] | table ComputerName timestamp ImageFileName DomainName CommandLine

Example for Notepad:

aid=a9e3b67c7883497f6d18fdd1517b177d event_simpleName="DnsRequest" | rename ContextProcessId_decimal as TargetProcessId_decimal | join TargetProcessId_decimal [search aid=a9e3b67c7883497f6d18fdd1517b177d event_simpleName="ProcessRollup2" ImageFileName="notepad.exe"] | table ComputerName timestamp ImageFileName DomainName CommandLine

Uncommon processes making network connections to remote IP addresses on a specific host

aid=my-aid event_simpleName="NetworkConnectIP4" | rename ContextProcessId_decimal as TargetProcessId_decimal | join TargetProcessId_decimal [search aid=my-aid event_simpleName="ProcessRollup2" ImageFileName="*PROCESS"] | table ComputerName timestamp ImageFileName RemoteAddressIP4 CommandLine
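The two queries above, and most of the Java hunts later in this guide, use the same pattern: rename the context process ID on a DnsRequest or NetworkConnect event to TargetProcessId_decimal and join it against ProcessRollup2 so that the network event carries the image path and command line of the process that produced it. The same trick with TargetProcessId_decimal renamed to ParentProcessId_decimal finds children of a given parent. The block below is an added example, not Falcon's own code, showing both joins over constructed events; the host names, sensor IDs, process IDs and domains are made up, the join is keyed on aid plus process ID (as the page's queries do by scoping to one host), and the function names are my own.

```python
# Added example (not Falcon's own code): the process-context join used by the DNS and
# network-connection queries above, plus the parent/child variant, over constructed events.
from collections import defaultdict


def _proc(pid, ppid, image, cmdline, ts):
    """One constructed ProcessRollup2-style event on host aid-1."""
    return {"aid": "aid-1", "ComputerName": "WS01", "TargetProcessId_decimal": pid,
            "ParentProcessId_decimal": ppid, "ImageFileName": image,
            "FileName": image.rsplit("\\", 1)[-1], "CommandLine": cmdline, "timestamp": ts}


PROCESS_EVENTS = [
    _proc(1001, 400, r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt", 1),
    _proc(1002, 400, r"C:\Program Files\Java\bin\java.exe", "java.exe -jar app.jar", 2),
    _proc(1003, 1002, r"C:\Windows\System32\whoami.exe", "whoami", 3),
    _proc(1004, 400, r"C:\Program Files\Browser\browser.exe", "browser.exe", 4),
]

# Constructed DnsRequest events. ContextProcessId_decimal names the requesting process; the
# third event is on another host, so it must not match aid-1's process 1001.
DNS_EVENTS = [
    {"aid": "aid-1", "ContextProcessId_decimal": 1001, "DomainName": "paste.example.net", "timestamp": 5},
    {"aid": "aid-1", "ContextProcessId_decimal": 1004, "DomainName": "www.example.com", "timestamp": 6},
    {"aid": "aid-2", "ContextProcessId_decimal": 1001, "DomainName": "other.example.org", "timestamp": 7},
]


def _index(process_events, key):
    """Group process events by (aid, <key>) so each join is a dictionary lookup."""
    idx = defaultdict(list)
    for p in process_events:
        idx[(p["aid"], p[key])].append(p)
    return idx


def context_join(context_events, process_events, image_suffix):
    """rename ContextProcessId_decimal as TargetProcessId_decimal | join TargetProcessId_decimal
    [search ProcessRollup2 ImageFileName="*SUFFIX"] | table ComputerName timestamp ImageFileName
    DomainName CommandLine"""
    by_pid = _index(process_events, "TargetProcessId_decimal")
    rows = []
    for ev in context_events:
        for proc in by_pid.get((ev["aid"], ev["ContextProcessId_decimal"]), []):
            if proc["ImageFileName"].lower().endswith(image_suffix.lower()):
                rows.append({"ComputerName": proc["ComputerName"], "timestamp": ev["timestamp"],
                             "ImageFileName": proc["ImageFileName"],
                             "DomainName": ev.get("DomainName"), "CommandLine": proc["CommandLine"]})
    return rows


def child_join(process_events, parent_file, child_file):
    """ProcessRollup2 FileName=PARENT | rename TargetProcessId_decimal as ParentProcessId_decimal |
    join ParentProcessId_decimal [search ProcessRollup2 FileName=CHILD]: children named CHILD
    whose parent is PARENT."""
    by_ppid = _index(process_events, "ParentProcessId_decimal")
    rows = []
    for parent in process_events:
        if parent["FileName"].lower() != parent_file.lower():
            continue
        for child in by_ppid.get((parent["aid"], parent["TargetProcessId_decimal"]), []):
            if child["FileName"].lower() == child_file.lower():
                rows.append({"ComputerName": child["ComputerName"], "timestamp": child["timestamp"],
                             "Parent": parent["ImageFileName"], "ImageFileName": child["ImageFileName"],
                             "CommandLine": child["CommandLine"]})
    return rows


if __name__ == "__main__":
    print(context_join(DNS_EVENTS, PROCESS_EVENTS, "notepad.exe"))
    print(child_join(PROCESS_EVENTS, "java.exe", "whoami.exe"))
```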

Show all Remote Desktop Protocol (RDP) connections observed on a specific host

aid=my-aid event_simpleName=UserIdentity LogonType_decimal=10 | table timestamp ComputerName UserName UserPrincipal LogonServer


Hunting Anomalous Behavior

Show me processes that only ran a few of times on a specific host

Trusted processes are more likely to run dozens of times on a host. By searching for processes that ran only a few times, you can
hunt for anomalous activity that may help spot malicious processes. Adversaries understand the need to avoid using highly
visible processes, if they are to stay under the radar.

aid=my-aid event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2 | stats count by SHA256HashData ImageFileName ComputerName UserName | where count <5 | sort - count

Show me all deleted user accounts

It may be useful to audit account deletions when hunting for anomalous activity. Like account creations, if the account deletions
are observed outside of normal change control times or if the account was recently created, it could be a red flag and an
indication of the adversary covering their tracks.

event_simpleName=UserAccountDeleted | table aid UserName UserRid

Hunt for file name or command line arguments matching Regex

When an adversary delivers a malicious file to a host, they'll likely change or vary the file name so that it's harder for analysts to
find. This is a very common tactic in phishing campaigns. Adversaries will use a different name for each file, but they will still
follow some kind of logical pattern, as the files are likely to be created programmatically. Thus, the file will not have the same
name on each host, but we can nevertheless use a regular expression to hunt for them.

It should be noted that the event search handles special character escaping differently. For example, if you wanted to enter the
path \system32\config\, you would traditionally write it and escape the backslashes like so:

"\\system32\\config\\"


However, this should be written as:

"\\\\system32\\\\config\\\\"

CommandLine Query

aid=my-aid event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2 | regex CommandLine="REGEX" | table ComputerName UserName FileName ImageFileName CommandLine

FileName Query

aid=my-aid event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2 | regex ImageFileName="REGEX" | table ComputerName UserName FileName ImageFileName CommandLine
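To make the regex hunt and the escaping rule above concrete, here is an added Python example (not Falcon's own code) that runs a pattern over the CommandLine or ImageFileName of constructed ProcessRollup2-style events, and a helper that applies the rule the guide states for the Event Search regex command: a literal backslash must be written as four backslashes. The user names, paths and the programmatic `invoice_NNNNNN.exe` naming pattern are constructed for the demonstration, and the function names are mine.

```python
# Added example (not Falcon's own code): regex hunting over CommandLine / ImageFileName and
# the backslash-escaping rule stated above, applied to constructed ProcessRollup2-style events.
import re


def _proc(user, image, cmdline):
    """One constructed process event with the table columns used in the queries above."""
    return {"ComputerName": "WS01", "UserName": user, "ImageFileName": image,
            "FileName": image.rsplit("\\", 1)[-1], "CommandLine": cmdline}


# Constructed sample: two programmatically named executables, one document, one admin command.
PROCESS_EVENTS = [
    _proc("alice", r"C:\Users\alice\AppData\Local\Temp\invoice_284713.exe", "invoice_284713.exe"),
    _proc("bob", r"C:\Users\bob\AppData\Local\Temp\invoice_990021.exe", "invoice_990021.exe"),
    _proc("alice", r"C:\Program Files\Office\WINWORD.EXE",
          r'"C:\Program Files\Office\WINWORD.EXE" /n invoice.docx'),
    _proc("admin", r"C:\Windows\System32\cmd.exe",
          r"cmd.exe /c dir C:\Windows\system32\config\systemprofile"),
]


def hunt(events, field, pattern):
    """`regex FIELD="REGEX"`: keep events whose FIELD matches the pattern (case-insensitive,
    since Windows paths and file names are case-insensitive)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [e for e in events if rx.search(e[field])]


def event_search_regex(literal):
    """Apply the rule stated on this page for the Event Search regex command: each literal
    backslash in the path is written as four backslashes."""
    return literal.replace("\\", "\\\\\\\\")


# Python's own regex engine needs only one level of escaping: re.escape turns "\" into "\\".
CONFIG_PATH_PATTERN = re.escape("\\system32\\config\\")
# Files named by a program: a fixed prefix, six digits, a fixed extension.
INVOICE_PATTERN = r"^invoice_\d{6}\.exe$"


if __name__ == "__main__":
    print([e["FileName"] for e in hunt(PROCESS_EVENTS, "FileName", INVOICE_PATTERN)])
    print([e["CommandLine"] for e in hunt(PROCESS_EVENTS, "CommandLine", CONFIG_PATH_PATTERN)])
    print(event_search_regex("\\system32\\config\\"))
```

The `event_search_regex` helper encodes the doubling rule from the page and nothing more; it does not escape other regex metacharacters such as `.` or `(`, which still need their usual single backslash.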

Hunting Anomalies Related to Scheduled Tasks

The following two queries provide examples on how to work with the fields belonging directly to the event or extracting content
from a scheduled task's XML content. These queries may be useful in hunting for anomalies within your network. Adversaries will
utilize “schtasks.exe” and “at.exe” to schedule the launch of their tools, malware (implants) and scripts on remote machines,
which allows them to spread throughout your network and maintain persistence.

Show me ScheduledTaskRegistered events by host

event_simpleName=ScheduledTaskRegistered |
stats values(TaskName) as TaskName values(TaskExecCommand) as TaskExecCommand values(TaskAuthor) as TaskAuthor
values(ClientComputerName) as ClientComputerName values(RemoteAddressIP4) as RemoteAddressIP4 values(RemoteAddressIP6) as
RemoteAddressIP6 by aid


Show me remote tasks registered by host

event_simpleName=ScheduledTaskRegistered ClientComputerName!="" |
stats values(TaskName) as TaskName values(TaskExecCommand) as TaskExecCommand values(TaskAuthor) as TaskAuthor
values(ClientComputerName) as ClientComputerName values(RemoteAddressIP4) as RemoteAddressIP4 values(RemoteAddressIP6) as
RemoteAddressIP6 by aid

It may also be worthwhile to monitor scheduled tasks that are deleted outside of normal change windows based on your
company's policies.

Show me ScheduledTaskDeleted events by host

event_simpleName=ScheduledTaskDeleted |
stats values(TaskName) as TaskName values(ClientComputerName) as ClientComputerName values(RemoteAddressIP4) as RemoteAddressIP4
values(RemoteAddressIP6) as RemoteAddressIP6 by aid

Show me remote tasks deleted by host

event_simpleName=ScheduledTaskDeleted ClientComputerName!="" |
stats values(TaskName) as TaskName values(ClientComputerName) as ClientComputerName values(RemoteAddressIP4) as RemoteAddressIP4
values(RemoteAddressIP6) as RemoteAddressIP6 by aid

Scheduled tasks can be configured to run under many conditions, including:

At log on

At startup

At a specific time


On a schedule

On an event

On idle

More information can be found here: Trigger Types (MSDN)

Show me events triggered at log on

event_simpleName="ScheduledTaskRegistered" | spath input=TaskXml output=Trigger path=Task.Triggers.LogonTrigger | search Trigger=*

Show me events triggered at startup

event_simpleName="ScheduledTaskRegistered" | spath input=TaskXml output=Trigger path=Task.Triggers.BootTrigger | search Trigger=*

Show me events triggered at a specific time

event_simpleName="ScheduledTaskRegistered" | spath input=TaskXml output=Trigger path=Task.Triggers.TimeTrigger | search Trigger=*

Show me events that are scheduled

event_simpleName="ScheduledTaskRegistered" | spath input=TaskXml output=Trigger path=Task.Triggers.CalendarTrigger | search Trigger=*

Show me events triggered on an event

event_simpleName="ScheduledTaskRegistered" | spath input=TaskXml output=Trigger path=Task.Triggers.EventTrigger | search Trigger=*


Show me tasks scheduled by logon type

The logon type sets the logon method to run the tasks. More information is available under LogonTypes (MSDN)

event_simpleName="ScheduledTaskRegistered" | spath input=TaskXml output=LogonType path=Task.Principals.Principal.LogonType

Show me tasks scheduled by user ID

UserId is either a built-in Windows SID or a username in the format \

event_simpleName="ScheduledTaskRegistered" | spath input=TaskXml output=UserId path=Task.Principals.Principal.UserId

Show me tasks scheduled by run level

The RunLevel specifies the privilege level required to run the tasks. More information is available under RunLevel (MSDN)

event_simpleName="ScheduledTaskRegistered" | spath input=TaskXml output=RunLevel path=Task.Principals.Principal.RunLevel

Show me tasks scheduled with ComHandler

event_simpleName="ScheduledTaskRegistered" | spath input=TaskXml output=ClassId path=Task.Actions.ComHandler.ClassId | search ClassId=*

Show me hidden scheduled tasks

event_simpleName="ScheduledTaskRegistered" | spath input=TaskXml output=Hidden path=Task.Settings.Hidden | search Hidden=true
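The spath queries in this section all read one path out of the task's XML definition. The block below is an added Python example, not Falcon's own code, that resolves the same dotted paths (Task.Triggers.LogonTrigger, Task.Principals.Principal.RunLevel, Task.Settings.Hidden, and so on) against constructed ScheduledTaskRegistered events, so the trigger, principal, run-level, ComHandler and hidden-task hunts above can be exercised offline. The two task definitions, task names and sensor IDs are constructed, the ComHandler ClassId is an all-zero placeholder rather than a real handler, and the function names are my own; the XML namespace is the one Windows Task Scheduler uses in exported task definitions.

```python
# Added example (not Falcon's own code): a small spath-style reader for the TaskXml field,
# so the trigger / principal / settings hunts above can be run offline on constructed events.
import xml.etree.ElementTree as ET

# Constructed task: logon-triggered, hidden, runs with highest available privileges from a
# user-writable directory. The kind of registration the hunts above are meant to surface.
TASK_A_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author">
    <UserId>WS01\alice</UserId><LogonType>InteractiveToken</LogonType><RunLevel>HighestAvailable</RunLevel>
  </Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Users\alice\AppData\Roaming\updater.exe</Command></Exec></Actions>
</Task>"""

# Constructed task: daily calendar trigger, least privilege, ComHandler action (placeholder CLSID).
TASK_B_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2020-04-16T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><ComHandler><ClassId>{00000000-0000-0000-0000-000000000000}</ClassId></ComHandler></Actions>
</Task>"""

# Constructed ScheduledTaskRegistered events carrying the XML in TaskXml, as on this page.
EVENTS = [
    {"aid": "aid-1", "TaskName": r"\Updater", "TaskXml": TASK_A_XML},
    {"aid": "aid-2", "TaskName": r"\Microsoft\Windows\Example\Nightly", "TaskXml": TASK_B_XML},
]


def spath(task_xml, path):
    """Resolve a dotted path such as Task.Triggers.LogonTrigger (the spath syntax used on this
    page) against the task XML; returns the matching elements, honouring the root namespace."""
    root = ET.fromstring(task_xml)
    parts = path.split(".")
    if parts[0] != "Task" or len(parts) < 2:
        raise ValueError("path must look like Task.<child>...")
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""
    steps = [f"{{{ns}}}{p}" if ns else p for p in parts[1:]]
    return root.findall("./" + "/".join(steps))


def text_at(task_xml, path):
    """Text of the first element at path, or None when the task has no such element."""
    els = spath(task_xml, path)
    return (els[0].text or "").strip() if els else None


def hunt(events, path, value=None):
    """`spath ... | search X=*` (value None) or `search X=value`: events with that element."""
    hits = []
    for ev in events:
        els = spath(ev["TaskXml"], path)
        if els and (value is None or any((e.text or "").strip() == value for e in els)):
            hits.append(ev)
    return hits


def triggers(task_xml):
    """Local names of every trigger element, e.g. ['LogonTrigger']."""
    blocks = spath(task_xml, "Task.Triggers")
    return [e.tag.rsplit("}", 1)[-1] for e in blocks[0]] if blocks else []


def summarize(ev):
    """One row per registration with the fields the queries above extract."""
    x = ev["TaskXml"]
    return {"TaskName": ev["TaskName"], "Triggers": triggers(x),
            "UserId": text_at(x, "Task.Principals.Principal.UserId"),
            "LogonType": text_at(x, "Task.Principals.Principal.LogonType"),
            "RunLevel": text_at(x, "Task.Principals.Principal.RunLevel"),
            "Hidden": text_at(x, "Task.Settings.Hidden") == "true",
            "ComHandlerClassId": text_at(x, "Task.Actions.ComHandler.ClassId")}


if __name__ == "__main__":
    for ev in EVENTS:
        print(summarize(ev))
    print([e["TaskName"] for e in hunt(EVENTS, "Task.Settings.Hidden", "true")])
```

Elements that are absent come back as None rather than raising, which mirrors how `search X=*` simply drops events that lack the field; the SYSTEM task above has no LogonType element at all, so a hunt on LogonType returns only the tasks that state one.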


Hunting Suspicious Registry Changes

The Windows registry is a hierarchical database that stores the values of variables in Windows and the applications and services
that run on Windows. The operating system and other programs also use the registry to store data about users and about the
current configuration of the system and its components. Most end users never need to view or edit the registry. The
administrative tools and Windows interface enable users to safely change their preferences and the services and features of the
operating system. However, in rare instances, the only way to change an operating system variable is by editing the registry.
Thus, because the registry contains sensitive, protected information about users and the host’s configuration, it is a common
target of security adversaries.

aid=my-aid event_simpleName=ASEP* | table timestamp ComputerName RegObjectName | sort - timestamp

We recommend using filters when running this query, which are explained in the Best Practices section at the beginning of this
document.

Show me persistence (Run Key)

This query will allow you to hunt for persistence set via Run keys from a remote machine. This activity may be an indicator of
attack, as the adversary would likely be attempting to establish and maintain control of the target host. The "RemoteAddressIP4"
and "ClientComputerName" fields, if present, will indicate the origin of the activity.

event_simpleName=RegRemoteRegistry | table RemoteAddressIP4 ClientComputerName event_simpleName RegObjectName ImageFileName

Hunting Java Malware, Trojans, & Exploits


HUNTING JAVA MALWARE/TROJANS

Show me DNS requests spawning from javaw.exe process (beaconing):

event_simpleName="DnsRequest" | rename ContextProcessId_decimal as TargetProcessId_decimal | join TargetProcessId_decimal [search event_simpleName="ProcessRollup2" ImageFileName="*javaw.exe"] | table ComputerName timestamp ImageFileName DomainName CommandLine

Show me .JAR files written to %AppData%

event_simpleName=NewExecutableWritten TargetFileName="*\\AppData\\Roaming\\*\\*\.jar" | table ComputerName timestamp ImageFileName DomainName CommandLine

Show me .JAR files executed from %AppData*

event_simpleName=ProcessRollup2 FileName=javaw.exe CommandLine=*appdata* CommandLine=*-jar* | table event_simpleName ComputerName timestamp ImageFileName DomainName CommandLine

Show me ASEP for Java executables

event_simpleName=AsepValueUpdate RegObjectName=*\\Run (RegValueName=*\.jar OR ImageFileName=*\.jar OR CommandLineParameters=*\.jar) | table _time event_simpleName ContextImageFileName RegPostObjectName RegObjectName RegStringValue RegValueName CommandLineParameters ImageFileName | sort -_time

HUNTING JAVA EXPLOITS:

Show me the Java.exe process writing executable files:


This query is used exclusively for portable executable files.

event_simpleName=PeFileWritten | rename ContextProcessId_decimal as TargetProcessId_decimal | join TargetProcessId_decimal [search event_simpleName=ProcessRollup2 FileName=java.exe] | table _time cid aid Customer ComputerName event_simpleName UserName ImageFileName CommandLine TargetFileName FileName MD5HashData SHA256HashData CommandHistory | sort -_time

This NewExecutableWritten event is generated when an executable file extension is written, whether or not it is truly an executable
file type. Any file that ends with a known executable file extension (e.g. .exe, .bat, .scr) will generate this event.

event_simpleName=NewExecutableWritten | rename ContextProcessId_decimal as TargetProcessId_decimal | join TargetProcessId_decimal [search event_simpleName=ProcessRollup2 FileName=java.exe] | table _time cid aid Customer ComputerName event_simpleName UserName ImageFileName CommandLine TargetFileName FileName MD5HashData SHA256HashData CommandHistory | sort -_time

Hunt for child process of "whoami" spawning underneath Java.exe process:

You can substitute "whoami" for any recon commands:

event_simpleName=ProcessRollup2 FileName=java.exe | rename TargetProcessId_decimal as ParentProcessId_decimal | join ParentProcessId_decimal [search event_simpleName=ProcessRollup2 FileName=whoami.exe] | table _time cid aid Customer ComputerName event_simpleName UserName ImageFileName CommandLine TargetFileName FileName MD5HashData SHA256HashData CommandHistory | sort -_time

Walkthroughs

The walkthroughs below show how Falcon allows you to quickly deep dive on different types of IOCs.

Hunting Walkthrough: Domain IOC

Let's walk through an example of how the Falcon web interface helps you hunt when starting with a domain type IOC.

1. Sign in to the Falcon web interface and open the Bulk Domain Search page.

2. Enter the domain that you are searching for and specify a time range (Note: Falcon lets you use wildcards in the search
field).

In the search results, you will see a domain lookup summary that shows all DNS requests made to that domain. The results
also include the host name that made each request, the date on which the request was first made, a quick link to do a
WHOIS lookup for the domain, and other useful information. You will also see any processes that looked up that domain, if
present, and a list of suspicious domain lookups.


3. From here, you have multiple options.

First, if you see a suspicious DNS request on a host that you know is malicious, you can click Contain to go to the Host
Details page to quickly contain the host.

Alternatively, you can click View to pivot to the Process Tree to see which process made the request, and if you believe
that the host has been compromised, you can contain the host from that page as well.

Finally, you can click one of the domain names in the domain lookup summary list. This opens the Event Search page with
a pre-populated  DnsRequest  event search for the selected domain name in raw JSON format. You can view the events in a
timeline at the top or use the filters on the left side of the page to quickly filter down to specific values (e.g. a specific
time or sensor AID). For more information on CrowdStrike events, see the Events Data Dictionary on the Docs page in the
UI.

4. You can then use the built-in workflows to quickly pivot to other searches during your investigation.


Note that from this screen, you can also choose "View Process Explorer for the responsible processes" to quickly pivot back
to the Process Tree, which allows you to triage and investigate using a visual representation of the event, making it easier to
understand the relationship between the processes involved in the DNS request.

Hunting Walkthrough: IP IOC

Let's walk through an example of how the Falcon web interface helps you hunt when starting with an IP IOC.

1. Sign in to the Falcon web interface and open the Source IP Search page.

2. Enter the IP that you are searching for and specify a time range. In the search results, you will see key details such as the
host name of any host that matches the IP, first/last seen dates, agent version (the version of the sensor that the host is
running), organizational unit (OU) and other geographical information.

3. Next, click one of the host names in the list. This opens the Host Search page with a pre-populated search for that host. In
the results, you will see a wide range of data including basic host information, detect history for the host, a list of
unresolved detects for the host, and a list of network connection and network listening events.


You can even view a world map of external network connections for that host.


Hunting Walkthrough: Hash IOC

Let's walk through an example of how the Falcon web interface helps you hunt when starting with a hash IOC.

1. Sign in to the Falcon web interface and open the Hash Search page.

2. Enter the MD5 or SHA256 that you are searching for and specify a time range. You can search by file name, command line
string, host name, or user name.

In the search results, you will see the Process Execution History section for the hash (historical summary of execution
details such as the total number of executions) as well as a Process Execution section, which breaks out each individual
instance that the hash was executed, the time of execution, and other key process details.


Furthermore, under Process History, click either the MD5 or SHA256 hash to open a pre-populated Virus Total search with
the selected hash.


3. As is often the case, let's say our results list is simply too long to sort through, and we need a way to narrow down our hash
search to a specific host or hosts. Falcon makes it easy to search within your results, meaning you can quickly narrow down
results even further by entering, for example, a specific host name (shown below).


Troubleshooting

Problem: My query runs successfully but returns no results.
Solution: Seeing no results can mean many things. To begin with, try removing individual parts of the query until you start seeing results. From there, add additional syntax piece by piece until you stop receiving results. This will help you isolate which part of your query's syntax is causing you to receive no results. See the Events Data Dictionary for sample queries for your particular event or other events which may help you diagnose the issue.

Problem: My query fails to run.
Solution: To begin with, try removing individual parts of the query until you start seeing results. This will help you isolate which part of your query's syntax is causing the issue. See the Events Data Dictionary for additional sample queries for your particular event or other events which may help you diagnose the issue.

Problem: My query takes too long.
Solution: Ensure that you've included a timeframe, platform, and, if possible, a host name in your query. Try shortening your timeframe, if possible, and work your way up to a larger timeframe. Joins can be particularly time-intensive.

Problem: Something specific I'm searching for is failing to show up in the search results.
Solution: Try adding the specific host name to the query. Then, try removing individual parts of the query until you start seeing results. This will help you isolate which part of your query's syntax is causing you to receive no results.

Problem: Something specific is erroneously showing up in the results.
Solution: Identify which piece of data should not be there and revisit the portion of the syntax that you feel should exclude that from your search results. This will help you isolate which part of your query's syntax is causing you to receive results where there should be none. There may also be an issue with your config. Contact Support if the issue continues.

Appendix A: Investigate App Pages

The Investigate App lets you search for specific hashes, file names, command line arguments, IP addresses, and specific
computers and users. The Investigate App contains these pages for investigating and hunting for events:

Host Search

Hash Search

User Search

Source IP Search

Bulk Hash Search

Bulk Domain Search

Event Search

USB Device Usage

Containers

Mobile Hosts

These searches help you quickly collect relevant information during incident triage and hunting.

Time range: When you set a time range for your Investigate searches, we recommend using a time range of 3 days or
shorter. Longer time ranges can take several minutes to display.


Spectre & Meltdown

The Spectre & Meltdown dashboard helps you assess how well your Windows hosts are protected from two security
vulnerabilities published in January 2018:

“Spectre” (Variant 2: Branch Target Injection, CVE-2017-5715)

“Meltdown” (Variant 3: Rogue Data Cache Load, CVE-2017-5754)

This dashboard only displays information about Windows hosts running sensor version 3.9.6009 or later.


MITIGATING SPECTRE

Mitigating Spectre involves three components and applies to both software and hardware:

Set a registry key specified by Microsoft. (This component applies to software.)

Install a software patch from Microsoft. (This component applies to software.)

Update your processor's firmware/BIOS. The specific steps depend on the hardware used in your hosts, but Microsoft
provides an index of major hardware vendors. (This component applies to hardware.)

Variant 2 (aka Spectre) Patch Status | Microsoft patch installed? | Registry key set? | Firmware updated? | Recommended action
Protected | Yes | Yes | Yes | None - this host is protected against the Variant 2 (Spectre) vulnerability.
Unprotected – No Microcode | Yes | Yes | No | Apply the microcode update from your hardware vendor.
Unprotected – No Microcode and Disabled by Registry | Yes | No | No | Set the registry key specified by Microsoft. Apply the microcode update from your hardware vendor.
Unprotected – with Microcode but Disabled by Registry | Yes | No | Yes | Set the registry key specified by Microsoft.
Unpatched | No | No | No | Apply the software patch from Microsoft. Set the registry key specified by Microsoft. Apply the microcode update from your hardware vendor.

MITIGATING MELTDOWN

Mitigating Meltdown involves two components and applies only to software:

Set a registry key specified by Microsoft. (This component applies to software.)

Install a software patch from Microsoft. (This component applies to software.)

On certain hardware, using this software patch can slow your host's processing performance. See Microsoft's blog
post about the performance impact of the mitigation.

Variant 3 (aka Meltdown) Patch Status | Microsoft patch installed? | Registry key set? | Recommended action
Protected – Minimal Performance Impact | Yes | Yes | None - this host is protected from the Variant 3 (Meltdown) vulnerability. This host's hardware is expected to perform only slightly slower as a result of the software patch.
Protected – Visible Performance Impact | Yes | Yes | None - this host is protected from the Variant 3 (Meltdown) vulnerability. This host's hardware is expected to perform noticeably slower as a result of the software patch.
Unprotected | Yes | No | Set the registry key specified by Microsoft.
Unprotected – due to x86 | Yes | No | Replace this host with a device that uses a 64-bit operating system. Set the registry key specified by Microsoft.
Unpatched – Minimal Performance Impact Expected | No | No | Apply the software patch provided by Microsoft. This host's hardware is expected to perform only slightly slower after applying the software patch.
Unpatched – Visible Performance Impact Expected | No | No | Apply the software patch provided by Microsoft. This host's hardware is expected to perform noticeably slower after applying the software patch.
Unpatched – due to x86 | No | No | Replace this host with a device that uses a 64-bit operating system. Set the registry key specified by Microsoft. Apply the software patch provided by Microsoft.

Host Search

Use Host Search to search for events across all Windows and Mac hosts in your environment. Due to differences in these
platforms, some items may not be available for both Windows and Mac.

Searchable activity includes:

Host info

Map of external network connections


List of external network connections (by country, including the port and the # of connections)

Detection history (last 14 days)

Unresolved Detects (last 7 days)

Local and External IPs (last 7 days)

Unique Users Logged on (last 7 days)

Unique ASEP values updated

Unique ASEP keys updated

Unique Executables Written

Unique Injected Threads

Unique DLL Injections

Browser-injected Threads from Unsigned Module(s)

Unique Java-injected Threads

Command History

Process Executions

Admin Tool Usage

Possible Scripting Activities

DNS Requests

Network Connections

Network Listening


RAR/Zip File Written

Scripts Written

Executable Activities

Removable Media Usage

Hash Search

Use Hash Search to search for events by hash across all Windows and Mac hosts in your environment. Due to differences in these
platforms, some items may not be available for both Windows and Mac.

Searchable hash information includes:

Hash Written History (SHA256-only)

Module Load History

Process Execution History

Detect History (last 14 days)

Unresolved Detects (last 7 days)

Process Executions

You can export the data to a PDF by clicking the Export PDF button on the right side of the screen.

User Search


Use User Search to search for user activity across all Windows and Mac hosts in your environment. Due to differences in these
platforms, some items may not be available for both Windows and Mac. Results in this report are filtered if:

The user logging on is one of the well-known security identifiers. (see Microsoft's documentation)

The logon session is NOT an interactive session or a service account.

Though the results are filtered, the raw events for these logons are still captured in Event Search.

Searchable user activity includes:

Logon Activities (last 30 days)

Detect History (last 30 days)

Unresolved Detects (last 7 days)

Process Executions

Admin Tool Usage

Files written (JAR, OLE, OOXML, PDF, RAR, RTF, ZIP, dumps)
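User Search applies the filters above for you. When you hunt the same logon data in Event Search you apply them yourself. The search below is an added example, not part of the original guide, that reproduces the Remote Access Graph's view of Terminal Server (Type 10, e.g. RDP) and Network (Type 3) logons on raw UserLogon events, drops the well-known service SIDs (S-1-5-18 SYSTEM, S-1-5-19 LOCAL SERVICE, S-1-5-20 NETWORK SERVICE) and computer accounts (names ending in $), and then lists users who have logged on remotely to an unusually large number of hosts. The event name UserLogon and the fields LogonType, UserName, UserSid and ComputerName are assumed here from the Events Data Dictionary; the threshold of five hosts is an arbitrary starting point to tune for your environment.

```spl
event_simpleName=UserLogon event_platform=Win LogonType IN (3, 10)
NOT UserSid IN ("S-1-5-18", "S-1-5-19", "S-1-5-20") NOT UserName="*$"
| eval LogonKind=case(tonumber(LogonType)==10, "Terminal Server (RDP)", tonumber(LogonType)==3, "Network")
| stats count AS logons, dc(ComputerName) AS hosts, values(ComputerName) AS computers,
        min(_time) AS first_seen, max(_time) AS last_seen BY UserName, LogonKind
| where hosts>=5
| convert ctime(first_seen), ctime(last_seen)
| sort -hosts
```

Run it from Investigate App > Event Search > Search with a bounded time range (the last 7 days is a reasonable start). A single account with Network logons to many hosts in a short window is the pattern you would expect from lateral movement or credential reuse; an account with Terminal Server logons to many hosts is worth checking against your jump-host and admin-workstation inventory. Drop the `where` line to see the full distribution before choosing a threshold.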

Source IP Search

Search for host information by IP. Source IP Search allows you to use wildcards (e.g., 192*).

Bulk Hash Search

Search for multiple hashes (MD5/SHA256/SHA1*) and their detect and process execution history. Bulk Hash Search allows you to use
wildcards (e.g., c32*).

*SHA1 is deprecated as of Falcon sensor 5.11.

Bulk Domain Search

Search for detect and process execution history involving a domain or list of domains. Bulk Domain Search allows you to use
wildcards (e.g., evildoma*).

Event Search

The Event Search page is where you can find pre-made reports and pre-made searches that allow you to view data collected from
your endpoints. This page also provides you with a powerful custom search tool that allows you to analyze, explore, and hunt for
suspicious or malicious activity in your environment.

Tip: Read our Events Data Dictionary for specific data on key CrowdStrike events that you find when using the Event
Search page.

The Event Search page is divided into several different sections:

Search: Provides direct access to Falcon endpoint metadata, where events can be queried and processed with Splunk's Search
Processing Language (SPL). Use this view when the prebuilt Falcon dashboards and reports do not contain the results you need,
or when you want to write a custom query; the stock dashboards in the Falcon console are sufficient most of the time. For
detailed information on CrowdStrike events and how to search for them, see the Events Data Dictionary.

Activity: Provides four different dashboard views:

Detection Activity: This dashboard applies only to Managed Security Service Provider (MSSP) partners and customers with
multiple Customer IDs (CIDs). It is available at Investigate App > Event Search > Activity > Detection Activity and lets you
view all detections across every CID you have access to. Clicking a detection opens the Falcon Process Explorer for that
detection in a new browser tab, already switched to the correct CID, so you can triage it (assign the detection, add
comments, contain the host, resolve the detection, and so on) without toggling CIDs manually. When you finish, close that
tab and return to the Detection Activity page for the next detection. Note that some applications in the left navigation
menu, such as Dashboards and Users, are not available in the auto-toggled tab.

Falcon DNS: This dashboard is available to users who also subscribe to Falcon DNS services.

Linux Sensors: Provides a comprehensive view of activities on Linux hosts.

Mac Sensors: Provides a comprehensive view of activities on Mac hosts.

Timeline: Provides the ability to generate a "Host Timeline" and a "Process Timeline." This allows you to view all relevant events
for a specific computer or all events associated with any user-specified process execution.

Reports: Offers various canned reports surrounding activities that typically indicate suspicious activity occurring on a system.
Available reports are listed below.

Files Written to Removable Media: Search for file written activities to removable media.

Machine Learning Prevention: View malware that would have been blocked in your environment during the last 30 days based
on different Machine Learning Prevention settings (Cautious, Moderate, or Aggressive).

PowerShell Hunt: Allows users to search for suspicious PowerShell activities.

Prevention Policy Audit Trail: View audit trail for all policies.

Hunting Reports: Provides fast access to automated hunting queries in the "Search" view. Hunting report options:

Command Line and ASEP Activity from Network-capable Processes

Executables Running from Recycle Bin

Executables Running from Temporary Directories

Scheduled Task Creations

Visibility Reports: Provides fast access to automated queries in the "Search" view. Visibility report options:

Logon Activities

Remote Access Graph: Provides a graphical representation of relationships between users and systems that have been
remotely accessed. This allows you to search for users who are remotely logged on to devices based on logon type. You
can search for either Terminal Server logons (Type 10, e.g., RDP) or Network Server (Type 3) logons.

Remote or Network Logon Activities

Unique Hosts Connecting to Countries Map: Provides a map of unique hosts making connections to different countries. You
can search based on destination IPs and ports, and double-click a country to drill down into details surrounding these
connections. Details provided include the timestamp, computer name, process ID, local IP, local port, destination IP, remote
port, aid, and country.

Sensors: Contains a series of reports to help admins manage deployment and coverage of CrowdStrike sensors.

Sensor Report: Provides an overview of active sensors in your environment.

Newly Installed Sensors: Provides a list of sensors that have been recently installed.

Inactive Sensors: Provides a list of sensors that have not reported in a given timeframe. Note that sensors that have been
inactive for more than 45 days will be deleted.

Sensor Coverage Lookup: Search by host name to see if a sensor has been installed on that host. Accepts a space-delimited
list of hosts so admins can provide multiple hostnames. Limited to 50 hosts.

Sensor Policy Daily Report: Review the groups and policies assigned to a host. Note that this report is only updated once a
day, so information may not always be up to date. If you have not purchased an app like Prevent or Device Control, your
sensors will be assigned to the platform_default policy.

UNDERSTANDING EVENT SEARCHES

The search capabilities in the Falcon console provide direct access to Falcon endpoint metadata, where each event can be
queried with Splunk's Search Processing Language (SPL). Use search when the prebuilt Falcon dashboards and reports do not
contain the desired results, or when you want to write a custom query.

The Events Data Dictionary provides information about CrowdStrike events found when using the Event Search page. We also
recommend that you read the Splunk Enterprise Quick Reference Guide for more information about Splunk and to get started
writing Splunk queries. For an introduction to advanced hunting queries, we recommend that you read the Hunting Guide for
Windows.

WHAT'S IN EVENT SEARCH?

Command line activity

Domain requests for each process

Outbound network connections

Archive files

Process injection

AV engine results

Files written and deleted

WHAT'S NOT IN EVENT SEARCH?

Historical computer metadata:

Falcon only captures metadata since the time of sensor installation on a host.

The amount of historical data contained in Event Search will vary depending on your data plan.

This kind of historical system metadata is captured via a tool like CrowdStrike's CrowdResponse, triage scripts, or some
other type of enterprise scanning tool that can quickly search for IOCs across multiple systems.

Inbound network connections: As mentioned above, the Event Search functionality only identifies outbound network
connections.

MD5, SHA1*, and SHA256 hashes are calculated only for DLLs and EXEs, so you cannot search for or collect hashes of
non-binary files (documents, scripts, archives) in Event Search.

*SHA1 is deprecated as of Falcon sensor 5.11.

USING THE SEARCH PAGE

Let's walk through a small example:

1. In the search bar, enter the following syntax, which says "search for DNS Request events made on Windows hosts in my
environment."

event_simpleName=DnsRequest event_platform=Win

2. Set the timeframe to "Last 15 minutes," which limits the timeframe of your search.

3. Set the search to Verbose Mode, and then click the magnifying glass to search.

This will return a JSON response of data for every DnsRequest event on Windows hosts in your environment in the last 15 minutes.
Specifying a platform and a timeframe greatly reduces the time it takes to search. You can also use the Event Sampling
functionality to gather a random sample of events (100, 1,000, etc.).
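The walkthrough above returns every raw DnsRequest event, which is useful for confirming what the data looks like but not for hunting. The two searches below are an added example, not part of the original guide, showing how to turn that base search into a hunt. The first aggregates requests by domain to surface domains resolved on only a handful of hosts (rare domains are a common hunting pivot); the second ties requests for a domain of interest back to the process that made them by matching the DnsRequest event's ContextProcessId to the ProcessRollup2 event's TargetProcessId on the same aid. The field names DomainName, ComputerName, ContextProcessId, TargetProcessId, FileName, CommandLine and UserName are assumed here from the Events Data Dictionary, and the domain pattern evildoma* is a placeholder you replace with the domain you are chasing.

```spl
event_simpleName=DnsRequest event_platform=Win
| stats count AS requests, dc(aid) AS hosts, values(ComputerName) AS computers,
        min(_time) AS first_seen, max(_time) AS last_seen BY DomainName
| where hosts<=2 AND requests<=5
| convert ctime(first_seen), ctime(last_seen)
| sort hosts, requests

event_platform=Win (event_simpleName=DnsRequest DomainName="evildoma*") OR event_simpleName=ProcessRollup2
| eval pid=coalesce(ContextProcessId, TargetProcessId)
| stats values(DomainName) AS domains, values(FileName) AS process, values(CommandLine) AS cmdline,
        values(UserName) AS user, values(ComputerName) AS computer, min(_time) AS first_seen BY aid, pid
| where isnotnull(domains) AND isnotnull(process)
| convert ctime(first_seen)
| table first_seen, computer, user, process, cmdline, domains
```

Run each search with the time picker set to a bounded window; the rarity thresholds (two hosts, five requests) are starting points, and in a large environment you will want to exclude your own domains and well-known CDNs first. The second search correlates with stats rather than join because join subsearches are capped in size and silently truncate; grouping both event types by aid and process ID keeps the correlation complete over any time range you choose.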

WORKFLOWS

Event workflows are automated searches that can be used to pivot between related events and searches. Every event has a
workflow. Workflows enable you to quickly and easily run pre-made queries on search results, meaning you can run powerful
queries (written by CrowdStrike's hunting experts) without writing a single line of Splunk syntax. Note that workflows only
appear in Verbose Mode (enabled by default).

To use a workflow, click the Event Actions button at the bottom of the JSON for any raw event.

When selected, a workflow will open in a new tab or window. Workflow searches may not produce results for every event.

Containers

Falcon’s container security shows runtime information about containers in your environment. Use container info to review your
containers, see trends on container usage, and identify containers that use risky configurations.

Investigate > Containers provides dashboards to help you investigate activity on containers running on your Linux hosts.

BEFORE YOU BEGIN

Familiarize yourself with container technology and terms.

System requirements: 

Falcon sensor for Linux version 5.27 or later

Open Container Initiative (OCI) compatible containers, such as Docker

Subscription requirements: Falcon for AWS

Role requirements: Falcon Administrator, Falcon Security Lead, or any other role that can access Investigate

UNDERSTANDING LINUX CONTAINER SECURITY

CONTAINER DASHBOARDS

The Container dashboards at Investigate > Containers help you distinguish activity within a container from activity on a host. Use
this info to track activity on your hosts that run containers.

Dashboards only show information about containers that were started after the Falcon sensor was installed. When you
install a sensor, restart the containers on that host for full visibility.

DETECTION AND PREVENTION POLICIES

Prevention policies assigned to a Linux host also apply to containers running on that host. This includes:

Cloud ML detections

Indicator of Attack detections

Custom hash blocking

Blocklisted file preventions

Detections and preventions only show information about containers that were started after the Falcon sensor was
installed. When you install a sensor, restart the containers on that host for full visibility.

USING CONTAINER DASHBOARDS

Go to Investigate > Containers to find the Container dashboards.

CONTAINER USAGE

See a high-level overview of the containers running on your Linux hosts, including the number of active containers, the number of
your hosts running containers, and more. Use the Hosts Running Containers Over Time and Total Containers Running Over Time
graphs to get context about whether the current container counts are anomalous for your environment.

CONTAINER CONFIGURATIONS

Identify containers that are running with risky configurations. Use the Container Configurations dashboard to identify containers
that have unusual launch modes (privileged permissions, interactive, or out-of-memory kill disabled modes), mount points, and
more.

These configurations are not always dangerous, and your organization may choose to use them for good reasons. Use these
dashboards to confirm that your containers are configured as expected, and that containers are not using risky configurations
unnecessarily.

Filter containers:

To filter the container list for specific elements of risky configurations, select Yes in the relevant field’s dropdown menu

Search for containers:

Enter a host’s agent ID to find containers related to a specific host

Enter a full or partial (with the * wildcard) container name to find a specific container

Click a maintainer or user account to find associated containers

CONTAINER BY HOST

View all the containers in your environment sorted by their host. To find containers related to a specific host, enter the host’s
agent ID.

CONTAINER BY IMAGE

View all the containers in your environment sorted by their image. Enter a container image name to get details on the active
containers based on that image.

To find images related to a specific host, enter the host’s agent ID.

To find all containers based on an image, enter a full or partial (with the * wildcard) image name.

Mobile Hosts

Mobile Hosts is where to search for and view detections and events across all mobile hosts in your environment.

Requirements:

Subscription: Falcon for Mobile

Sensor support: CrowdStrike Falcon app for iOS and Android. Mobile detections are supported on 2020 versions and later.

System requirements: None

Roles: Users with these roles can see mobile detections: Falcon Administrator, Falcon Security Lead, Falcon Investigator, Falcon
Analyst, Falcon Analyst - Read Only, Event Viewer

SEARCH

Provides direct access to mobile host metadata, where you can query and process detections and events with Splunk's Search
Processing Language (SPL). Use this view when the prebuilt Falcon dashboards and reports do not contain the desired results, or
when you want to write a custom query; the stock dashboards in the Falcon console are sufficient most of the time. For
detailed information on CrowdStrike's mobile events and how to search for them, see the Events Data Dictionary.

ACTIVITY > MOBILE HOSTS

Provides visualizations of basic statistics about your mobile hosts, including platform, OS version, and device models.

ACTIVITY > MOBILE DETECTIONS

Mobile Detections is your dashboard for monitoring the detection activity reported from your mobile hosts.

NOTE: Use Custom Alerts to configure email notifications about detections on mobile hosts using the Mobile Host Detections
template.

Use the graphs to quickly understand the severity of the detections on your mobile hosts and which tactics and techniques are
involved. Hover over a graph to see more information.

In the Detection Details table, see key details and use column sorting to zero in on common aspects among detections, such as
detection severity or device model.

Click on a detection’s informational cells to go to its Mobile Hosts Report. The informational cells are:

Timestamp

User

Severity

aid (Agent ID)

Detection

Model

MITRE ID

Details

Click on a detection’s MITRE Tactic and MITRE Technique cells to open documentation to learn more about that specific tactic
or technique.

TIMELINE > MOBILE TIMELINE REPORT

Provides the ability to generate a Host Information timeline and a process timeline. This allows you to view all relevant events for
a specific mobile host or all events associated with a specific process execution.

REPORTS > MOBILE HOSTS REPORT

See information about detections on specific mobile hosts in Investigate > Mobile Hosts > Activity > Mobile Detections.