CROWDSTRIKE CONFIDENTIAL
Hunting and Investigation
Contents:
Introduction
Before You Begin
System Dependencies
Browser Dependencies
Hunting With Falcon
Overview
Best Practices
Hunting Queries
Hunting Suspicious Processes
Hunting Phishing Attacks & Malicious Attachments
Hunting Configuration and Compliance Vulnerabilities
Hunting Firewall Anomalies & Vulnerabilities
Hunting Suspicious Network Connections
Hunting Anomalous Behavior
Hunting Anomalies Related to Scheduled Tasks
Hunting Suspicious Registry Changes
Hunting Java Malware, Trojans, & Exploits
Walkthroughs
Hunting Walkthrough: Domain IOC
Hunting Walkthrough: IP IOC
Hunting Walkthrough: Hash IOC
Troubleshooting
https://falcon.crowdstrike.com/support/documentation/12/hunting-and-investigation#hunting-suspicious-processes 1/67
5/6/2020 Hunting and Investigation | Documentation | Support | Falcon
Introduction
The Hunting Guide for Windows teaches you how to hunt for adversaries, suspicious activities, suspicious processes, and
vulnerabilities on the Windows platform using Falcon.
Falcon contains a suite of powerful search tools that allow you to analyze, explore, and hunt for suspicious or malicious activity in
your environment. These tools include the pre-made search dashboards in the various Falcon apps as well as the ability to run
custom queries on the Events Search page in the Investigate App. This guide focuses mainly on using custom queries to hunt, but
will also direct you to use Falcon's pre-made dashboards when it makes most sense.
If at any time you have questions or encounter technical issues not covered in this guide or in the Troubleshooting section,
contact Support.
Before You Begin
System Dependencies
This guide contains information about how to hunt using Falcon and is tailored specifically towards users running the Falcon
sensor on Windows devices. However, a lot of the ideas and concepts also apply to users running the Falcon sensor on Mac or
Linux. Depending on the sensor platform, however, the names and descriptions of certain events as well as custom query syntax
will vary. We recommend that you read and refer to the Events Data Dictionary to learn more about specific events and their
variations across platforms. The Events Data Dictionary also contains additional custom queries not found in this document that
could be useful when hunting.
Browser Dependencies
CrowdStrike currently supports the Google Chrome browser for use with the Falcon web interface. Other browsers may work, but
we do not support other browsers at this time.
Hunting With Falcon
Overview
Hunting with Falcon is straightforward. By using either the pre-made dashboards and reports or by using custom queries on the
Events Search page, you can search for specific events and data points across one, several, or all hosts running the Falcon sensor
in your environment. The data returned in an Events Search query is from the last 30 days of sensor activity, though most of the
queries you run will need to be narrowed down to a smaller timeframe so that results are usable. You then use your search results
to understand and evaluate security events happening in your environment.
Before you start hunting with Falcon, however, there are a few concepts and best practices that you should familiarize yourself
with, beginning with the queries themselves.
Best Practices
All queries in Falcon are powered by the Splunk query language. This document focuses less on teaching you Splunk syntax and
more on the various behaviors and activities you will be hunting. To learn more about Splunk and Splunk syntax, we recommend
that you read the Official Splunk Documentation and the Splunk Enterprise Quick Reference Guide.
Even if you aren’t a Splunk expert, this guide makes it easy to understand what each query does and how you can modify queries
to get more value out of them. Let’s start with a simple example.
Show me a list of processes that executed from the Recycle Bin for a specific AID
Most of the queries in this document can simply be copied and pasted into Events Search with minimal modification required by
the user. However, when you see capitalized values, you will need to provide a value before you can run the query.
In the example above, you should provide an "agent ID" (or "AID" for short), which is a unique ID given to each Falcon sensor.
Adding the AID to the query limits the scope of your query to the sensor with that AID and greatly reduces the time and
computational cost of your search.
Using the AID in this fashion is just one way to drill down to a specific host. You can also use host name ( ComputerName="foo" ) in the
same fashion.
This is just one example, but shows how specificity matters greatly when writing Splunk queries. The more specific you can be
when writing a query, the fewer results you will have to sort through and the faster the query will run.
Let’s see how a simple query can be made more useful for you with a few simple modifications. Below is an example query that
returns a large amount of data and takes a long time to run. This query returns a list of SuspiciousDnsRequest events, the domains
to which the requests were made, the host names from which the requests were made, and the number of times the requests were
made:
The number of results returned by this query and the time it takes to run make it difficult to work with. We can fix
both problems by making the query more specific.
Let’s start reducing the number of results by limiting the query to a single AID, which would return a list of SuspiciousDnsRequest
events that occurred on the host running the Falcon sensor with that particular AID:
Next, we can further reduce our results list by specifying a timeframe. Instead of searching across 30 days of data, let’s search for
instances of this event in the last 24 hours using the "earliest" and "latest" keywords:
We also know that domains requested only once or twice, rather than dozens of times, are more likely to be suspicious.
We can limit our results to domains below a given request count. In this example, we only want to see domains to which
fewer than three suspicious requests were made, so we add a condition on the event count:
aid="a9e3b67c7883497f6d18fdd1517b177d" event_simpleName=SuspiciousDnsRequest earliest=-24h latest=now | stats values(ComputerName) count by DomainName | where count <3
Alternatively, we could reduce the number of results further by returning only the top 20 or bottom 20 results based on the
number of requests made:
Bottom 20 results:
It should also be noted that Events Search and Splunk handle special character escaping differently. For example, in
Splunk you would traditionally write the path \system32\config\ by escaping each backslash with another backslash:
"\\system32\\config\\"
In Events Search, each backslash must be escaped twice over, so the same path is written as:
"\\\\system32\\\\config\\\\"
By adding a timeframe, applying limits and filters, and escaping our searches properly, we can easily reduce the results list of our
Splunk query to a useful, manageable amount of information. This decreases the time and complexity of hunting adversaries in
your environment.
In Events Search, there are different search modes available to you. When hunting, we recommend using Smart Mode, as
this is the fastest search mode.
CHANGE VIEWS
You can view the results of any event search query with one click. You can choose Events List, Table, or Results Chart. For the
purposes of hunting, we recommend using the Raw view to view the raw data. This is also the only way you will be able to access
workflows (described later).
Hunting with Falcon is all about obtaining meaningful data. Thus, for every query you run, you will most likely want to filter out
data that you know is unnecessary. Unnecessary data could be data that is irrelevant to what you are searching for or it could
simply be data that you know is benign.
For example, let’s say you are hunting suspicious registry changes.
We can make this more meaningful by filtering out a registry object that we know to be benign using the "does not equal" syntax
(" != "). This reduces the amount of results we get and speeds up the time it takes to run the query.
The Events Search page has built-in workflows that enable you to quickly and easily run pre-made queries on your search results
with the click of a button. This allows you to run powerful queries without writing a single line of Splunk syntax.
To see how this works, we’ll run the following example query. This query returns a list of all versions of Microsoft Word that are
running on my hosts (removing duplicate entries by ImageFileName and ComputerName ).
The raw JSON of a ProcessRollup2 event appears in the search results.
Let's say we now want to see the event for the process that spawned this one (the "parent process"). We could write a
brand new query, or we could use the built-in workflows: click Event Actions below the raw JSON to open the workflow
menu for the event.
Note the number of workflows that are built in. This list will vary depending on the event.
Hunting Queries
Hunting Suspicious Processes
To see a list of executables running from the Recycle Bin, Falcon provides a premade report on the Events Search page under
Reports > Hunting Reports > Executables Running from Recycle Bin. You can also run the following query.
Processes generally shouldn’t be executing from user spaces. These paths cover spaces that are considered to be User Paths.
Similar to the previous query, processes typically shouldn’t be running from these locations:
If hunting for anomalous activity, look for services that do not originate from “Windows\System32” location. Remember to escape
the directory backslashes (“\”) with another backslash.
This is similar to the previous query but more specific - this will look for “svchost.exe” running from unexpected locations, e.g.
“C:\Windows\Temp”. You can utilize any binary name or service of interest to find anomalous behavior. “ServiceDisplayName” can
be substituted for “ImageFileName” if you want to hunt on service names instead.
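The two location checks just described (binaries under user-writable paths such as the Recycle Bin, and svchost.exe running outside System32), together with the backslash-escaping rule from Best Practices, prototyped offline in Python so you can see the logic before committing it to a query. This is an added example and not CrowdStrike code or one of this page's queries: the path list it matches on, the sample ProcessRollup2-style records, and the treatment of SysWOW64 as a second legitimate svchost location are my assumptions.

```python
"""Added example (not CrowdStrike code): an offline check for the two
process-location anomalies described above, run over constructed
ProcessRollup2-style records, plus the two escaping forms for backslashes.

Assumptions: the user-writable path list below is my own; the page's own path
list is not reproduced here. Falcon commonly records ImageFileName as a
\\Device\\HarddiskVolumeN\\... path, so the checks match on path fragments
rather than on a drive letter. SysWOW64 is treated as a legitimate svchost
location in addition to System32 (an addition to what the page states)."""
import re

# (label, pattern) pairs: a process image under any of these is worth a look
USER_WRITABLE = [
    ("Recycle Bin", re.compile(r"\\\$recycle\.bin\\", re.I)),
    ("user profile", re.compile(r"\\users\\", re.I)),
    ("AppData", re.compile(r"\\appdata\\", re.I)),
    ("Temp", re.compile(r"\\temp\\", re.I)),
    ("ProgramData", re.compile(r"\\programdata\\", re.I)),
]
# svchost.exe is only expected in these two locations
SVCHOST_EXPECTED = re.compile(r"\\windows\\(system32|syswow64)\\svchost\.exe$", re.I)


def classify(image_file_name):
    """Return the list of reasons an ImageFileName looks anomalous ([] if none)."""
    reasons = [label for label, rx in USER_WRITABLE if rx.search(image_file_name)]
    basename = image_file_name.rsplit("\\", 1)[-1].lower()
    if basename == "svchost.exe" and not SVCHOST_EXPECTED.search(image_file_name):
        reasons.append("svchost.exe outside System32")
    return reasons


def hunt(events):
    """Offline stand-in for: event_simpleName=ProcessRollup2 ... | table ComputerName ImageFileName"""
    hits = []
    for e in events:
        if e.get("event_simpleName") != "ProcessRollup2":
            continue
        reasons = classify(e["ImageFileName"])
        if reasons:
            hits.append((e["ComputerName"], e["ImageFileName"], reasons))
    return hits


def splunk_escape(literal):
    """Plain Splunk: one backslash in the path becomes two in the query string."""
    return literal.replace("\\", "\\\\")


def events_search_escape(literal):
    """Falcon Events Search: each backslash is escaped twice over (four characters)."""
    return literal.replace("\\", "\\\\\\\\")


EVENTS = [  # constructed sample records
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-ALPHA",
     "ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-ALPHA",
     "ImageFileName": "\\Device\\HarddiskVolume2\\$Recycle.Bin\\S-1-5-21-1004\\update.exe"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-BRAVO",
     "ImageFileName": "C:\\Users\\alice\\AppData\\Local\\Temp\\7z.exe"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-BRAVO",
     "ImageFileName": "C:\\Windows\\Temp\\svchost.exe"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-CHARLIE",
     "ImageFileName": "C:\\Program Files\\Corp\\agent.exe"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-CHARLIE",
     "ImageFileName": "C:\\Windows\\SysWOW64\\svchost.exe"},
    {"event_simpleName": "DnsRequest", "ComputerName": "WS-CHARLIE",
     "ImageFileName": "C:\\Users\\bob\\Desktop\\tool.exe"},  # wrong event type, ignored
]

if __name__ == "__main__":
    for host, image, reasons in hunt(EVENTS):
        print(f"{host:10} {image}  <- {', '.join(reasons)}")
    print(splunk_escape("\\system32\\config\\"), events_search_escape("\\system32\\config\\"))
```

The same fragments that the Python regexes match (`\users\`, `\temp\`, `$Recycle.Bin`) are what you would put in the Splunk regex; the two escape helpers show why a pattern that works in plain Splunk returns nothing in Events Search until every backslash is doubled again.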
Certain malware and adversary tools run as a service with specific names. If you want to hunt for any of these service
names, this query allows for quick triage.
In the table fields, "ContextTimeStamp" provides the system time of event creation, which is useful when correlating with
the time frame of interest. "RemoteAddressIP4" provides the IP address of the remote machine that initiated the request
(the origin) and "ClientComputerName" provides the NetBIOS name of the remote machine.
The “CreateService” event has been updated in sensor version 2.27 to include the remote IP address (RemoteAddressIP4) as well
as the hostname (ClientComputerName) of the machine that initiated the request. If the data is available, this query will show you
the origin of the remote procedure call which could be useful in identifying compromised assets during an intrusion.
Utilize this query to alert on when key services are stopped, such as Windows Firewall (“Base Filtering Engine”) or other security
related services.
Hunting Phishing Attacks & Malicious Attachments
Phishing is an attempt to acquire information such as user names, passwords, and credit card details by masquerading as a
trustworthy entity in an electronic communication.
Show me a list of attachments sent from Outlook in the past hour that have a file name of "winword.exe", "excel.exe", or
"POWERPNT.exe"
To further drill down on this activity, choose a workflow from the drop-down menu associated with the ProcessRollup2 event.
Hunting Configuration and Compliance Vulnerabilities
Show me a list of web servers or database processes running under a Local System account
The Local System account is the account the operating system uses to run much of its core functionality, so it has far
more privileges than a typical user account. If an adversary compromises a process running as Local System, they inherit
those privileges immediately and do not even need to obtain credentials. It is important to confirm that every process
running as Local System genuinely needs that level of privilege.
UserName="LOCAL SYSTEM" | dedup aid | table ComputerName UserName ImageFileName CommandLine
During an intrusion, an adversary will likely leverage existing user accounts after harvesting their credentials, and if
those accounts need elevated permissions, they will be added to the Administrators group. This query can also be
useful for insider threat activity.
It may also be useful to audit account creations when hunting for anomalous activity. For example, if you observe administrator
accounts created at 0300 local time, that may be a red flag depending on company change control policies.
Show me the responsible process for the UserAccountCreated event
Finally, it may be useful to audit account deletions when hunting for anomalous activity. Like account creations, if
deletions are observed outside of normal change control times, or if the account was only recently created, it could be a
red flag and an indication of the adversary covering their tracks.
Show me all versions of a certain piece of software that are running in my environment (e.g. Adobe Flash, Microsoft Word)
Older versions of common software can contain numerous vulnerabilities. You can search for hosts that are running older
versions of software and mitigate the risk of having one of those vulnerabilities exploited. The following query will return the full
file path of a specified piece of software which will indicate the software version:
Hunting Firewall Anomalies & Vulnerabilities
It may be useful to track firewall rules being added or modified in your environment, especially outside of normal change control
hours. The following queries will show you which firewall rules were created and the process responsible. If you are conducting an
investigation on an endpoint where exfiltration of data is suspected, looking for recently added firewall rules may help you triage
the adversary's command and control infrastructure.
Show me all FirewallSetRule events
Rules set (with FirewallRule key/value extraction). The following query lists all rules created along with extracting out the key/value
pairs from the FirewallRule attribute.
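The key/value extraction described above, written out as an added Python example rather than the page's Splunk extraction. It assumes the FirewallRule attribute carries the pipe-delimited "v2.xx|Key=Value|...|" string that Windows itself stores for a rule (the format under the FirewallRules registry key); the sample rule strings, the protocol-number table and the triage heuristic are constructed for illustration and are not from this page.

```python
"""Added example (not CrowdStrike code): parse the pipe-delimited rule string
that Windows stores for a firewall rule and triage the result.

Assumption: the FirewallRule attribute on FirewallSetRule events carries the
same "v2.xx|Key=Value|...|" string Windows keeps under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules.
The sample strings below are constructed."""

PROTOCOLS = {"1": "ICMPv4", "6": "TCP", "17": "UDP", "58": "ICMPv6"}
# Binaries under these roots are treated as expected; anything else is user-writable territory
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_firewall_rule(raw):
    """'v2.30|Action=Allow|Dir=In|...|' -> dict. Repeated keys (e.g. several LPort2_10
    entries) are collected into a list instead of overwriting each other."""
    tokens = [t for t in raw.split("|") if t]
    version = tokens[0] if tokens and "=" not in tokens[0] else ""
    rule = {"_version": version}
    for tok in tokens[1 if version else 0:]:
        if "=" not in tok:
            continue  # tolerate a malformed token rather than dropping the whole rule
        key, value = tok.split("=", 1)
        if key in rule:
            rule[key] = (rule[key] if isinstance(rule[key], list) else [rule[key]]) + [value]
        else:
            rule[key] = value
    return rule


def protocol_name(value):
    return PROTOCOLS.get(str(value), f"proto-{value}")


def summarize(rule):
    """One-line description to sit in a table next to the responsible process."""
    proto = protocol_name(rule["Protocol"]) if "Protocol" in rule else "any"
    ports = " ".join(f"{k}={rule[k]}" for k in ("LPort", "RPort") if k in rule)
    target = rule.get("App") or rule.get("Svc") or "any program"
    parts = [rule.get("Action", "?"), rule.get("Dir", "?"), proto, ports, target]
    return " ".join(p for p in parts if p)


def is_noteworthy(rule):
    """Active Allow rules for a binary outside the system roots, or inbound Allow rules
    bound to no program or service at all. A triage heuristic, not a verdict."""
    if rule.get("Action") != "Allow" or str(rule.get("Active", "TRUE")).upper() != "TRUE":
        return False
    app = (rule.get("App") or "").lower()
    if app and not app.startswith(SYSTEM_ROOTS):
        return True
    return rule.get("Dir") == "In" and not app and "Svc" not in rule


RULES = [  # constructed FirewallRule strings
    "v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|"
    "App=C:\\Windows\\System32\\svchost.exe|Svc=termservice|Name=Remote Desktop|",
    "v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=4444|"
    "App=C:\\Users\\Public\\update.exe|Name=Update Service|",
    "v2.30|Action=Block|Active=TRUE|Dir=Out|Protocol=17|RPort=53|RA4=192.0.2.10|Name=Block DNS to test host|",
    "v2.30|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|RPort=443|RA4=198.51.100.7|"
    "App=C:\\Users\\alice\\AppData\\Local\\Temp\\helper.exe|Name=Helper|",
    "v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=8080|Name=Anything inbound on 8080|",
]

if __name__ == "__main__":
    for raw in RULES:
        rule = parse_firewall_rule(raw)
        flag = "!!" if is_noteworthy(rule) else "  "
        print(flag, rule.get("Name"), "::", summarize(rule))
```

Splitting on `=` only once matters: App paths and Name strings can themselves contain `=`, and a naive split would silently truncate them.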
It may also be useful to identify critical firewall rules in your environment and monitor them for deletion (especially outside of
normal change control hours). These queries will show you which firewall rule was deleted and the process responsible.
Show me all FirewallDeleteRule events
The FirewallChangeOption event indicates that a firewall configuration option has been changed, such as enabling or disabling the
firewall. The data will indicate the initial process (command-line tool, custom utility, or GUI application) or remote
address/hostname that resulted in this action. It may be useful to see how often this occurs in your environment and by what
process - baselining will allow for quicker triage on the edge cases where the activity is not expected.
event_simpleName=FirewallChangeOption |
eval FirewallProfileDescription=case(FirewallProfile=0, "INVALID", FirewallProfile=1, "DOMAIN", FirewallProfile=2, "STANDARD",
FirewallProfile=3, "PUBLIC") |
table aid FirewallOption FirewallProfileDescription FirewallOptionNumericValue FirewallOptionStringValue
Hunting Suspicious Network Connections
After compromising a host, adversaries will often use FTP or another tool to transfer files and other data to an external host. You
can use Falcon to hunt for those connections.
Show me a list of unusual (fewer than 10%) connections to remote ports, excluding a known good port
Show me all network connections to well-known remote ports, excluding ephemeral ports
Domain names that are commonly looked up will receive many requests. You can hunt for low-volume domain name requests,
since this might indicate anomalous behavior and, potentially, suspicious requests. Below is the base query and an example that
shows how you should apply filtering to it.
aid=my-aid event_simpleName=DnsRequest | regex DomainName=".*\..*" | stats values(ComputerName) count by DomainName | where count <4 | sort - count
For example, adding the following would remove all DomainName requests to the top level domain "google.com":
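The narrowing steps from Best Practices (scope to one AID, bound the time window, stack by DomainName, keep only the low-volume tail, take the bottom N) and the low-volume DnsRequest hunt above, including the exclusion of a known-good domain tree such as google.com, prototyped offline in Python over constructed records. This is an added example, not CrowdStrike code or a query from this page; the records use this page's field names plus an assumed timestamp field standing in for the event time that earliest/latest operate on.

```python
"""Added example (not CrowdStrike code): the narrowing steps from Best Practices
(scope to one aid, bound the time window, stack by DomainName, keep the
low-volume tail) and the DnsRequest hunt above, prototyped offline in Python.

The records below are constructed and use the field names from this page
(aid, ComputerName, DomainName, event_simpleName) plus a 'timestamp' field
standing in for the event time that Splunk's earliest/latest operate on."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2020, 5, 6, 12, 0, tzinfo=timezone.utc)  # fixed "now" so results are reproducible


def _ev(aid, host, domain, hours_ago, name="DnsRequest"):
    return {"aid": aid, "ComputerName": host, "DomainName": domain,
            "event_simpleName": name, "timestamp": NOW - timedelta(hours=hours_ago)}


EVENTS = [  # constructed sample records
    _ev("aid-0001", "WS-ALPHA", "update.example.com", 1),
    _ev("aid-0001", "WS-ALPHA", "update.example.com", 5),
    _ev("aid-0001", "WS-ALPHA", "update.example.com", 20),
    _ev("aid-0001", "WS-ALPHA", "mail.google.com", 2),
    _ev("aid-0001", "WS-ALPHA", "u7x2k.example.net", 3),
    _ev("aid-0001", "WS-ALPHA", "cdn.example.org", 30),        # older than 24h
    _ev("aid-0002", "WS-BRAVO", "update.example.com", 4),
    _ev("aid-0002", "WS-BRAVO", "q91zb.example.net", 6),
    _ev("aid-0002", "WS-BRAVO", "docs.google.com", 7),
    _ev("aid-0002", "WS-BRAVO", "u7x2k.example.net", 8, name="SuspiciousDnsRequest"),
]


def select(events, aid=None, event_name=None, earliest=None, latest=NOW):
    """aid=... event_simpleName=... earliest=-24h latest=now"""
    return [e for e in events
            if (aid is None or e["aid"] == aid)
            and (event_name is None or e["event_simpleName"] == event_name)
            and (earliest is None or e["timestamp"] >= earliest)
            and (latest is None or e["timestamp"] <= latest)]


def stack_by_domain(events):
    """| stats values(ComputerName) count by DomainName"""
    rows = defaultdict(lambda: {"count": 0, "hosts": set()})
    for e in events:
        rows[e["DomainName"]]["count"] += 1
        rows[e["DomainName"]]["hosts"].add(e["ComputerName"])
    return {d: {"count": r["count"], "hosts": sorted(r["hosts"])} for d, r in rows.items()}


def exclude_suffix(rows, suffix):
    """DomainName!="*google.com": drop a known-good domain and everything under it."""
    suffix = suffix.lower()
    return {d: r for d, r in rows.items()
            if d.lower() != suffix and not d.lower().endswith("." + suffix)}


def low_volume(rows, max_count):
    """| where count < max_count | sort - count   (ties broken by name for stable output)"""
    kept = [(d, r) for d, r in rows.items() if r["count"] < max_count]
    return sorted(kept, key=lambda kv: (-kv[1]["count"], kv[0]))


def bottom_n(rows, n):
    """The n least-requested domains (the 'bottom 20' idea from Best Practices)."""
    return sorted(rows.items(), key=lambda kv: (kv[1]["count"], kv[0]))[:n]


def hunt(events, aid=None, event_name="DnsRequest", hours=24, max_count=4, known_good=("google.com",)):
    """The fully narrowed query: scope, window, stack, drop known-good, keep the rare tail."""
    rows = stack_by_domain(select(events, aid, event_name, earliest=NOW - timedelta(hours=hours)))
    for s in known_good:
        rows = exclude_suffix(rows, s)
    return low_volume(rows, max_count)


if __name__ == "__main__":
    for domain, row in hunt(EVENTS):
        print(f"{row['count']:>3}  {domain:<24} {', '.join(row['hosts'])}")
```

Note that the suffix exclusion anchors on a dot boundary, so `notgoogle.com` is not swallowed by a `google.com` exclusion; a plain wildcard filter in a query does not give you that guarantee, which is worth remembering when you build allow-lists from top-level domains.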
Typically, programs like Notepad and other operating system utilities will not be making network connections. Any such behavior
could be suspicious. Given a process name, you can run this query to determine if a process is making network connections or
DNS requests:
Show all Remote Desktop Protocol (RDP) connections observed on a specific host
Hunting Anomalous Behavior
Trusted processes are more likely to run dozens of times on a host. By searching for processes that ran only a few times, you can
hunt for anomalous activity that may help spot malicious processes. Adversaries understand the need to avoid using highly
visible processes, if they are to stay under the radar.
When an adversary delivers a malicious file to a host, they will likely change or vary the file name so that it is harder for analysts to
find. This is a very common tactic in phishing campaigns. Adversaries will use a different name for each file, but they will still
follow some kind of logical pattern, as the files are likely to be created programmatically. Thus, the file will not have the same
name on each host, but we can nevertheless use a regular expression to hunt for them.
CommandLine Query
FileName Query
Hunting Anomalies Related to Scheduled Tasks
The following two queries provide examples of how to work with the fields belonging directly to the event or extracting content
from a scheduled task's XML content. These queries may be useful in hunting for anomalies within your network. Adversaries will
utilize "schtasks.exe" and "at.exe" to schedule the launch of their tools, malware (implants) and scripts on remote machines,
which allows them to spread throughout your network and maintain persistence.
event_simpleName=ScheduledTaskRegistered |
stats values(TaskName) as TaskName values(TaskExecCommand) as TaskExecCommand values(TaskAuthor) as TaskAuthor
values(ClientComputerName) as ClientComputerName values(RemoteAddressIP4) as RemoteAddressIP4 values(RemoteAddressIP6) as
RemoteAddressIP6 by aid
event_simpleName=ScheduledTaskRegistered ClientComputerName!="" |
stats values(TaskName) as TaskName values(TaskExecCommand) as TaskExecCommand values(TaskAuthor) as TaskAuthor
values(ClientComputerName) as ClientComputerName values(RemoteAddressIP4) as RemoteAddressIP4 values(RemoteAddressIP6) as
RemoteAddressIP6 by aid
It may also be worthwhile to monitor scheduled tasks that are deleted outside of normal change windows based on your
company's policies.
event_simpleName=ScheduledTaskDeleted |
stats values(TaskName) as TaskName values(ClientComputerName) as ClientComputerName values(RemoteAddressIP4) as RemoteAddressIP4
values(RemoteAddressIP6) as RemoteAddressIP6 by aid
event_simpleName=ScheduledTaskDeleted ClientComputerName!="" |
stats values(TaskName) as TaskName values(ClientComputerName) as ClientComputerName values(RemoteAddressIP4) as RemoteAddressIP4
values(RemoteAddressIP6) as RemoteAddressIP6 by aid
Scheduled task trigger types:
At log on
At startup
At a specific time
On a schedule
On an event
On idle
The logon type sets the logon method used to run the task. More information is available under LogonTypes (MSDN).
The RunLevel specifies the privilege level required to run the task. More information is available under RunLevel (MSDN).
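Pulling the fields discussed above (author, exec command, the trigger types listed, LogonType and RunLevel) out of a scheduled task's XML definition, as an added Python example rather than the page's Splunk extraction. It relies on Microsoft's published Task Scheduler XML schema (the namespace in the code); the two task definitions and the "elevated plus user-writable path" heuristic are constructed for illustration and are not from this page. Real task exports are UTF-16 with an XML declaration, so read those files as bytes before handing them to ET.fromstring.

```python
"""Added example (not CrowdStrike code): pull the fields discussed above out of a
scheduled task's XML definition (author, exec command, trigger kinds, LogonType,
RunLevel) and flag the combination an implant tends to use.

Assumptions: the Task Scheduler XML schema (namespace below) is Microsoft's
documented format; the trigger-name mapping follows the list on this page;
the 'noteworthy' heuristic and the two task definitions are my own constructions."""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
TRIGGER_NAMES = {  # XML element -> the trigger type as listed on this page
    "LogonTrigger": "At log on",
    "BootTrigger": "At startup",
    "TimeTrigger": "At a specific time",
    "CalendarTrigger": "On a schedule",
    "EventTrigger": "On an event",
    "IdleTrigger": "On idle",
}
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_task_xml(xml_text):
    """Return the hunting-relevant fields of one task definition as a flat dict."""
    root = ET.fromstring(xml_text)
    local = lambda el: el.tag.split("}")[-1]  # strip the namespace from a tag name
    triggers_el = root.find("t:Triggers", NS)
    children = list(triggers_el) if triggers_el is not None else []
    triggers = [TRIGGER_NAMES.get(local(t), local(t)) for t in children]  # unknown kinds keep their tag
    commands = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        commands.append(f"{cmd} {args}".strip())
    principal = root.find("t:Principals/t:Principal", NS)

    def p(field):
        return principal.findtext(f"t:{field}", default="", namespaces=NS) if principal is not None else ""

    return {
        "author": root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS),
        "triggers": triggers,
        "commands": commands,
        "user_id": p("UserId"),
        "logon_type": p("LogonType"),
        "run_level": p("RunLevel"),
    }


def is_noteworthy(task):
    """Elevated (RunLevel HighestAvailable or running as SYSTEM) and executing from outside the system roots."""
    elevated = task["run_level"] == "HighestAvailable" or task["user_id"] == "S-1-5-18"
    outside = any(not c.lower().lstrip('"').startswith(SYSTEM_ROOTS) for c in task["commands"])
    return elevated and outside


BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CORP\\svc-backup</Author></RegistrationInfo>
  <Triggers>
    <CalendarTrigger><StartBoundary>2020-05-01T02:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>
  </Triggers>
  <Principals><Principal id="Author"><UserId>CORP\\svc-backup</UserId>
    <LogonType>Password</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>"C:\\Program Files\\Corp\\backup.exe"</Command>
    <Arguments>--full</Arguments></Exec></Actions>
</Task>"""  # constructed

IMPLANT_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CORP\\alice</Author><Description>Update</Description></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <BootTrigger><Enabled>true</Enabled></BootTrigger>
  </Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId>
    <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Users\\Public\\svc.exe</Command>
    <Arguments>-q</Arguments></Exec></Actions>
</Task>"""  # constructed

if __name__ == "__main__":
    for xml_text in (BENIGN_TASK, IMPLANT_TASK):
        task = parse_task_xml(xml_text)
        print("!!" if is_noteworthy(task) else "  ", task)
```

A task that runs as SYSTEM at log on and at startup from a user-writable directory is the shape to look for; the same fields are what the TaskExecCommand and TaskAuthor values in the queries above surface, and parsing the XML gives you the trigger and privilege context those two fields alone do not.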
Hunting Suspicious Registry Changes
The Windows registry is a hierarchical database that stores the values of variables in Windows and the applications and services
that run on Windows. The operating system and other programs also use the registry to store data about users and about the
current configuration of the system and its components. Most end users never need to view or edit the registry. The
administrative tools and Windows interface enable users to safely change their preferences and the services and features of the
operating system. However, in rare instances, the only way to change an operating system variable is by editing the registry.
Thus, because the registry contains sensitive, protected information about users and the host’s configuration, it is a common
target of security adversaries.
We recommend using filters when running this query, which are explained in the Best Practices section at the beginning of this
document.
This query allows you to hunt for persistence set via Run keys from a remote machine. This activity may be an indicator of
attack, as the adversary is likely attempting to establish and maintain control of the target host. The "RemoteAddressIP4"
and "ClientComputerName" fields, if present, show the origin of the activity.
The NewExecutableWritten event is generated when a file with an executable extension is written, whether or not the file is
truly an executable. Any file name ending in a known executable extension (e.g. .exe, .bat, .scr) generates this event.
Walkthroughs
The walkthroughs below show how Falcon allows you to quickly deep dive on different types of IOCs.
Hunting Walkthrough: Domain IOC
Let's walk through an example of how the Falcon web interface helps you hunt when starting with a domain type IOC.
1. Sign in to the Falcon web interface and open the Bulk Domain Search page.
2. Enter the domain that you are searching for and specify a time range (Note: Falcon lets you use wildcards in the search
field).
In the search results, you will see a domain lookup summary that shows all DNS requests made to that domain. The results
also include the host name that made each request, the date on which the request was first made, a quick link to do a
WHOIS lookup for the domain, and other useful information. You will also see any processes that looked up that domain, if
present, and a list of suspicious domain lookups.
From here you have three ways to pivot. First, if you see a suspicious DNS request on a host that you know to be
compromised, you can click Contain to go to the Host Details page and quickly contain the host.
Alternatively, you can click View to pivot to the Process Tree to see which process made the request; if you believe
that the host has been compromised, you can contain the host from that page as well.
Finally, you can click one of the domain names in the domain lookup summary list. This opens the Event Search page with
a pre-populated DnsRequest event search for the selected domain name in raw JSON format. You can view the events in a
timeline at the top or use the filters on the left side of the page to quickly filter down to specific values (e.g. a specific
time or sensor AID). For more information on CrowdStrike events, see the Events Data Dictionary on the Docs page in the
UI.
3. You can then use the built-in workflows to quickly pivot to other searches during your investigation.
Note that from this screen, you can also choose "View Process Explorer for the responsible processes" to quickly pivot back
to the Process Tree, which allows you to triage and investigate using a visual representation of the event, making it easier to
understand the relationship between the processes involved in the DNS request.
Hunting Walkthrough: IP IOC
Let's walk through an example of how the Falcon web interface helps you hunt when starting with an IP IOC.
1. Enter the IP that you are searching for and specify a time range. In the search results, you will see key details such as the
host name of any host that matches the IP, first/last seen dates, agent version (the version of the sensor that the host is
running), organizational unit (OU) and other geographical information.
2. Next, click one of the host names in the list. This opens the Host Search page with a pre-populated search for that host. In
the results, you will see a wide range of data including basic host information, detect history for the host, a list of
unresolved detects for the host, and a list of network connection and network listening events.
You can even view a world map of external network connections for that host.
Let's walk through an example of how the Falcon web interface helps you hunt when starting with a hash IOC.
. Enter the MD5 or SHA256 that you are searching for and specify a time range. You can search by file name, command line
string, host name, or user name.
In the search results, you will see the Process Execution History section for the hash (historical summary of execution
details such as the total number of executions) as well as a Process Execution section, which breaks out each individual
instance that the hash was executed, the time of execution, and other key process details.
https://falcon.crowdstrike.com/support/documentation/12/hunting-and-investigation#hunting-suspicious-processes 36/67
5/6/2020 Hunting and Investigation | Documentation | Support | Falcon
Furthermore, under Process History, click either the MD5 or SHA256 hash to open a pre-populated Virus Total search with
the selected hash.
https://falcon.crowdstrike.com/support/documentation/12/hunting-and-investigation#hunting-suspicious-processes 37/67
5/6/2020 Hunting and Investigation | Documentation | Support | Falcon
Often the results list is simply too long to sort through, and you need a way to narrow the hash search down to a specific host or hosts. Falcon lets you search within your results, so you can narrow them further by entering, for example, a specific host name.
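The hash walkthrough above (match an IOC hash against process executions, summarize the execution history, then narrow to one host) can be reproduced offline over exported event JSON. The block below is an added example and not CrowdStrike code: the events are constructed, and the field names (event_simpleName, ComputerName, FileName, CommandLine, MD5HashData, SHA256HashData, timestamp) are assumptions to confirm against your Events Data Dictionary. It also applies the caveat from later in this guide that the sensor only hashes DLLs and EXEs, so an IOC for a document will never match by hash.

```python
"""Hash-IOC hunt over process-execution events (added example, not Falcon code)."""
from collections import Counter

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
# Assumed Falcon-style field names for each hash type.
HASH_FIELDS = {"md5": "MD5HashData", "sha1": "SHA1HashData", "sha256": "SHA256HashData"}

# Placeholder hash values for the constructed sample (not real malware hashes).
BAD_MD5 = "4e7f0f5bd6f3e1b9a2c8d7e6f5a4b3c2"
BAD_SHA256 = "9f2c5e1a7b3d4c6e8f0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f5a6"
OK_MD5 = "1b1c1d1e1f202122232425262728292a"
OK_SHA256 = "00112233445566778899aabbccddeeff" * 2


def _event(ts, host, user, fname, cmd, md5, sha256):
    return {"event_simpleName": "ProcessRollup2", "event_platform": "Win",
            "timestamp": ts, "ComputerName": host, "UserName": user,
            "FileName": fname, "CommandLine": cmd,
            "MD5HashData": md5, "SHA256HashData": sha256}

# Constructed sample: the same suspicious binary ran twice on WKS-042 and once
# on SRV-DB-01; notepad.exe on WKS-017 is benign noise.
SAMPLE_EVENTS = [
    _event(1588723200, "WKS-042", "jdoe", "updater.exe",
           r"C:\Users\jdoe\AppData\Local\Temp\updater.exe /silent", BAD_MD5, BAD_SHA256),
    _event(1588726800, "WKS-042", "jdoe", "updater.exe",
           r"C:\Users\jdoe\AppData\Local\Temp\updater.exe /silent", BAD_MD5, BAD_SHA256),
    _event(1588730400, "SRV-DB-01", "svc_backup", "updater.exe",
           r"C:\Windows\Temp\updater.exe /silent", BAD_MD5, BAD_SHA256),
    _event(1588734000, "WKS-017", "alice", "notepad.exe",
           r"C:\Windows\System32\notepad.exe", OK_MD5, OK_SHA256),
]


def classify_hash(value):
    """Return (kind, normalized hex) for an MD5/SHA1/SHA256 string, or None.

    Falcon stores hashes as lowercase hex while IOC feeds often ship them in
    uppercase; normalizing here is what makes the comparison reliable.
    """
    h = value.strip().lower()
    kind = HASH_LENGTHS.get(len(h))
    if kind is None or any(c not in "0123456789abcdef" for c in h):
        return None
    return kind, h


def find_executions(events, ioc_hashes):
    """Return every process event whose hash matches one of the IOCs.

    An MD5 IOC is only compared with MD5HashData (and so on), mirroring the
    Hash Search page, which asks which hash type you are searching for.
    Only DLLs and EXEs carry hashes, so document/script IOCs never match here.
    """
    wanted = {}
    for raw in ioc_hashes:
        parsed = classify_hash(raw)
        if parsed is None:
            continue  # skip malformed IOC entries rather than abort the hunt
        kind, h = parsed
        wanted.setdefault(HASH_FIELDS[kind], set()).add(h)
    hits = []
    for ev in events:
        for field, hashes in wanted.items():
            if (ev.get(field) or "").lower() in hashes:
                hits.append(ev)
                break
    return hits


def execution_history(hits):
    """Summarize matches the way the Process Execution History panel does."""
    if not hits:
        return {"total": 0, "hosts": Counter(), "file_names": Counter(),
                "first_seen": None, "last_seen": None}
    times = [ev["timestamp"] for ev in hits]
    return {
        "total": len(hits),
        "hosts": Counter(ev["ComputerName"] for ev in hits),
        "file_names": Counter(ev["FileName"] for ev in hits),
        "first_seen": min(times),
        "last_seen": max(times),
    }


def narrow_to_host(hits, host_name):
    """Search within results: keep only executions on one host (case-insensitive)."""
    return [ev for ev in hits if ev["ComputerName"].lower() == host_name.lower()]


if __name__ == "__main__":
    iocs = [BAD_MD5.upper(), "deadbeef" * 8, "not-a-hash"]  # mixed-case, no-hit, malformed
    matched = find_executions(SAMPLE_EVENTS, iocs)
    print(execution_history(matched))
    for ev in narrow_to_host(matched, "srv-db-01"):
        print(ev["timestamp"], ev["ComputerName"], ev["UserName"], ev["CommandLine"])
```

Feeding real exported events in is a matter of loading the JSON lines into the list in place of SAMPLE_EVENTS; the per-host counter is the same pivot the walkthrough makes when it narrows the results to one host.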
Troubleshooting

Problem: My query runs successfully but returns no results.
Solution: Seeing no results can mean many things. To begin with, try removing individual parts of the query until you start seeing results. From there, add additional syntax piece by piece until you stop receiving results. This will help you isolate which part of your query's syntax is causing you to receive no results. See the Events Data Dictionary for sample queries for your particular event or other events which may help you diagnose the issue.

Problem: My query fails to run.
Solution: To begin with, try removing individual parts of the query until you start seeing results. This will help you isolate which part of your query's syntax is causing the issue. See the Events Data Dictionary for additional sample queries for your particular event or other events which may help you diagnose the issue.

Problem: My query takes too long.
Solution: Ensure that you have included a timeframe, platform, and, if possible, a host name in your query. Try shortening your timeframe, if possible, and work your way up to a larger timeframe. Joins can be particularly time-intensive.

Problem: Something specific I'm searching for is failing to show up in the search results.
Solution: Try adding the specific host name to the query. Then, try removing individual parts of the query until you start seeing results. This will help you isolate which part of your query's syntax is causing you to receive no results.

Problem: Something specific is erroneously showing up in the results.
Solution: Identify which piece of data should not be there and revisit the portion of the syntax that you feel should exclude it from your search results. This will help you isolate which part of your query's syntax is causing you to receive results where there should be none. There may also be an issue with your config. Contact Support if the issue continues.
Appendix A: Investigate App Pages
The Investigate App lets you search for specific hashes, file names, command line arguments, IP addresses, and specific
computers and users. The Investigate App contains these pages for investigating and hunting for events:
Host Search
Hash Search
User Search
Source IP Search
Event Search
Containers
Mobile Hosts
These searches help you quickly collect relevant information during incident triage and hunting.
Time range: When you set a time range for your Investigate searches, we recommend using a time range of 3 days or
shorter. Longer time ranges can take several minutes to display.
The Spectre & Meltdown dashboard helps you assess how well your Windows hosts are protected from Spectre and Meltdown, two security vulnerabilities published in January 2018.
This dashboard only displays information about Windows hosts running sensor version 3.9.6009 or later.
MITIGATING SPECTRE
Mitigating Spectre involves three components and applies to both software and hardware:
Update your processor's firmware/BIOS. The specific steps depend on the hardware used in your hosts, but Microsoft provides an index of major hardware vendors. (This component applies to hardware.)
Set the registry key specified by Microsoft.
The dashboard reports the resulting state for each host. For example, the state "Unprotected – with Microcode but Disabled by Registry" means the microcode update is present but the registry setting that enables the mitigation is not.
MITIGATING MELTDOWN
On certain hardware, the Meltdown software patch can slow your host's processing performance. See Microsoft's blog post about the performance impact of the mitigation.
Host Search
Use Host Search to search for events across all Windows and Mac hosts in your environment. Due to differences in these platforms, some items may not be available for both Windows and Mac. The results include:
Host info
List of external network connections (by country, including the port and the number of connections)
Command History
Process Executions
DNS Requests
Network Connections
Network Listening
Scripts Written
Executable Activities
Hash Search
Use Hash Search to search for events by hash across all Windows and Mac hosts in your environment. Due to differences in these
platforms, some items may not be available for both Windows and Mac.
Process Executions
You can export the data to a PDF by clicking the Export PDF button on the right side of the screen.
User Search
Use User Search to search for user activity across all Windows and Mac hosts in your environment. Due to differences in these platforms, some items may not be available for both Windows and Mac. Results in this report are filtered out if the user logging on is one of the well-known security identifiers (see Microsoft's documentation). Though the results are filtered, the raw events for these logons are still captured in Event Search.
Process Executions
Source IP Search
Search for host information by IP. Source IP Search allows you to use wildcards (e.g. 192*).
Bulk Hash Search
Search for multiple hashes (MD5/SHA256/SHA1*) and detect/process execution history. Bulk Hash Search allows you to use wildcards (e.g. c32*).
Bulk Domain Search
Search for detect and process execution history involving a domain or list of domains. Bulk Domain Search allows you to use wildcards (e.g. evildoma*).
Event Search
The Event Search page is where you can find pre-made reports and pre-made searches that allow you to view data collected from
your endpoints. This page also provides you with a powerful custom search tool that allows you to analyze, explore, and hunt for
suspicious or malicious activity in your environment.
Tip: Read our Events Data Dictionary for specific data on key CrowdStrike events that you find when using the Event
Search page.
Search: Provides direct access to Falcon endpoint metadata, where events can be queried and processed using the Splunk search language (SPL). Use this view when the prebuilt Falcon dashboards and reports do not contain the desired results, or when you want to write a custom query; the stock dashboards in the Falcon console will be sufficient most of the time. For detailed information on CrowdStrike events and how to search for them, see the Events Data Dictionary.
Detection Activity page: This feature applies only to Managed Security Service Provider (MSSP) partners and customers with multiple Customer IDs (CIDs). The page, available at Investigate App > Event Search > Activity > Detection Activity, lets users view all detections associated with every CID they have access to. From the Detection Activity page, users can click any detection to open it in the Falcon UI Process Explorer in a new browser tab without manually switching to the correct CID, and perform triage actions such as assigning the detection, adding comments, containing the host, or resolving the detection. When finished triaging, users can close the browser tab and return to the Detection Activity page to continue with the next detection. Note that some applications on the left navigation menu, such as Dashboards and Users, will not be available on the auto-toggled browser tab.
Falcon DNS: This dashboard is available to users who also subscribe to Falcon DNS services.
Timeline: Provides the ability to generate a "Host Timeline" and a "Process Timeline." This allows you to view all relevant events
for a specific computer or all events associated with any user-specified process execution.
Reports: Offers various canned reports surrounding activities that typically indicate suspicious activity occurring on a system.
Available reports are listed below.
Files Written to Removable Media: Search for file written activities to removable media.
Machine Learning Prevention: View malware that would have been blocked in your environment during the last 30 days based
on different Machine Learning Prevention settings (Cautious, Moderate, or Aggressive).
Prevention Policy Audit Trail: View the audit trail for all policies.
Hunting Reports: Provides fast access to automated hunting queries in the "Search" view. Hunting report options:
Visibility Reports: Provides fast access to automated queries in the "Search" view. Visibility report options:
Logon Activities
Remote Access Graph: Provides a graphical representation of relationships between users and systems that have been
remotely accessed. This allows you to search for users who are remotely logged on to devices based on logon type. You
can search for either Terminal Server logons (Type 10, e.g., RDP) or Network Server (Type 3) logons.
Unique Hosts Connecting to Countries Map: Provides a map of unique hosts making connections to different countries. You
can search based on destination IPs and ports, and double-click a country to drill down into details surrounding these
connections. Details provided include the timestamp, computer name, process ID, local IP, local port, destination IP, remote
port, aid, and country.
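The Remote Access Graph described above is a user-to-host graph built from logon events of type 10 and type 3 only. The block below is an added example and not CrowdStrike code: it builds that graph from constructed UserLogon-style events and ranks users by how many hosts they reach remotely, the fan-out pattern worth pulling on first in a lateral-movement hunt. The field names (event_simpleName, ComputerName, UserName, LogonType, RemoteAddressIP4, timestamp) are assumptions to confirm against your Events Data Dictionary; the logon type numbers are the standard Windows ones.

```python
"""Remote Access Graph from logon events (added example, not Falcon code)."""
from collections import Counter, defaultdict

# Standard Windows logon types: 10 = RemoteInteractive (RDP), 3 = Network (SMB, WinRM).
REMOTE_LOGON_TYPES = {3: "Network", 10: "RemoteInteractive"}


def _logon(ts, host, user, logon_type, src_ip):
    # Assumed Falcon-style field names for a UserLogon event.
    return {"event_simpleName": "UserLogon", "event_platform": "Win",
            "timestamp": ts, "ComputerName": host, "UserName": user,
            "LogonType": logon_type, "RemoteAddressIP4": src_ip}

# Constructed sample: jdoe RDPs to two servers, svc_backup fans out over SMB
# to three servers, alice only logs on at her own console (type 2).
SAMPLE_LOGONS = [
    _logon(1588723200, "SRV-FILE-01", "jdoe", 10, "10.0.5.23"),
    _logon(1588723500, "SRV-DB-01", "jdoe", 10, "10.0.5.23"),
    _logon(1588723800, "SRV-FILE-01", "jdoe", 3, "10.0.5.23"),
    _logon(1588724100, "SRV-FILE-01", "svc_backup", 3, "10.0.9.8"),
    _logon(1588724400, "SRV-DB-01", "svc_backup", 3, "10.0.9.8"),
    _logon(1588724700, "SRV-APP-01", "svc_backup", 3, "10.0.9.8"),
    _logon(1588725000, "WKS-042", "alice", 2, "-"),
]


def build_remote_access_graph(events, logon_types=(3, 10)):
    """Return {user: {host: {logon_type: count}}} for remote logons only.

    Interactive, batch and service logons (types 2, 4, 5) are dropped: they
    say nothing about who is reaching which machine over the network.
    """
    graph = defaultdict(lambda: defaultdict(Counter))
    for ev in events:
        if ev.get("event_simpleName") != "UserLogon":
            continue
        lt = ev.get("LogonType")
        if lt not in logon_types:
            continue
        graph[ev["UserName"]][ev["ComputerName"]][lt] += 1
    return {u: {h: dict(c) for h, c in hosts.items()} for u, hosts in graph.items()}


def fan_out(graph, min_hosts=2):
    """Users remotely reaching at least min_hosts distinct hosts, widest first.

    One account touching many hosts in a short window is the classic
    lateral-movement shape; ties are broken alphabetically for stable output.
    """
    ranked = sorted(((u, len(h)) for u, h in graph.items()),
                    key=lambda x: (-x[1], x[0]))
    return [u for u, n in ranked if n >= min_hosts]


def sources_for_host(events, host, logon_types=(3, 10)):
    """Remote source IPs seen logging on to one host, with counts."""
    return Counter(ev["RemoteAddressIP4"] for ev in events
                   if ev.get("ComputerName") == host and ev.get("LogonType") in logon_types)


if __name__ == "__main__":
    g = build_remote_access_graph(SAMPLE_LOGONS)
    for user, hosts in g.items():
        print(user, "->", dict(hosts))
    print("fan-out (any remote type):", fan_out(g))
    print("fan-out (RDP only):", fan_out(build_remote_access_graph(SAMPLE_LOGONS, logon_types=(10,))))
    print("SRV-FILE-01 sources:", sources_for_host(SAMPLE_LOGONS, "SRV-FILE-01"))
```

Passing logon_types=(10,) reproduces the report's Terminal Server view and (3,) its Network Server view; the per-edge type counts let you see at a glance whether an account that fans out is doing so interactively or only through admin shares.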
Sensors: Contains a series of reports to help admins manage deployment and coverage of CrowdStrike sensors.
Newly Installed Sensors: Provides a list of sensors that have been recently installed.
Inactive Sensors: Provides a list of sensors that have not reported in a given timeframe. Note that sensors that have been
inactive for more than 45 days will be deleted.
Sensor Coverage Lookup: Search by host name to see if a sensor has been installed on that host. Accepts a space-delimited
list of hosts so admins can provide multiple hostnames. Limited to 50 hosts.
Sensor Policy Daily Report: Review the groups and policies assigned to a host. Note that this report is only updated once a
day, so information may not always be up to date. If you have not purchased an app like Prevent or Device Control, your
sensors will be assigned to the platform_default policy.
The search capabilities in the Falcon console provide direct access to Falcon endpoint metadata, where each event can be queried using the Splunk search language (SPL). Use the search feature when the prebuilt Falcon dashboards and reports do not contain the desired results, or when you want to write a custom query.
The Events Data Dictionary provides information about CrowdStrike events found when using the Event Search page. We also
recommend that you read the Splunk Enterprise Quick Reference Guide for more information about Splunk and to get started
writing Splunk queries. For an introduction to advanced hunting queries, we recommend that you read the Hunting Guide for
Windows.
Archive files
Process injection
AV engine results
Falcon only captures metadata from the time the sensor was installed on a host onward. The amount of historical data contained in Event Search varies depending on your data plan. System metadata from before sensor installation must be collected with a tool like CrowdStrike's CrowdResponse, triage scripts, or another enterprise scanning tool that can quickly search for IOCs across multiple systems.
Inbound network connections: As mentioned above, the Event Search functionality only identifies outbound network connections.
MD5, SHA1*, and SHA256 hashes are calculated only for DLLs and EXEs, so hash data for non-binary files cannot be searched for or collected.
1. In the search bar, enter the following syntax, which says "search for DNS Request events made on Windows hosts in my environment."
event_simpleName=DnsRequest event_platform=Win
2. Set the timeframe to "Last 15 minutes", which limits the scope of your search.
3. Set the search to Verbose Mode, and then click the magnifying glass to search.
This returns the JSON for every DnsRequest event on Windows hosts in your environment in the last 15 minutes. Specifying a platform and a timeframe greatly reduces the time a search takes. You can also use the Event Sampling functionality to gather a random sample of events (100, 1,000, etc.).
WORKFLOWS
Event workflows are automated searches that can be used to pivot between related events and searches. Every event has a
workflow. Workflows enable you to quickly and easily run pre-made queries on search results, meaning you can run powerful
queries (written by CrowdStrike's hunting experts) without writing a single line of Splunk syntax. Note that workflows only
appear in Verbose Mode (enabled by default).
To use a workflow, click the Event Actions button at the bottom of the JSON for any raw event:
When selected, a workflow will open in a new tab or window. Workflow searches may not produce results for every event.
Containers
Falcon’s container security shows runtime information about containers in your environment. Use container info to review your
containers, see trends on container usage, and identify containers that use risky configurations.
Investigate > Containers provides dashboards to help you investigate activity on containers running on your Linux hosts.
System requirements:
Role requirements: Falcon Administrator, Falcon Security Lead, or any other role that can access Investigate
CONTAINER DASHBOARDS
The Container dashboards at Investigate > Containers help you distinguish activity within a container from activity on a host. Use
this info to track activity on your hosts that run containers.
Dashboards only show information about containers that were started after the Falcon sensor was installed. When you
install a sensor, restart the containers on that host for full visibility.
Prevention policies assigned to a Linux host also apply to containers running on that host. This includes:
Cloud ML detections
Detections and preventions only show information about containers that were started after the Falcon sensor was
installed. When you install a sensor, restart the containers on that host for full visibility.
CONTAINER USAGE
See a high-level overview of the containers running on your Linux hosts, including the number of active containers, the number of
your hosts running containers, and more. Use the Hosts Running Containers Over Time and Total Containers Running Over Time
graphs to get context about whether the current container counts are anomalous for your environment.
CONTAINER CONFIGURATIONS
Identify containers that are running with risky configurations. Use the Container Configurations dashboard to identify containers
that have unusual launch modes (privileged permissions, interactive, or out-of-memory kill disabled modes), mount points, and
more.
These configurations aren’t always dangerous, and your organization may choose to use them for good reasons. Use these
dashboards to ensure that your containers are configured as expected -- and that containers aren’t using risky configurations
unnecessarily.
Filter containers:
To filter the container list for specific elements of risky configurations, select Yes in the relevant field’s dropdown menu
Enter a full or partial (with the * wildcard) container name to find a specific container
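The risky launch modes and mount points the Container Configurations dashboard flags (privileged, interactive, OOM kill disabled, sensitive host paths) can be checked directly on a host as well. The block below is an added example and not CrowdStrike code: it audits constructed records shaped like the JSON that docker inspect prints (Name, Config.Tty, Config.OpenStdin, HostConfig.Privileged, HostConfig.OomKillDisable, Mounts[].Source) and reproduces the dashboard's "Yes" filters and the * wildcard on container names. The container names, mounts, and the list of host paths treated as risky are assumptions for this example; the page does not say which paths the dashboard itself considers risky.

```python
"""Flag containers running with risky configurations (added example, not Falcon code)."""
import fnmatch

# Assumed set of host paths that hand a container a foothold on the host if mounted.
RISKY_MOUNT_EXACT = {"/", "/var/run/docker.sock", "/run/docker.sock"}
RISKY_MOUNT_PREFIXES = ("/etc/", "/proc/", "/sys/", "/boot/", "/root/", "/var/lib/docker/")


def _container(name, privileged=False, tty=False, open_stdin=False,
               oom_kill_disable=False, mounts=()):
    # Minimal docker-inspect-shaped record; only the fields audited below.
    return {
        "Name": "/" + name,
        "Config": {"Tty": tty, "OpenStdin": open_stdin},
        "HostConfig": {"Privileged": privileged, "OomKillDisable": oom_kill_disable},
        "Mounts": [{"Type": "bind", "Source": src, "Destination": dst} for src, dst in mounts],
    }

# Constructed sample of three containers on one Linux host.
SAMPLE_INSPECT = [
    _container("web-frontend", mounts=[("/srv/www", "/usr/share/nginx/html")]),
    _container("ci-runner", privileged=True,
               mounts=[("/var/run/docker.sock", "/var/run/docker.sock")]),
    _container("debug-shell", tty=True, open_stdin=True, oom_kill_disable=True,
               mounts=[("/", "/host")]),
]


def is_risky_mount(source):
    """True if a bind-mount source is the host root, the Docker socket, or a sensitive tree."""
    src = source.rstrip("/") or "/"
    if src in RISKY_MOUNT_EXACT:
        return True
    return any((src + "/").startswith(p) for p in RISKY_MOUNT_PREFIXES)


def audit_container(info):
    """Return the launch-mode and mount flags for one inspect record."""
    cfg, host_cfg = info.get("Config", {}), info.get("HostConfig", {})
    risky = [m["Source"] for m in info.get("Mounts", [])
             if m.get("Type") == "bind" and is_risky_mount(m.get("Source", ""))]
    return {
        "name": info["Name"].lstrip("/"),
        "privileged": bool(host_cfg.get("Privileged")),
        # "interactive" here means both -i and -t: a shell someone can sit in.
        "interactive": bool(cfg.get("Tty") and cfg.get("OpenStdin")),
        "oom_kill_disabled": bool(host_cfg.get("OomKillDisable")),
        "risky_mounts": risky,
    }


def filter_containers(audits, name_pattern="*", **flags):
    """Mimic the dashboard filters: a name glob plus Yes/No on chosen risk fields.

    filter_containers(audits, privileged=True) keeps privileged containers;
    risky_mounts=True keeps any container with at least one risky bind mount.
    """
    out = []
    for a in audits:
        if not fnmatch.fnmatchcase(a["name"], name_pattern):
            continue
        if all(bool(a[field]) == want for field, want in flags.items()):
            out.append(a["name"])
    return out


if __name__ == "__main__":
    audits = [audit_container(c) for c in SAMPLE_INSPECT]
    for a in audits:
        print(a)
    print("privileged:", filter_containers(audits, privileged=True))
    print("host mounts:", filter_containers(audits, risky_mounts=True))
    print("*-shell:", filter_containers(audits, name_pattern="*-shell"))
```

On a real host, replace SAMPLE_INSPECT with the parsed output of docker inspect for the running containers; the audit then gives you an independent list to reconcile against what the dashboard shows, which matters because the dashboard only knows about containers started after the sensor was installed.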
CONTAINER BY HOST
View all the containers in your environment sorted by their host. To find containers related to a specific host, enter the host’s
agent ID.
CONTAINER BY IMAGE
View all the containers in your environment sorted by their image. Enter a container image name to get details on the active
containers based on that image.
To find images related to a specific host, enter the host’s agent ID.
To find all containers based on an image, enter a full or partial (with the * wildcard) image name.
Mobile Hosts
Mobile Hosts is where to search for and view detections and events across all mobile hosts in your environment.
Requirements:
Sensor support: CrowdStrike Falcon app for iOS and Android. Mobile detections are supported on 2020 versions and later.
Roles: Users with these roles can see mobile detections: Falcon Administrator, Falcon Security Lead, Falcon Investigator, Falcon
Analyst, Falcon Analyst - Read Only, Event Viewer
SEARCH
Provides direct access to mobile host metadata, where you can query and process detections and events using Splunk, a powerful
query language. This view can be used when the prebuilt Falcon dashboards and reports do not contain the desired results, or
when you want to write a custom query. However, the stock dashboards in the Falcon console will be sufficient most of the time.
For detailed information on CrowdStrike’s mobile events and how to search for them, see the Events Data Dictionary.
Provides visualizations of basic statistics about your mobile hosts, including platform, OS version, and device models.
Mobile Detections is your dashboard to monitor the kind of detections activity being reported from your mobile hosts.
NOTE: Use Custom Alerts to configure email notifications about detections on mobile hosts using the Mobile Host Detections
template.
Quickly understand the severity of the detections on your mobile hosts and what tactics and techniques are involved using the
graphs. Hover over to see more information.
In the Detection Details table, see key details and use column sorting to zero in on common aspects among detections, such as detection severity or device model.
Click on a detection’s informational cells to go to its Mobile Hosts Report. The informational cells are:
Timestamp
User
Severity
Detection
Model
MITRE ID
Details
Click on a detection’s MITRE Tactic and MITRE Technique cells to open documentation to learn more about that specific tactic
or technique.
Provides the ability to generate a Host Information timeline and a process timeline. This allows you to view all relevant events for
a specific mobile host or all events associated with a specific process execution.
See information about detections on specific mobile hosts in Investigate > Mobile Hosts > Activity > Mobile Detections.