# How to Hunt for Threat Activity with Falcon Endpoint Protection

### Introduction to Threat Hunting with Falcon Endpoint Protection

CrowdStrike Falcon offers a powerful set of features that can be used to hunt for threat activity in your environment. The Falcon endpoint sensor is constantly monitoring and recording endpoint activity and streaming it to the CrowdStrike Threat Graph in the cloud. The data gathered by Falcon is metadata, including things like process execution, network connections, file system activity, user information, service details, script activity and admin tool usage. Storing this data in the Threat Graph ensures that the data is always available (even while endpoints are offline) and also ensures that it can be searched in real time and retrospectively – even the largest environments can get results in seconds.

CrowdStrike Falcon provides two applications for threat hunting. The first is the Investigate App. This is designed to take the complexity out of threat hunting. The second is the Events App. This is meant for users who want full access to the data in the Threat Graph which allows for more advanced, proactive threat hunting. This document will cover both apps in detail.

### Investigate App: Hunting Scenarios

The Investigate App allows administrators to search for indicators of compromise in their environment. This aids in understanding their exposure to known threats, while also providing the ability to drill-down and pivot to explore the context around malicious and suspicious activity. All searches are conducted on the CrowdStrike Threat Graph. This ensures that you get immediate results no matter how large your organization, and it also ensures that you get results from both online and offline systems.

#### Getting Started

Navigate to the Investigate App and click on Bulk Domain Search Tab

#### Scenario 1 – Domain Search

Enter a domain. In this example, we insert multiple domains. Note that they are separated by a space and that only the domain name is required (there is no need to enter http:// or https:// or www.). Click submit to begin the search.

The search will now query all of your data in the Threat Graph. If any system in your environment has ever connected to one of these domains, you will see a result. If the search result area is blank, it means that none of your systems have tried to connect to that domain. In the image below, we expand the Bulk Domain Search query from step 4 to include google.com (this is a quick way to verify that the feature is working). In this example, we see connections to google.com but not to any of the malicious domains that we included in the search.

#### Scenario 2: Hash Search

Click on the Hash tab to move to the hash search screen

To search for a file in your environment, you will need to specify the filename, MD5 hash or SHA256 hash. In this example, we use a SHA256 hash from an indicator of compromise (IOC) and also set the search time range to 30 days. Click submit to execute the search.

If the file has been encountered in your environment, you will see results similar to the image below. Note that almost all elements of the search results are links, allowing you to further explore and understand the file’s impact.

#### Scenario 3: Pivot to Host Search

Directly from the “Hash Search” page, click on the hostname (the second column in the Hosts that loaded specific hash section). This is a host where the hash has run. Clicking on the hostname will bring you to a screen that shows all activity on that system, including information not related to suspicious activity. Falcon has detected and prevented a number of malicious activities on the system, including attempted malware execution and also suspicious activity that looks like a lateral movement attempt. By getting a hit on the original file hash search, it looks like we have uncovered additional suspicious behavior.

### Events Search

#### Scenario 4: PowerShell Activity

The Events App is for power users who want to access all of their data in the CrowdStrike Threat Graph. It leverages the Splunk search interface to handle complex queries that are often required for more advanced threat hunting. In this section, we will review three advanced hunting queries from our Threat Hunting Guide. This document is available to all CrowdStrike customers, partners and individuals who are testing the product. To request the full document, please contact us.

Navigate to the Events App

Click into search box, then set search time frame to Last 24 Hours. You can begin with simple, one-word searches like specifying a hostname, username or file hash. Click the search icon (magnifying glass) to begin the search. You will get results similar to the image below.

Clear the contents of the search bar and paste the following syntax. Then hit the search icon to execute the search.

event_simpleName=ProcessRollup2 FileName=powershell.exe (CommandLine=*-enc* OR CommandLine=*encoded*) | table ComputerName UserName FileName CommandLine

This search looks for encoded PowerShell commands that have executed in your environment. This activity is interesting to threat hunters because legitimate administrators typically do not encode their PowerShell commands. However, this is very common activity for attackers. The image below indicates what it looks like when encoded PowerShell commands have been executed in your environment.

Results are consolidated by tabs.  There are four tabs; Events, Patterns, Statistics and Visualization.  Explore each tab to see the different results available.

#### Scenario 5: Inappropriate Local System Account Usage

Clear the contents of the search bar and paste the following syntax. Then hit the search icon to execute the search.

event_simpleName="ProcessRollup2" (FileName=w3wp.exe OR FileName=sqlservr.exe OR FileName=httpd.exe OR FileName=nginx.exe) UserName="LOCAL SYSTEM" | dedup aid | table ComputerName UserName ImageFileName CommandLine

This search is designed to look for inappropriate use of the Local System account. Web servers and database servers should not be configured to use this account, instead they should have dedicated accounts with restricted privileges. If those servers are seen using this account it means that they are either compromised or improperly configured, both of which would be interesting for a threat hunter.

### Conclusion

CrowdStrike Falcon Endpoint Protection makes it quick and easy to do proactive threat hunting. The Investigate App simplifies the task of hunting for known indicators of attack, and the Events App takes the full breadth of data available in the CrowdStrike Threat Graph and puts it at the administrator’s fingertips. While this empowers the administrator to perform their own threat hunting it is important to remember two other things about the CrowdStrike offering. First, our sensor is constantly undertaking threat hunting by looking for malicious behaviors (or Indicators of Attack) and either detecting or blocking them. This automates much of the threat hunting process and reduces the workload for our customers. Second, CrowdStrike offers Falcon Overwatch. This service is constantly performing proactive hunting across the entire Threat Graph, ensuring that all of our customers have world class threat hunting operations happening in their environment 24 hours a day.

### More Resources

Try CrowdStrike Free for 15 Days