Introduction to Threat Hunting with Falcon Endpoint Protection
CrowdStrike Falcon offers a powerful set of features that can be used to hunt for threat activity in your environment. The Falcon endpoint sensor is constantly monitoring and recording endpoint activity and streaming it to the CrowdStrike Threat Graph in the cloud. The data gathered by Falcon is metadata, including things like process execution, network connections, file system activity, user information, service details, script activity and admin tool usage. Storing this data in the Threat Graph ensures that the data is always available (even while endpoints are offline) and also ensures that it can be searched in real time and retrospectively – even the largest environments can get results in seconds.
CrowdStrike Falcon provides two applications for threat hunting. The first is the Investigate App. This is designed to take the complexity out of threat hunting. The second is the Events App. This is meant for users who want full access to the data in the Threat Graph which allows for more advanced, proactive threat hunting. This document will cover both apps in detail.
Threat Hunting Demo Video
Investigate App: Hunting Scenarios
The Investigate App allows administrators to search for indicators of compromise in their environment. This aids in understanding their exposure to known threats, while also providing the ability to drill down and pivot to explore the context around malicious and suspicious activity. All searches are conducted on the CrowdStrike Threat Graph. This ensures that you get immediate results no matter how large your organization, and it also ensures that you get results from both online and offline systems.
Go to CrowdStrike Falcon Endpoint Protection Login Page and login
Navigate to the Investigate App and click on Bulk Domain Search Tab
Scenario 1 – Domain Search
Enter a domain. In this example, we insert multiple domains. Note that they are separated by a space and that only the domain name is required (there is no need to enter http:// or https:// or www.). Click submit to begin the search.
The search will now query all of your data in the Threat Graph. If any system in your environment has ever connected to one of these domains, you will see a result. If the search result area is blank, it means that none of your systems have tried to connect to that domain. In the image below, we expand the Bulk Domain Search query from step 4 to include google.com (this is a quick way to verify that the feature is working). In this example, we see connections to google.com but not to any of the malicious domains that we included in the search.
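Added example (not from the page or from CrowdStrike): a small normalizer that turns a pasted block of indicators into the space-separated, bare-domain format the Bulk Domain Search expects, stripping the scheme, `www.`, ports and paths the page says are not needed, dropping duplicates, and reporting the tokens it skipped as not being plausible domain names. The sample indicator text and the `.test` domains in it are constructed for the example; the function names are assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample of a pasted IOC list (not from the page): full URLs,
# mixed case, a port, a trailing dot, a duplicate and one malformed entry.
SAMPLE_IOC_TEXT = """
https://www.bad-example.test/path/to/payload.exe
http://Bad-Example.TEST:8080/
www.evil-example.test
evil-example.test.
not a domain!!
google.com
"""

# One DNS label: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_domain(token: str) -> Optional[str]:
    """Reduce one pasted token to the bare hostname the Bulk Domain Search wants:
    lowercase, no scheme, no www., no port, no path. Returns None when the token
    does not look like a domain name."""
    token = token.strip().rstrip(".").lower()
    if not token:
        return None
    # urlsplit only populates hostname when a scheme is present, so give bare
    # hostnames a placeholder scheme before parsing.
    if "://" not in token:
        token = "http://" + token
    host = urlsplit(token).hostname or ""
    if host.startswith("www."):
        host = host[4:]
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return None
    return host


def build_bulk_domain_query(text: str) -> Tuple[str, List[str]]:
    """Return the space-separated query string and the list of skipped tokens,
    mirroring the search's behaviour of ignoring malformed entries and
    searching the rest."""
    kept: List[str] = []
    skipped: List[str] = []
    for token in text.split():
        host = normalize_domain(token)
        if host is None:
            skipped.append(token)
        elif host not in kept:
            kept.append(host)
    return " ".join(kept), skipped


if __name__ == "__main__":
    query, skipped = build_bulk_domain_query(SAMPLE_IOC_TEXT)
    print("paste into Bulk Domain Search:", query)
    print("skipped:", skipped)
```

Including a known-good domain such as google.com in the pasted list, as the page suggests, gives a quick positive control that the search is returning results at all.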
Scenario 2: Hash Search
Click on the Hash tab to move to the hash search screen
To search for a file in your environment, you will need to specify the filename, MD5 hash or SHA256 hash. In this example, we use a SHA256 hash from an indicator of compromise (IOC) and also set the search time range to 30 days. Click submit to execute the search.
If the file has been encountered in your environment, you will see results similar to the image below. Note that almost all elements of the search results are links, allowing you to further explore and understand the file’s impact.
Scenario 3: Pivot to Host Search
Directly from the “Hash Search” page, click on the hostname (the second column in the Hosts that loaded specific hash section). This is a host where the hash has run. Clicking on the hostname will bring you to a screen that shows all activity on that system, including information not related to suspicious activity. Falcon has detected and prevented a number of malicious activities on the system, including attempted malware execution and also suspicious activity that looks like a lateral movement attempt. By getting a hit on the original file hash search, it looks like we have uncovered additional suspicious behavior.
Events App: Advanced Hunting
The Events App is for power users who want to access all of their data in the CrowdStrike Threat Graph. It leverages the Splunk search interface to handle complex queries that are often required for more advanced threat hunting. In this section, we will review three advanced hunting queries from our Threat Hunting Guide. This document is available to all CrowdStrike customers, partners and individuals who are testing the product. To request the full document, please contact us.
Navigate to the Events App
Click into the search box, then set the search time frame to Last 24 Hours. You can begin with simple, one-word searches such as a hostname, username or file hash. Click the search icon (magnifying glass) to begin the search. You will get results similar to the image below.
Scenario 4: PowerShell Activity
Clear the contents of the search bar and paste the following syntax. Then hit the search icon to execute the search.
event_simpleName=ProcessRollup2 FileName=powershell.exe (CommandLine=*-enc* OR CommandLine=*encoded*) | table ComputerName UserName FileName CommandLine
This search looks for encoded PowerShell commands that have executed in your environment. This activity is interesting to threat hunters because legitimate administrators typically do not encode their PowerShell commands. However, this is very common activity for attackers. The image below indicates what it looks like when encoded PowerShell commands have been executed in your environment.
Results are consolidated by tabs. There are four tabs: Events, Patterns, Statistics and Visualization. Explore each tab to see the different results available.
Scenario 5: Inappropriate Local System Account Usage
Clear the contents of the search bar and paste the following syntax. Then hit the search icon to execute the search.
event_simpleName="ProcessRollup2" (FileName=w3wp.exe OR FileName=sqlservr.exe OR FileName=httpd.exe OR FileName=nginx.exe) UserName="LOCAL SYSTEM" | dedup aid | table ComputerName UserName ImageFileName CommandLine
This search is designed to look for inappropriate use of the Local System account. Web servers and database servers should not be configured to use this account; instead, they should run under dedicated accounts with restricted privileges. If those servers are seen using this account, it means that they are either compromised or improperly configured, both of which would be interesting to a threat hunter.
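Added example (not from the page or from CrowdStrike): the two Events App hunts above, the encoded PowerShell search from Scenario 4 and the Local System search from Scenario 5, re-expressed as Python over constructed ProcessRollup2-style records, so the matching logic (the page's wildcard terms, the FileName filter, `dedup aid`) can be read and run. It also decodes the `-EncodedCommand` payload, which the query itself does not do, so a hunter can see what an encoded command actually ran. The field names are the ones the page's queries use; the sample records, hostnames, paths and the decoder are assumptions.

```python
import base64
import re
from typing import Dict, Iterable, List, Optional


def _utf16_b64(cmd: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE command text."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# Constructed ProcessRollup2-style records (not real Falcon telemetry); only
# the fields the two hunts reference are present.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event_simpleName": "ProcessRollup2", "aid": "aid-001", "ComputerName": "WKS-01",
     "UserName": "alice", "FileName": "powershell.exe",
     "ImageFileName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand " + _utf16_b64("Write-Output 'hunt me'")},
    {"event_simpleName": "ProcessRollup2", "aid": "aid-002", "ComputerName": "WKS-02",
     "UserName": "bob", "FileName": "powershell.exe",
     "ImageFileName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"event_simpleName": "ProcessRollup2", "aid": "aid-002", "ComputerName": "WKS-02",
     "UserName": "bob", "FileName": "cmd.exe", "ImageFileName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo -enc is just text here"},
    {"event_simpleName": "ProcessRollup2", "aid": "aid-003", "ComputerName": "SRV-WEB-01",
     "UserName": "LOCAL SYSTEM", "FileName": "w3wp.exe",
     "ImageFileName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": 'c:\\windows\\system32\\inetsrv\\w3wp.exe -ap "DefaultAppPool"'},
    {"event_simpleName": "ProcessRollup2", "aid": "aid-003", "ComputerName": "SRV-WEB-01",
     "UserName": "LOCAL SYSTEM", "FileName": "w3wp.exe",
     "ImageFileName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": 'c:\\windows\\system32\\inetsrv\\w3wp.exe -ap "ApiPool"'},
    {"event_simpleName": "ProcessRollup2", "aid": "aid-004", "ComputerName": "SRV-DB-01",
     "UserName": "svc_sql", "FileName": "sqlservr.exe",
     "ImageFileName": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "CommandLine": '"C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe" -sMSSQLSERVER'},
]

# Same terms as the page's query: CommandLine=*-enc* OR CommandLine=*encoded*
_ENCODED_FLAG = re.compile(r"-enc|encoded", re.IGNORECASE)
# Captures the base64 argument after the common spellings of the flag; the
# required whitespace keeps "-ExecutionPolicy" from matching "-e".
_ENC_ARG = re.compile(r"-(?:encodedcommand|encoded|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Server binaries named in the Scenario 5 query.
SERVER_BINARIES = {"w3wp.exe", "sqlservr.exe", "httpd.exe", "nginx.exe"}


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Recover the plaintext of a -EncodedCommand argument for triage. Returns
    None when no flag is present or the payload is not base64-wrapped UTF-16LE."""
    m = _ENC_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def hunt_encoded_powershell(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Scenario 4: powershell.exe executions whose command line carries an
    encoded command; rows mirror the page's `table` plus the decoded text."""
    rows = []
    for ev in events:
        if ev.get("event_simpleName") != "ProcessRollup2":
            continue
        if ev.get("FileName", "").lower() != "powershell.exe":
            continue
        cmd = ev.get("CommandLine", "")
        if not _ENCODED_FLAG.search(cmd):
            continue
        rows.append({"ComputerName": ev["ComputerName"], "UserName": ev["UserName"],
                     "FileName": ev["FileName"], "CommandLine": cmd,
                     "DecodedCommand": decode_encoded_command(cmd) or ""})
    return rows


def hunt_local_system_servers(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Scenario 5: web/database server processes running as LOCAL SYSTEM, one
    row per sensor id (aid), as `dedup aid` keeps the first event per aid."""
    seen_aids = set()
    rows = []
    for ev in events:
        if ev.get("event_simpleName") != "ProcessRollup2":
            continue
        if ev.get("FileName", "").lower() not in SERVER_BINARIES:
            continue
        if ev.get("UserName") != "LOCAL SYSTEM" or ev["aid"] in seen_aids:
            continue
        seen_aids.add(ev["aid"])
        rows.append({k: ev[k] for k in ("ComputerName", "UserName", "ImageFileName", "CommandLine")})
    return rows


if __name__ == "__main__":
    for row in hunt_encoded_powershell(SAMPLE_EVENTS):
        print("encoded PowerShell:", row["ComputerName"], row["UserName"], "->", row["DecodedCommand"])
    for row in hunt_local_system_servers(SAMPLE_EVENTS):
        print("LOCAL SYSTEM server:", row["ComputerName"], row["ImageFileName"])
```

The cmd.exe record with `-enc` in its arguments is there to show why the FileName filter matters: the wildcard terms alone would match it, but it is not PowerShell and not an encoded command. The second w3wp.exe record on the same sensor is collapsed by the aid dedup, exactly as the page's query produces one line per host rather than one per worker process.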
CrowdStrike Falcon Endpoint Protection makes it quick and easy to do proactive threat hunting. The Investigate App simplifies the task of hunting for known indicators of attack, and the Events App takes the full breadth of data available in the CrowdStrike Threat Graph and puts it at the administrator’s fingertips. While this empowers the administrator to perform their own threat hunting, it is important to remember two other things about the CrowdStrike offering. First, our sensor is constantly undertaking threat hunting by looking for malicious behaviors (or Indicators of Attack) and either detecting or blocking them. This automates much of the threat hunting process and reduces the workload for our customers. Second, CrowdStrike offers Falcon OverWatch. This service is constantly performing proactive hunting across the entire Threat Graph, ensuring that all of our customers have world-class threat hunting operations happening in their environment 24 hours a day.
How to Hunt for Threat Activity with Falcon Host Endpoint Protection
[INTRO MUSIC]
The Falcon user interface has lots of tools to help you hunt for threat activities in your organization. Today, I’m going to help you walk through and give a few examples of some of these.
We’ll start off with dashboards. There are three types of dashboards, the executive summary, which is a high level overview of everything that’s going on in your organization, the detection activity, which is different ways to organize the detections in your organization, and then, finally, the detection resolution, which are the cases that have been opened and closed and then organized in different reports.
Today we’re going to focus on the detection activity dashboard. The detection activity dashboard lays out detections in a multitude of ways. Initially at the top, we have just detections, so the more recent detections are listed from top to bottom. Then towards the middle of the page, we have detection count by scenario, device count by scenario, and then detection count by severity and device count by severity. And then we also have this geographical breakdown here as well. Below this section, you’ll see the detections are divided into hosts, users, files, and then detection by scenario, severity, and then host, and hash at the very bottom.
If you come in from lunch or back from your weekend and you’d like to look at your detections and prioritize highest to lowest, you could just come in here into the dashboards and click on high. Doing so will take you over to the activity dashboard and list all of your detections with the severity high; you’ll notice the filter at the top. Then, selecting any of the alerts, you can get additional information about that particular event.
Here we can see that Metasploit’s meterpreter has been loaded into a process. This may be an alarming process and completely unexpected, at which point you’d like to take action. You can do that here by just coming and clicking this network contain action, or you can create a new case, set the status, assign it to a particular user, enter a comment, and then update. Using the dashboards, we’ve gone from a high level overview of detections to a very granular individual detection and being able to take action immediately, whether that is to contain it or assign it to a specific case.
Next, we’ll look at the investigate app and, specifically, the bulk domain search. Today, many people use IOCs as a way of searching for events in their organization that they may or may not be aware of. Here we’re going to look at bulk domain search. Using the malwaredomainlist.com list and the CrowdScrape plug-in, we’ll scrape all of the domains from this particular page to search for them in our environment. Back in the bulk domain search, you can just paste the list here. The format is a space between each particular domain that you’re looking for. If for whatever reason that is configured incorrectly, that particular domain or domains will be skipped and the rest will be searched.
A quick look here identifies that Hotmail.com was on that suspicious list. If we’d like to dig in further, we can use VirusTotal to verify whether the process that looked up the specific domain was good or perhaps malicious. In this case, we see that it’s chrome.exe, and using this service, that no one has it as a malicious process. If we do suspect that the process might be malicious, we can also contain the host directly from the domain search page here.
Finally, the event search is another way to hunt for threat activities in our organization. Some of you may recognize this as the Splunk query language. And if you’re familiar with that, then great. However, if you’re not, our hunting ninjas have created a hunting guide that you can find here in the support app under documents. The Falcon Host hunting guide for Windows categorizes a handful of different search queries that you can use to look for different types of events in your organization.
Let’s start off by looking at suspicious processes. While PowerShell is a common tool used in every organization, it’s very uncommon for PowerShell to be running encoded commands. Searching for this command here in our organization will give us a list of computers that are running encoded PowerShell on their systems. This might be a good indicator that that system has been compromised and those searches or commands are being carried out in an attempt to keep from being discovered.
We can quickly see that there are two different events in our organization. And going over from the Statistics tab to the Events tab, we can see these events laid out in a different way providing context around each individual event. We can also see the full command that was given or passed in that PowerShell session.
You may be interested in finding servers that are running under a local system account. This could be one of two things. One, that we have servers that are improperly configured, or it could mean it’s owned and someone has escalated privileges in trying to carry out commands on that server. Back in the events app, we merely copy and paste and see if we find anything in our organization. In this case, we do see that there is a server that is running with local system privileges. This may be nothing, but it also may be something worth investigating.
Apparently moving back to the hunting guide, perhaps we’ve identified a few things that might be suspicious, but we’d like to look a little bit further. We’d like to see if anyone is using the remote desktop protocol to talk to or connect to those servers that we’ve identified as suspicious. Copying this command here and pasting it back into the Event tab will give us that type of visibility. And again, we see that remote desktop was used to access the server that we previously identified as running with local system privileges. This might be something that needs to be addressed right away.
Using the Falcon interface and the different tools such as the dashboard, the investigate app, and the event app provides you all the search capabilities you need to identify threats in your organization.
[MUSIC PLAYING]