How to Hunt for Threat Activity with Falcon Endpoint Protection

Introduction to Threat Hunting with Falcon Endpoint Protection

CrowdStrike Falcon offers a powerful set of features that can be used to hunt for threat activity in your environment. The Falcon endpoint sensor is constantly monitoring and recording endpoint activity and streaming it to the CrowdStrike Threat Graph in the cloud. The data gathered by Falcon is metadata, including things like process execution, network connections, file system activity, user information, service details, script activity and admin tool usage. Storing this data in the Threat Graph ensures that the data is always available (even while endpoints are offline) and also ensures that it can be searched in real time and retrospectively – even the largest environments can get results in seconds.

CrowdStrike Falcon provides two applications for threat hunting. The first is the Investigate App. This is designed to take the complexity out of threat hunting so that anyone can quickly understand their exposure to known threats. The second is the Events App. This is meant for power users who want full access to the data in the Threat Graph so that they can do more advanced, proactive threat hunting. This document will cover both apps in detail.


Prerequisites

In order to perform threat hunting with Falcon, the following requirements must be met:

  • Client operating system: Windows 7 SP1 or higher (and server equivalents), Mac OS X Yosemite or higher, RHEL or CentOS 6 or higher, Ubuntu 14.04
  • For advanced threat hunting, the Events App must be enabled

Investigate App: Step-By-Step Procedure

The Investigate App allows administrators to search for indicators of compromise in their environment. This aids in understanding their exposure to known threats, while also providing the ability to drill-down and pivot to explore the context around malicious and suspicious activity. All searches are conducted on the CrowdStrike Threat Graph. This ensures that you get immediate results no matter how large your organization, and it also ensures that you get results from both online and offline systems.

Step 1

Go to the CrowdStrike Falcon Endpoint Protection login page and log in

login-screen

Step 2

Navigate to the Investigate App and click on the Bulk Domain Search tab

bulk-domain-search


Step 3

Enter a domain. In this example, we insert multiple domains. Note that they are separated by a space and that only the domain name is required (there is no need to enter http:// or https:// or www.). Click submit to begin the search.

domains

The search will now query all of your data in the Threat Graph. If any system in your environment has ever connected to one of these domains, you will see a result. If the search result area is blank, none of your systems have tried to connect to those domains. In the image below, we expand the Bulk Domain Search query above to include google.com (a quick way to verify that the feature is working). In this example, we see connections to google.com but not to any of the malicious domains that we included in the search.

discovered-domains

Step 4

Click on the Hash tab to move to the hash search screen

bulk-hash-tab

Step 5

To search for a file in your environment, you will need to specify the filename, MD5 hash or SHA256 hash. In this example, we use a SHA256 hash from an indicator of compromise (IOC) and also set the search time range to 30 days. Click submit to execute the search.

search-hash

Step 6

If the file has been encountered in your environment, you will see results similar to the image below. Note that almost all elements of the search results are links, allowing you to further explore and understand the file’s impact.

hash-detected

Step 7

To continue the investigation, click on the hostname (the second column in the Hosts that loaded specific hash section). This is a system where the file has been seen. Clicking on the hostname will bring you to a screen that shows all activity on that system. You can see that Falcon has detected and prevented a number of malicious activities on the system, including attempted malware execution and also suspicious activity that looks like a lateral movement attempt. By getting a hit on the original file hash search, it looks like we have uncovered a more advanced intrusion attempt.

host-detection-hash

Events App: Step-By-Step Procedure

The Events App is for power users who want to access all of their data in the CrowdStrike Threat Graph. It leverages the Splunk search interface to handle complex queries that are often required for more advanced threat hunting. In this section, we will review three advanced hunting queries from our Threat Hunting Guide. This document is available to all CrowdStrike customers, partners and individuals who are testing the product. To request the full document, please contact us.

Step 1

Navigate to the Events App

navigate-to-events

Step 2

Click into the search box, then set the search time frame to Last 24 Hours. You can begin with simple, one-word searches such as a hostname, username or file hash. Click the search icon (magnifying glass) to begin the search. You will get results similar to the image below.

basic-host-search

Step 3

Clear the contents of the search bar and paste the following syntax. Then hit the search icon to execute the search.

event_simpleName=ProcessRollup2 FileName=powershell.exe (CommandLine=*-enc* OR CommandLine=*encoded*) | table ComputerName UserName FileName CommandLine

This search looks for encoded PowerShell commands that have executed in your environment. This activity is interesting to threat hunters because legitimate administrators typically do not encode their PowerShell commands. However, this is very common activity for attackers. The image below indicates what it looks like when encoded PowerShell commands have been executed in your environment.

Results are consolidated into four tabs: Events, Patterns, Statistics and Visualization. Explore each tab to see the different results available.

search-1-with-tabs
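The Events App query above matches the literal strings "-enc" and "encoded". The following added example (not code from the page or from CrowdStrike) reproduces the same hunt offline over constructed ProcessRollup2-style records, and goes a little further than the query: it recognizes every spelling of the switch that powershell.exe accepts (-e, -en, -enc, ... -EncodedCommand, and the short form -ec), and decodes the Base64/UTF-16LE payload so an analyst can read the script in the result row. The pwsh.exe image and the sample command lines are assumptions constructed for the example.

```python
import base64
import binascii
import shlex

# Images whose command lines are inspected. The page's query covers powershell.exe;
# pwsh.exe (PowerShell 7) is added here as an assumption.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# powershell.exe accepts -EncodedCommand under any prefix (-e, -en, -enc, ...)
# plus the short form -ec, so a literal "-enc" match misses some variants.
ENCODED_SWITCH = "encodedcommand"


def encode_command(script: str) -> str:
    """Build the form PowerShell expects: UTF-16LE text, Base64 encoded.
    Used here only to construct realistic sample command lines."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def is_encoded_switch(token: str) -> bool:
    """True if the token is the -EncodedCommand switch in any accepted spelling."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name == "ec" or ENCODED_SWITCH.startswith(name)


def decode_payload(token: str):
    """Decode the argument that follows the switch. Returns None when it is not
    valid Base64/UTF-16LE, which is itself worth a second look."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def tokenize(command_line: str) -> list:
    """Split a Windows command line; fall back to whitespace on unbalanced quotes."""
    try:
        return shlex.split(command_line, posix=False)
    except ValueError:
        return command_line.split()


def hunt_encoded_powershell(events: list) -> list:
    """One hit per ProcessRollup2 event that launched PowerShell with an encoded
    command: the page's table columns plus the decoded script."""
    hits = []
    for ev in events:
        if ev.get("event_simpleName") != "ProcessRollup2":
            continue
        if ev.get("FileName", "").lower() not in POWERSHELL_IMAGES:
            continue
        tokens = tokenize(ev.get("CommandLine", ""))
        for i, tok in enumerate(tokens):
            if is_encoded_switch(tok):
                payload = tokens[i + 1] if i + 1 < len(tokens) else ""
                hits.append({
                    "ComputerName": ev.get("ComputerName"),
                    "UserName": ev.get("UserName"),
                    "FileName": ev.get("FileName"),
                    "CommandLine": ev.get("CommandLine"),
                    "Decoded": decode_payload(payload),
                })
                break
    return hits


# Constructed sample records in the shape of ProcessRollup2 events; not data from the page.
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS01", "UserName": "alice",
     "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc " + encode_command("Write-Host 'hello'")},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "SRV02", "UserName": "svc_backup",
     "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS03", "UserName": "bob",
     "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -ec " + encode_command("Get-Process")},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS04", "UserName": "carol",
     "FileName": "cmd.exe", "CommandLine": "cmd.exe /c echo -enc"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS05", "UserName": "dave",
     "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand notbase64!!"},
]

if __name__ == "__main__":
    for hit in hunt_encoded_powershell(SAMPLE_EVENTS):
        print(hit["ComputerName"], hit["UserName"], "->", hit["Decoded"])
```

Run as a script it prints three rows: WS01 and WS03 with their decoded scripts, and WS05 with a None payload because the argument after -EncodedCommand is not valid Base64. The SRV02 launch uses -ExecutionPolicy, which is not a prefix of -EncodedCommand, and the cmd.exe row is excluded by the image filter, matching the behaviour of the page's FileName=powershell.exe clause.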

Step 4

Clear the contents of the search bar and paste the following syntax. Then hit the search icon to execute the search.

aid=* event_simpleName="DnsRequest" | rename ContextProcessId as TargetProcessId | join TargetProcessId [search aid=* event_simpleName="ProcessRollup2" ImageFileName="*notepad.exe"] | table ComputerName timestamp ImageFileName DomainName CommandLine

This search is designed to look for network connections coming from applications that typically don’t make network connections. In this example, we look across the entire environment for instances where notepad.exe attempts to make outbound connections. This information is useful for threat hunters because notepad.exe should never be making outbound connections, so any hit against this search almost certainly indicates a threat.
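The query above correlates two event types: a DnsRequest carries the id of the process that made the lookup (ContextProcessId), and the matching ProcessRollup2 record supplies the image and command line. The following added example (not code from the page or from CrowdStrike) performs that rename-and-join offline over constructed events so the mechanics are visible. It also adds the check a practitioner wants: process ids are only meaningful within one sensor, so the join key is scoped by aid, and the scope_by_aid=False path shows how a join on the bare process id mis-attributes a lookup from another host. The watch-list entries beyond notepad.exe, the sensor ids and the sample domains are assumptions constructed for the example.

```python
# Constructed sample events (not data from the page). DnsRequest records carry
# ContextProcessId, ProcessRollup2 records carry TargetProcessId, and both carry
# the sensor id (aid). Process id 1001 repeats across two sensors on purpose.
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "aid": "sensor-b", "TargetProcessId": "1001",
     "ComputerName": "WS02", "timestamp": "2024-05-01T09:00:00Z",
     "ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"event_simpleName": "ProcessRollup2", "aid": "sensor-a", "TargetProcessId": "1001",
     "ComputerName": "WS01", "timestamp": "2024-05-01T09:01:00Z",
     "ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"event_simpleName": "ProcessRollup2", "aid": "sensor-a", "TargetProcessId": "1002",
     "ComputerName": "WS01", "timestamp": "2024-05-01T09:02:00Z",
     "ImageFileName": "\\Device\\HarddiskVolume2\\Program Files\\Browser\\browser.exe",
     "CommandLine": "browser.exe"},
    {"event_simpleName": "DnsRequest", "aid": "sensor-a", "ContextProcessId": "1001",
     "timestamp": "2024-05-01T09:05:00Z", "DomainName": "update-check.example"},
    {"event_simpleName": "DnsRequest", "aid": "sensor-a", "ContextProcessId": "1002",
     "timestamp": "2024-05-01T09:06:00Z", "DomainName": "www.example.com"},
    {"event_simpleName": "DnsRequest", "aid": "sensor-b", "ContextProcessId": "1001",
     "timestamp": "2024-05-01T09:07:00Z", "DomainName": "time.example"},
]

# Images that have no business resolving names. The page's query uses notepad.exe;
# the other entries are assumptions added for illustration.
NO_NETWORK_IMAGES = {"notepad.exe", "calc.exe", "mspaint.exe"}


def image_basename(path: str) -> str:
    """Reduce a sensor-style device path to the executable name, lower-cased,
    so the watch list can be compared like the page's ImageFileName="*notepad.exe"."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def join_dns_to_process(events, watchlist=NO_NETWORK_IMAGES, scope_by_aid=True):
    """Equivalent of the page's rename + join: index ProcessRollup2 by process id,
    look each DnsRequest up by its ContextProcessId, and keep lookups made by a
    watch-listed image. scope_by_aid=False joins on the bare process id, which
    confuses hosts whose process ids happen to coincide."""
    procs = {}
    for ev in events:
        if ev.get("event_simpleName") != "ProcessRollup2":
            continue
        key = (ev["aid"], ev["TargetProcessId"]) if scope_by_aid else ev["TargetProcessId"]
        procs[key] = ev
    hits = []
    for ev in events:
        if ev.get("event_simpleName") != "DnsRequest":
            continue
        key = (ev["aid"], ev["ContextProcessId"]) if scope_by_aid else ev["ContextProcessId"]
        proc = procs.get(key)
        if proc is None or image_basename(proc["ImageFileName"]) not in watchlist:
            continue
        # Same columns as the page's table command.
        hits.append({
            "ComputerName": proc["ComputerName"],
            "timestamp": ev["timestamp"],
            "ImageFileName": proc["ImageFileName"],
            "DomainName": ev["DomainName"],
            "CommandLine": proc["CommandLine"],
        })
    return hits


if __name__ == "__main__":
    for row in join_dns_to_process(SAMPLE_EVENTS):
        print(row["ComputerName"], row["timestamp"], row["DomainName"], row["CommandLine"])
    print("naive join rows:", len(join_dns_to_process(SAMPLE_EVENTS, scope_by_aid=False)))
```

With the aid-scoped key the hunt returns the single genuine row (notepad.exe on WS01 resolving update-check.example). Joining on the process id alone returns two rows, because the svchost.exe lookup from WS02 shares process id 1001 and is wrongly attributed to notepad.exe. The browser's lookup is dropped in both modes since it is not on the watch list.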

Step 5

Clear the contents of the search bar and paste the following syntax. Then hit the search icon to execute the search.

event_simpleName="ProcessRollup2" (FileName=w3wp.exe OR FileName=sqlservr.exe OR FileName=httpd.exe OR FileName=nginx.exe) UserName="LOCAL SYSTEM" | dedup aid | table ComputerName UserName ImageFileName CommandLine

This search is designed to look for inappropriate use of the Local System account. Web servers and database servers should not be configured to run under this account; instead, they should have dedicated accounts with restricted privileges. If those servers are seen using this account, they are either compromised or improperly configured, both of which are interesting to a threat hunter.

search-2

Conclusion

CrowdStrike Falcon Endpoint Protection makes it quick and easy to do proactive threat hunting. The Investigate App simplifies the task of hunting for known indicators of attack, and the Events App takes the full breadth of data available in the CrowdStrike Threat Graph and puts it at the administrator’s fingertips. While this empowers the administrator to perform their own threat hunting, it is important to remember two other things about the CrowdStrike offering. First, our sensor is constantly undertaking threat hunting by looking for malicious behaviors (or Indicators of Attack) and either detecting or blocking them. This automates much of the threat hunting process and reduces the workload for our customers. Second, CrowdStrike offers Falcon OverWatch. This service is constantly performing proactive hunting across the entire Threat Graph, ensuring that all of our customers have world-class threat hunting operations happening in their environment 24 hours a day.
