Gathering and using threat intelligence is a core cyber security capability that most organizations are still maturing. As that capability matures, access to broader data sets becomes more critical, and that is where Falcon MalQuery (CrowdStrike's malware search engine) comes in.
Falcon MalQuery is a search engine for malware that lets you search for and attribute samples from your investigations. Access to such a vast collection of samples is critical to making better determinations about the source, code reuse, and familial attributes of the malware you are researching. A data set of this size also aids hunting, prevention, and YARA rule creation and monitoring.
- Over 1 Billion Samples going back 5 years
- Indexed for fast searching
- Flexible search capabilities for strings, hex, or even YARA rules
The figure below illustrates the typical malware research process that many organizations adopt; MalQuery exists to simplify each step of that process.
In this video we’ll go over the purpose behind MalQuery and how you can use it to aid in your malware research process.
A Day in the Life
As a malware researcher, you encounter an unmanaged asset, not protected by CrowdStrike, that has been infected with ransomware. Where do you start? With MalQuery we can start the investigation from a unique string related to the sample. In this example we take the Bitcoin wallet ID from the ransom note to see whether other samples use the same wallet, and whether it has been seen elsewhere in our environment.
With the Bitcoin wallet ID copied, we’ll search MalQuery’s database for related samples:
The search results give a timeline of when samples containing this wallet ID were first seen, and an idea of the malware families associated with it.
Taking things even further, we can download the sample to investigate for other characteristics.
After downloading the sample we use the "strings" utility to extract all runs of readable characters and look for unique messages inside the binary. Skimming the output, we find a string of interest: the ransom message. We can use MalQuery to identify any other samples that carry the same message.
Searching for the ransom message yields results; the matching samples go back as far as 2016, and the hits give us an idea of the delivery method and the likely malware family.
Hex Based Search
Another important aspect of malware research is being able to search your library of malware by hex values. This lets you quickly identify other samples that share the same byte patterns, even when the surrounding strings differ.
Actor Attribution and Intelligence Reports
Beyond identifying other samples with the same characteristics, you can identify possible adversaries and review reports on their tactics, techniques, and procedures (TTPs). CrowdStrike publishes a variety of intelligence reports, released weekly or in response to an emerging threat. The intel reports are also tailored to specific verticals (government, financial, technology, etc.), threat actors, and motivations.
YARA Rule Validation
Another reason MalQuery is unique is that it lets you validate YARA rules against CrowdStrike's extensive library of malware. Validating your rules against this library matters because it surfaces false positives and shows the real scope of a rule before you deploy it. YARA rule validation in MalQuery takes seconds or minutes, rather than the days it can take against a self-maintained and incomplete body of malware samples.
YARA Rule Monitoring
YARA Monitoring automatically runs saved YARA rules against new files as they are loaded into MalQuery. For any monitored rule you can receive notifications for files that match, either by email or through the MalQuery API.
Falcon MalQuery is a malware search engine that gives you quick access to a continually updated malware library (over 1 billion samples) along with unique capabilities such as YARA rule validation and monitoring. Falcon MalQuery is part of Falcon X Premium and is also offered as a standalone capability.
- CrowdStrike 15-Day Free Trial
- CrowdStrike Tech Center
- Sign up for a weekly Falcon demo
- Request a 1:1 Demo
- Guide to AV Replacement
- CrowdStrike Products
- White Paper on Falcon OverWatch
How to Contain an Infected System
Hi there. My name's Peter Ingebrigtsen. And today, we've logged into falcon.crowdstrike.com, or the Falcon User Interface.
And what we’re going to do is take a look at some of our systems and recognize that some of them are either currently under attack or recently been under attack, and may have been compromised. And we’d like to contain that system until we can further get to it, get our hands on it, and get a little bit more information out of it, or just prevent it from doing any more damage than it’s already done.
In order to do that, you need to be on your Detections app. You can do that by going to the radar here on the left-hand side. If you’re not already, or if your user interface doesn’t open that when you first log in, head there. And then just select the Recent Detections.
When that opens, you’ll notice that you can filter by any number of criteria, but we’re looking at some of the more recent events or situations that are going on. And you’ll notice that the same single machine has noticed a lot of different scenarios with privilege escalation or web exploits. And these severities are high to critical.
And we’d like to log in there, maybe do a little something, take a little closer look, and see if there’s something we should do. Obviously, we should do something. And as we start to dig through here, we see that there’s a lot of detection patterns, whether that be known malware, credential theft, or web exploits. We can see in the process tree a lot of different commands that were issued that look at that privilege escalation that we noticed earlier– or start to set that up.
So, we know that there’s something bad going on, and we’d like to take action right away. So, what we want to do is network contain this machine. But what I want to show you, as well, is that as we do this– I’m going to go to the machine itself. And I’d like to start a continuous ping so that you can watch the behavior and how long it takes to respond to this network containment.
Now, while we contain this– or take this machine off the network– we don't kill the connection to the CrowdStrike Cloud. So that, as we get our hands on it– we clean it up, we feel comfortable putting it back on to the network– we can still operate or control that machine through the user interface that we have here.
The other thing I’d like to do is start a large download, so that we initiate with a single TCP connection– and there happens to be one in process– as opposed to the ping, where there may be multiple TCP resets or individual TCP threads going every time. So that you can see that as we contain this machine, it literally just knocks it off the network.
Forgive my screen, but I’ve changed the resolution for YouTube and for appearance purposes.
But as I come in here– and this will be right at the middle of the screen– this actually says Device Actions. And I’d like to contain it.
Now, as we do that, we have some options to make some notes. Contained by Peter. Multiple threats observed. Whatever notes you’d like to make– and then select Contain.
Now, the second we do this, on the left-hand side, you’ll see how quickly it takes for that to respond. So, immediately, almost in real time, you see a network failure on the download, and the ping test– or the continuous ping fail. So, we can close that.
Now, let’s say we’re a couple days later, this machine’s cleaned up, ready to go, and be put back in the network. You can go ahead and lift the network containment, again, from the user interface. We still have that connection to the machine, even though all the other network connections have been terminated.
So, as we do that, all good. Uncontain. And you’ll notice that almost immediately that ping starts to fire right back up again.
So, network containment is a powerful tool that we can use if we see something immediately taking action or if we see something recently in the past, and we’d like to get that machine off the network– almost quarantine it– so that it can’t do any more damage.
So, this has been network containment of network devices in the Falcon Sensor User Interface platform. Thanks again for watching.