How to Hunt for Threat Activity with CrowdStrike Falcon® Endpoint Protection

In this video, we will demonstrate how to hunt for threat activity in your environment with CrowdStrike Falcon®. First, we see how you can use Falcon to search for indicators of compromise (IOCs). Then we take a broader look at how we can use built-in dashboards to quickly uncover and investigate suspicious activity. Finally, we see how power users can craft precise queries to search for new and unique attacker tactics, techniques and procedures (TTPs) on data stored in the CrowdStrike Threat Graph.

More Resources:

Read Video Transcript

How to Hunt for Threat Activity with Falcon Host Endpoint Protection

The Falcon user interface has lots of tools to help you hunt for threat activities in your organization. Today, I’m going to help you walk through and give a few examples of some of these.

We’ll start off with dashboards. There are three types of dashboards, the executive summary, which is a high level overview of everything that’s going on in your organization, the detection activity, which is different ways to organize the detections in your organization, and then, finally, the detection resolution, which are the cases that have been opened and closed and then organized in different reports.

Today, we’re going to focus on the detection activity dashboard. The detection activity dashboard leaves out detections in a multitude of ways. Initially at the top, we have just detection, so the more recent detections are listed from top to bottom. Then towards the middle of the page, we have detection count by scenario, device count by scenario, and then detection count by severity and device count by severity. And then we also have this geographical breakdown here as well. Below this section, you’ll see the detections are divided into hosts, users, files, and then detection by scenario, severity, and then host, and hash at the very bottom. If you come in from lunch or back from your weekend and you’d like to look at your detections and prioritize highest to lowest, you could just come in here into the dashboards and click on high. Doing so will take you over to the activity dashboard and lists all of your detections with the severity high, you’ll notice the filter at the top. Then selecting any of the alerts, you can get additional information about that particular event. Here we can see that the Metasploit’s meterpreter has been loaded into a process. This may be an alarming process and completely unexpected, at which point you’d like to take action. You can do that here by just coming and clicking this network contain action or you can create a new case, set the status, assign to a particular user, and enter a comment, and then update. Using the dashboards, we’ve gone from high level overview of detections to very granular individual detection and being able to take action immediately whether that to contain it or assign it to a specific case.

Next, we’ll look at the Investigate App and, specifically, the bulk domain search. Today, many people use IOCs as a way of searching for events in their organization that they may or may not be aware of. Here we’re going to look at bulk domain search. And using the malware domain list.com list and using the CrowdScrape plug-in, we’ll scrape all of the domains from this particular page to search for it in our environment. Back in the bulk domain search, you can just paste the list here. The format is a space between each particular domain that you’re looking for. If for whatever reason that is configured incorrectly, that particular domain or domains will be skipped and the rest will be searched. A quick look here identifies that Hotmail.com was on that suspicious list. If we’d like to dig in further, we can use the VirusTotal to verify that the process that looked up the specific domain was good or perhaps malicious. In this case, we see that it chrome.exe, and using this service, that no one has it is a malicious process. If we do suspect that the process might be malicious, we can also contain the host directly from the domain search page here.

Finally, the event search is another way to hunt for threat activities in our organization. Some of you may recognize this as a spunk query language. And if you’re familiar with that, then great. However, if you’re not, our hunting ninjas have created a hunting guide that you can find here in the support app under documents. The Falcon Host hunting guide for Windows categorizes a handful of different search queries that you can use to look for different types of events in your organization.

Let’s start off by looking at suspicious processes. While PowerShell is a common tool used in every organization, it’s very uncommon for PowerShell to be running encoded commands. Searching for this command here in our organization will give us a list of computers who are running encoded PowerShell on their systems. This might be a good indicator that that system has been compromised and those searches or commands are being carried out in an attempt to keep from being discovered. We can quickly see that there are two different events in our organization. And going over from the Statistics tab to the Events tab, we can see these events laid out in a different way providing context around each individual event. We can also see the full command that was given or passed in that PowerShell session. You may be interested in finding servers that are running under a local system account. This could be one of two things. One, that we have servers that are improperly configured, or it could mean it’s owned and someone has escalated privileges in trying to carry out commands on that server.

Back to your Events App, we merely copy and paste and see if we find anything in our organization. In this case, we do see that there is a server that is running with local system privileges. This may be nothing, but it also may be something worth investigating. Apparently moving back to the hunting guide, perhaps we’ve identified a few things that might be suspicious, but we’d like to look a little bit further. We’d like to see if anyone is using any remote desktop protocol to talk to or connect to those servers that we’ve identified as suspicious. Copying this command here and pasting it back into the Event tab will give us that type of visibility. And again, we see the remote desktop was used to access the server that we previously identified was running local system privileges. This might be something that needs to be addressed right away.

Using the Falcon interface and the different tools such as the dashboard, the investigate app, and the event app, provides you all the search capabilities you need to identify threats in your organization.

TECHNICAL CENTER

  • OS icon
  • deployment icon
  • installation icon

For technical information on installation, policy configuration and more, please visit the CrowdStrike Tech Center.

Visit the Tech Center