GithubHelp home page GithubHelp logo

projecttime / crowdstrike-falcon-queries Goto Github PK

View Code? Open in Web Editor NEW

This project forked from pe3zx/crowdstrike-falcon-queries

0.0 1.0 0.0 5 KB

A collection of Splunk's Search Processing Language (SPL) for Threat Hunting with CrowdStrike Falcon

License: MIT License

crowdstrike-falcon-queries's Introduction

crowdstrike-falcon-queries

A collection of Splunk's Search Processing Language (SPL) for Threat Hunting with CrowdStrike Falcon

Developed and maintained by Intelligent Response team, i-secure co., Ltd.

Execution of Renamed Executables

This query is inspired by Red Canary's research. For explanation in Thai, please find in our blog.

Idea:

  • Identify if there are any events with file renaming activity — found that CrowdStrike Falcon already had a specific field name for executables, NewExecutableRenamed.
  • Correlate TargetFileName field on NewExecutableRenamed event with a filename available on ImageFileName field on ProcessRollup2 event.
  • Create a result table with ComputerName, timestamp, ImageFileName, and CommandLine as columns.
event_simpleName="NewExecutableRenamed"
| rename TargetFileName as ImageFileName
| join ImageFileName 
    [ search event_simpleName="ProcessRollup2" ]
| table ComputerName SourceFileName ImageFileName CommandLine

List of Living Off The Land Binaries with Network Connections

This query is inspired by Red Canary's research. For explanation in Thai, please find in our blog.

Idea:

  • Identify if there are any events relating to network activity — found that CrowdStrike Falcon has DnsRequest and NetworkConnectIP4 events. We’re going to use the DnsRequest event in this query.
  • Correlate ContextProcessId field from DnsRequest event with TargetProcessId on ProcessRollup2 event.
  • Create a sub-search to filter only known LOLBas files.
  • Create a result table with ComputerName, timestamp, ImageFileName, and CommandLine as columns.

Because our hunting query required a list of known LOL binaries/files for filtering, we need to enumerate a list of files available on LOLBAS-Project/LOLBas, which can simple by done by a grep expression: grep -Poh "(?<=Name:\s)[A-Za-z0-9_-]+.exe$" OSBinaries/

event_simpleName="DnsRequest"
| rename ContextProcessId as TargetProcessId
| join TargetProcessId 
    [ search event_simpleName="ProcessRollup2" (FileName=Atbroker.exe OR FileName=Bash.exe OR FileName=Bitsadmin.exe OR FileName=Certutil.exe OR FileName=Cmd.exe OR FileName=Cmstp.exe OR FileName=Control.exe OR FileName=Cscript.exe OR FileName=Csc.exe OR FileName=Dfsvc.exe OR FileName=Diskshadow.exe OR FileName=Dnscmd.exe OR FileName=Esentutl.exe OR FileName=Eventvwr.exe OR FileName=Expand.exe OR FileName=Extexport.exe OR FileName=Extrac32.exe OR FileName=Findstr.exe OR FileName=Forfiles.exe OR FileName=Ftp.exe OR FileName=Gpscript.exe OR FileName=Hh.exe OR FileName=Ie4uinit.exe OR FileName=Ieexec.exe OR FileName=Infdefaultinstall.exe OR FileName=Installutil.exe OR FileName=Jsc.exe OR FileName=Makecab.exe OR FileName=Mavinject.exe OR FileName=Mmc.exe OR FileName=Msconfig.exe OR FileName=Msdt.exe OR FileName=Mshta.exe OR FileName=Msiexec.exe OR FileName=Odbcconf.exe OR FileName=Pcalua.exe OR FileName=Pcwrun.exe OR FileName=Presentationhost.exe OR FileName=Print.exe OR FileName=Regasm.exe OR FileName=Regedit.exe OR FileName=Register-cimprovider.exe OR FileName=Regsvcs.exe OR FileName=Regsvr32.exe OR FileName=Reg.exe OR FileName=Replace.exe OR FileName=Rpcping.exe OR FileName=Rundll32.exe OR FileName=Runonce.exe OR FileName=Runscripthelper.exe OR FileName=Schtasks.exe OR FileName=Scriptrunner.exe OR FileName=Sc.exe OR FileName=SyncAppvPublishingServer.exe OR FileName=Verclsid.exe OR FileName=Wab.exe OR FileName=Wmic.exe OR FileName=Wscript.exe OR FileName=Wsreset.exe OR FileName=Xwizard.exe) ] 
| table ComputerName timestamp ImageFileName DomainName CommandLine

Suspicious Network Connections from Processes

This query is inspired by Red Canary's research. For explanation in Thai, please find in our blog.

Idea:

  • Identify network activities recorded by CrowdStrike falcon with the DNSRequest or NetworkConnectIP4 event, in this query we will use NetworkConnectIP4.
  • Correlate ContextProcessId_decimal with TargetProcessId_decimal on ProcessRollup2 events
  • Create a result table with RemoteIP, RemotePort_decimal, ImageFileName, UserName and UserSid_readable.
event_simpleName="NetworkConnectIP4"
| rename ContextProcessId_decimal as TargetProcessId_decimal
| join TargetProcessId_decimal 
    [ search event_simpleName=ProcessRollup2 ]
| table RemoteIP RemotePort_decimal ImageFileName UserName UserSid_readabl

Suspicious PowerShell Process, Spawned from Explorer, with Network Connections

This query is inspired by Red Canary's research. For explanation in Thai, please find in our blog.

Idea:

  • Identify network activities recorded by CrowdStrike falcon with the DNSRequest event
  • Correlate ContextProcessId field on DNSRequest with TargetProcessId on ProcessRollup2 and SyntheticProcessRollup2 events
  • With a combination of rename-join-subsearch, the outer nested sub-search will be created and responsible for identifying a TargetProcessId_decimal of Explorer.exe from ProcessRollup2 event, and then join with the inner nested sub-search that responsible to find PowerShell.exe which has the same ParentProcessId_decimal as TargetProcessId_decimal of Explorer.exe
  • Create a result table with ComputerName, timestamp, ImageFileName, DomainName, and CommandLine

Be aware that whenever ParentProcessId_decimal is used, you may need to extend a search scope longer than usual. Because some processes, especially system processes, usually have high uptime but been abused recently.

event_simpleName="DnsRequest"
| rename ContextProcessId as TargetProcessId
| join TargetProcessId 
    [ search (event_simpleName="ProcessRollup2" OR event_simpleName="SyntheticProcessRollup2") AND FileName="explorer.exe" 
    | rename TargetProcessId_decimal as ParentProcessId_decimal 
    | join ParentProcessId_decimal 
        [ search event_simpleName="ProcessRollup2" FileName="powershell.exe" ]] 
| table ComputerName timestamp ImageFileName DomainName CommandLine

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.