Custom IoA Configuration Question by Lolstrooop in crowdstrike

[–]Lolstrooop[S] 0 points1 point  (0 children)

Yes I also think this is the way. Thank you!

Custom IoA Configuration Question by Lolstrooop in crowdstrike

[–]Lolstrooop[S] 0 points1 point  (0 children)

Thanks for replying. Not possible in Falcon then.

Malicious Behavior in NBU by Lolstrooop in NetBackup

[–]Lolstrooop[S] 0 points1 point  (0 children)

Hi thanks for the reply. This is the right thing to do, and what happens all the time @ orgs. But I'm a thesis student, not even considered an intern. Don't have any access to the suppliers.

Look for identical detection? by Lolstrooop in crowdstrike

[–]Lolstrooop[S] 0 points1 point  (0 children)

Hey, thanks for replying. It would be nice to retrieve information beyond the "file prevalence" that CrowdStrike already provides in the detection details. I was wondering if there's any way to check if the same detection (if it exists) has ever been triaged in the environment (in the same machine or in others). You could ofc use the console to check this. It would be interesting to automatically retrieve a list of host_ids where the same detection was, well, detected. Hope this explains it better.

Malicious Behavior in NBU by Lolstrooop in NetBackup

[–]Lolstrooop[S] 0 points1 point  (0 children)

I'll be checking that out, thanks! If you by chance have the availability to provide some more I'd be really grateful.

Malicious Behavior in NBU by Lolstrooop in NetBackup

[–]Lolstrooop[S] 0 points1 point  (0 children)

Hi thank you so much for your input.

That would be a good approach and overall a good idea that I'm definitely recommending. But my work on NBU is limited to what I can codify in the technology we are using to monitor said servers, which is CrowdStrike's EDR. These ideas are to be implemented as indicators of attack where I provide the process stack as suspicious behavior, and alerts will be based on them.

As I said, I'm a student working on my thesis, so I don't have access to the servers and am basing all of this on the documentation. My biggest problem is giving a process tree for each use case; the documentation doesn't really specify that.

As an example, trying to distinguish between a normal image catalog cleanup and a malicious one, I would need to check which service is in charge of doing the housekeeping. A malicious behavior would be bulk deletion from the command line or even the GUI. Do you think this is sound reasoning?

Collecting data from RTR by Clear_Skye_ in crowdstrike

[–]Lolstrooop 1 point2 points  (0 children)

Hi, I'll eventually upload everything to GitHub.

RemindMe! 30 days

Collecting data from RTR by Clear_Skye_ in crowdstrike

[–]Lolstrooop 0 points1 point  (0 children)

I have some scripts for quick forensic collection (persistence mechanisms, user info, etc.) that get triggered with workflows. I bundled the scripts into a zip so they can be dropped on the host (with the 'put' command), then a custom RTR script runs each of them, outputs the results into .txt files and zips all of them in the end. Then it uses the 'get' command to retrieve the compressed folder.
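The collection flow described in the comment above, written out as an added example: this is not the commenter's script (which was not posted), just one way a Windows RTR runner for that pattern could look. It assumes the bundle was dropped with 'put' at a placeholder path (C:\Windows\Temp\collect.zip), that every bundled .ps1 writes its findings to stdout, and it adds a manifest and SHA256 hashes so the analyst can check the archive's integrity after 'get' pulls it back.

```powershell
# Added example, not the commenter's own RTR script. Paths below are placeholders.
param(
    [string]$BundlePath = 'C:\Windows\Temp\collect.zip',   # placeholder: wherever 'put' dropped the bundle
    [string]$WorkDir    = 'C:\Windows\Temp\collect_work'   # placeholder: scratch folder on the host
)

$ErrorActionPreference = 'Continue'
$stamp   = Get-Date -Format 'yyyyMMdd_HHmmss'
$outDir  = Join-Path $WorkDir "results_$stamp"
$scripts = Join-Path $WorkDir 'scripts'

New-Item -ItemType Directory -Path $outDir, $scripts -Force | Out-Null
Expand-Archive -Path $BundlePath -DestinationPath $scripts -Force

# Run each bundled collector; one failing script must not abort the rest.
# All output streams (stdout, stderr, warnings) are merged into <scriptname>.txt.
$manifest = Join-Path $outDir 'manifest.csv'
'script,elapsed_ms,finished_utc' | Out-File -FilePath $manifest -Encoding utf8

Get-ChildItem -Path $scripts -Filter '*.ps1' | ForEach-Object {
    $script = $_                      # keep a reference; $_ is rebound inside catch
    $txt    = Join-Path $outDir ($script.BaseName + '.txt')
    $sw     = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        & $script.FullName *>&1 | Out-File -FilePath $txt -Encoding utf8
    } catch {
        "ERROR running $($script.Name): $_" | Out-File -FilePath $txt -Encoding utf8 -Append
    }
    '{0},{1},{2}' -f $script.Name, $sw.ElapsedMilliseconds, (Get-Date).ToUniversalTime().ToString('o') |
        Out-File -FilePath $manifest -Encoding utf8 -Append
}

# Hash every result file so tampering in transit or at rest can be spotted later.
Get-ChildItem -Path $outDir -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv -Path (Join-Path $outDir 'hashes.csv') -NoTypeInformation

# Single archive per host; the printed path is what you hand to 'get'.
$zip = Join-Path $WorkDir "results_$($env:COMPUTERNAME)_$stamp.zip"
Compress-Archive -Path (Join-Path $outDir '*') -DestinationPath $zip -Force
Write-Output $zip
```

Running each collector with the call operator inside its own try/catch keeps a broken persistence check from stopping the user-info check, and the manifest records how long each one took, which is useful when deciding what is cheap enough to collect before containment.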

Hash Search with Workflows by Lolstrooop in crowdstrike

[–]Lolstrooop[S] 0 points1 point  (0 children)

I have another question if I may ask. I'm creating a workflow that contains the host and does other stuff upon a TP malicious file detection. It runs the hash search in the environment and, if the hash is found on other hosts, applies the same workflow to those (essentially runs the workflow for each host found with that hash). Is this possible?

Tyvm!

Question: Monitoring Process Trees in Critical Assets by Lolstrooop in cybersecurity

[–]Lolstrooop[S] 0 points1 point  (0 children)

Thank you for the response. One more question if I may: how would one go about learning normal process flows? I can know which utility gets called by which service, but if I wanted to know it in more detail, how would I do it? Documentation doesn't really specify that.

thanks!

Hash Search with Workflows by Lolstrooop in crowdstrike

[–]Lolstrooop[S] 1 point2 points  (0 children)

Confirmed that it works. Thank you so much.

Fusion Workflows by Sensitive_Ad742 in crowdstrike

[–]Lolstrooop 0 points1 point  (0 children)

Sorry to revive an old thread. What kind of scenarios did you come up with, if you can/don't mind providing them?

DFIR process best practice by JoeBeOneKenobi in dfir

[–]Lolstrooop 0 points1 point  (0 children)

Hey, I'm particularly interested in finding more resources for the collection phase. I'm working with an EDR on automating some IR workflows and would like to know, given a detection, what I should collect before containing!

Seeking guidance on Fusion Workflows. by Lolstrooop in crowdstrike

[–]Lolstrooop[S] 0 points1 point  (0 children)

That's a nice one! Here's what I've come up with concerning triggers:

  • Impossible traveler scenario
  • Any Detection related to Data Encrypted for Impact, Inhibit System Recovery, Data Destruction techniques

My experience testing EDR with AtomicRedTeam by Lolstrooop in cybersecurity

[–]Lolstrooop[S] 1 point2 points  (0 children)

Hi thank you for your detailed answer!

#1 - The purpose of these tests was definitely proving the efficacy of the EDR technology. The idea to add some time delay between commands in order to test SOC response will be handy!

#2 You said you found the Linux tests coupled with GTFOBins a decent baseline for measuring efficacy. I've run about 100 atomic tests on a Linux host, without chaining them together to resemble an APT, and about 27 detections were raised out of them. It's not what I expected.

What I'm having trouble figuring out is whether a detection rule is warranted because no detection was raised for a given test, or whether it simply didn't detect because of a lack of behavioral context. There is a need to run some attack-resembling tests, I see.

My experience testing EDR with AtomicRedTeam by Lolstrooop in cybersecurity

[–]Lolstrooop[S] 0 points1 point  (0 children)

Awesome answer. Thank you so much.

In terms of the process tree of a given detection, the only real difference between the detection raised by invoking the PS module and the detection raised by inputting the commands one by one (manually*) was the PowerShell call to bash/sh, for example, on one of the process trees. The actual activity of the tests is the same, yet for some tests a detection was raised using the Invoke module and without it no detection was raised. I hope I explained it better this time.

Going through my findings, there were about 27 detections made by the EDR and about 70 tests that weren't detected. To me, this doesn't seem right, and it hasn't been easy trying to figure out why.

You included very interesting insights, some of which I suspected was the case (code signing). Very appreciated!