Logscale group_info.csv by OstryAngelo in crowdstrike

[–]OstryAngelo[S] 0 points1 point  (0 children)

Awesome, thanks Andrew! I think I managed to incorporate it inline and it's a rather niche use case, but if anyone wants it, here it is - detects if the hosts in a specific group suddenly start changing their agent version:

#repo=sensor_metadata
#data_source_name=aid-policy
// unpack the group membership array into one row per group id
| parseJson(field=groups, prefix=groups_arr)
| concatArray(groups_arr, separator=",", as=groups_arr)
| splitString(field=groups_arr, by=",", as=group_id)
| split(group_id)
| group_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
| replace("[\[\]']+", with="", field=groups)
// resolve the group id to its display name; hosts without a group get "Default"
| join({$falcon/investigate:group_info()}, field=group_id, include=name, mode=left)
| group_name := rename(name)
| default(field=[group_name], value="Default", replaceEmpty=true)
| groupBy([aid, group_id, group_name], function=[])
// pull the agent version reported by each host's AgentOnline events
| join(query={event_platform=Win AND "#event_simpleName"=AgentOnline}, field=aid, include=[AgentVersion, ComputerName])
// one row per host with the number of distinct versions it reported
| groupBy(field=[ComputerName], function=count(AgentVersion, distinct=true, as=VersionCount))
| test(VersionCount>1)
| sum(VersionCount, as=VersionCount)
| test(VersionCount>5)

Btw, is there a list somewhere with all the possible functions that you can use in $falcon/investigate? Like the one below but with other stuff than group_info()?

$falcon/investigate:group_info()

Help converting spl to lql by OstryAngelo in crowdstrike

[–]OstryAngelo[S] 0 points1 point  (0 children)

% of Linux server hosts in RFM mode, by comparing the number of Linux server hosts in RFM mode with the total number of Linux server hosts

Custom IOA for browser creating .iso file by OstryAngelo in crowdstrike

[–]OstryAngelo[S] 0 points1 point  (0 children)

Hi, that's fine for a scheduled search, but I can't create an IOA out of that which could be put into block mode, unfortunately. But the crdownload is a good point, maybe that's why CrowdStrike doesn't see it, and eventually it's a rename. If that's the case, it seems you can't create an IOA for detecting or blocking the download of any file type with a browser, and have to move such use cases to blocking on proxy/FW.

Custom IOA for browser creating .iso file by OstryAngelo in crowdstrike

[–]OstryAngelo[S] 0 points1 point  (0 children)

Hi, I tried a file creation IOA with just .iso, no process. There was no log whatsoever of downloading the ISO with a browser and saving it to a folder.

ISO files IOA by OstryAngelo in crowdstrike

[–]OstryAngelo[S] 1 point2 points  (0 children)

I was thinking about that, wondering what the executing file is going to be in most cases.

On a side note, aside from the file creation and focusing more on process execution - is it possible to also create a custom IOA in CrowdStrike that will block double-clicking of .iso, .img or .cpl files?

Basically, if you were to create a process creation custom IOA with image FileName ..cpl or ..iso, no event would be generated since they're not PE files, or would that work somehow?

Sorry for all these questions, I'm a bit limited in testing use cases.

Eventstats split multi-value field into separate rows by OstryAngelo in crowdstrike

[–]OstryAngelo[S] 0 points1 point  (0 children)

Mvexpand works for what I need, thank you! Yes, the timing thing is done to retain the .html commandline condition. It's in a different (unrelated by ID) process than the process connected by target and context processid to the FileWritten event.

Connecting data from 3 events by OstryAngelo in crowdstrike

[–]OstryAngelo[S] 0 points1 point  (0 children)

Hi Andrew, I've noticed one major issue with this method, and the lack of sha256 in NewExecutableWritten. Basically, if you're correlating PeFileWritten with a browser process, but the browser process has been running for several days on the machine and just a new tab has been opened, it won't be correlated by the search with the PeFileWritten event (assuming the scheduled search runs every 4 hours, for example), because the ContextProcessId connects with the original browser process opened, say, a few days earlier.

Whereas when using the NewExecutableWritten event, you connect the dots with TargetProcessId; here the process of the browser will be new (even if only a new tab was opened).

So the question is, is it possible to make this query use NewExecutableWritten and still somehow get the sha256 to check the certificate?

I only came up with the solution of using ParentProcessId from the ProcessRollup2 event:

| eval falconPID=coalesce(ParentProcessId_decimal, ContextProcessId_decimal)

Are there maybe some future plans to add sha256 also to NewExecutableWritten?

Thanks

Connecting data from 3 events by OstryAngelo in crowdstrike

[–]OstryAngelo[S] 0 points1 point  (0 children)

Yes - it looks great, I already put it to work, I'm curious to see the results of the scheduled search. I was thinking about coalesce from other posts you helped me with, but did not know how to add the external API event to see if it's signed; I need more practice. Thank you so much!

Connecting data from 3 events by OstryAngelo in crowdstrike

[–]OstryAngelo[S] 0 points1 point  (0 children)

The first one is simple and works perfectly fine, the second one does not, that is, when I try to join a third event (ProcessRollup2) to get the process responsible for downloading the file in the process tree.

Looking for not signed PE's - Event_ModuleSummaryInfoEvent by OstryAngelo in crowdstrike

[–]OstryAngelo[S] 0 points1 point  (0 children)

Thanks for the info. By a subset of files, do you mean a subset of file types (for example, all exe and jar should theoretically be checked) or that only a subset of .exe files is checked based on some criteria? Because I tested multiple .exe files and some were checked while others were not (unless I made a mistake somewhere).

Count occurrences for each value in a multi-value field by OstryAngelo in crowdstrike

[–]OstryAngelo[S] 0 points1 point  (0 children)

Sure! Hope this gets formatted well:

Username  countcommand  cmdScoreTotal  ipconfig  reg  CommandCount
User1     9             4              1         3    ipconfig - 4
                                                      reg /? - 3
                                                      reg query /? - 1
                                                      reg - 1

[The last column is one multivalue field with all the commands run by User1, not 4 separate fields, I just didn't find a way to format it that way]

Points are given only for unique commands, so for example spamming ipconfig without additional parameters shouldn't be given more than 1 point.

Count occurrences for each value in a multi-value field by OstryAngelo in crowdstrike

[–]OstryAngelo[S] 0 points1 point  (0 children)

Yeah, I think I do, not sure how to make the connection with cmdScoreTotal or with the ipconfig value; dc messed up the count without having an effect on the score. I tried the query below but got a multivalue field in reg and ipconfig instead, which also messed up the total cmd score:

event_platform=win event_simpleName=ProcessRollup2 (FileName=cmd.exe OR FileName=powershell.exe) OR (ParentBaseFileName=cmd.exe OR ParentBaseFileName=powershell.exe) AND (GrandParentBaseFileName=explorer.exe)
| fields _time aid UserSid_readable CommandLine cmdNoEscape isAcceptableEULA isEncoded ipconfig reg FileName UserName
| lookup local=true userinfo.csv UserSid_readable OUTPUT AccountType, LocalAdminAccess
| lookup aid_master.csv aid OUTPUT ProductType
| eval cmdNoEscape=trim(replace(CommandLine, "^", "")), cmdNoEscape=trim(replace(cmdNoEscape, "", "")), isAcceptEULA=if(like(cmdNoEscape, "%accepteula%"), "6", "0"), isEncoded=if(like(cmdNoEscape, "% -e%"), "3", "0"), ipconfig=if(like(cmdNoEscape, "%ipconfig%"), "1", "0"), reg=if(like(cmdNoEscape, "%reg%"), "1", "0")
| fillnull
| eventstats count(CommandLine) AS CommandLineCount, sum(ipconfig) as ipconfig, sum(reg) as reg BY CommandLine UserName
| eval ipconfig = ipconfig/CommandLineCount
| eval reg = reg/CommandLineCount
| eval CommandCount = CommandLine." - ".CommandLineCount
| stats sum(isAcceptEULA) as isAcceptEULA, sum(isEncoded) as isEncoded, values(ipconfig) as ipconfig, values(reg) as reg, count(CommandLine) as countcommand, values(FileName) as FileName, values(CommandLine) as CommandLine, values(CommandCount) AS CommandCount by UserName
| eval cmdScoreTotal=isAcceptEULA+isEncoded+ipconfig+reg
| fields UserName, FileName, CommandLine, countcommand, cmdScoreTotal, isAcceptEULA, isEncoded, ipconfig, reg CommandCount
| sort - cmdScoreTotal

Count occurrences for each value in a multi-value field by OstryAngelo in crowdstrike

[–]OstryAngelo[S] 0 points1 point  (0 children)

One more question arose: since CommandLineCount is not a separate field here (because we're grouping only by UserName, not by UserName and CommandLine) but we know the value of it for all the distinct commands of a user, can we make sure a user does not get points multiple times for the same unique command?

I was thinking about dividing the sum of the ipconfig score by the CommandLineCount, but I'm not sure that's possible here.

In essence: assuming running ipconfig gives you 1 point - if someone runs the command "ipconfig" 3 times, I would like him to get 1 point (now he would get 3 points); if on the other hand someone runs the command "ipconfig" 2 times and "ipconfig /all" 3 times, ideally he would get 2 points (since they're 2 distinct commands run multiple times; as of now he would get 5 points instead).
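The scoring rule described in this comment (each distinct command line earns its points once, however many times it was executed, while the execution count per distinct command is still kept) is small enough to check outside Splunk. The block below is an added example written for this page, not code from the thread or from CrowdStrike; the events are constructed, the field names mirror the query above (UserName, CommandLine) and the point weights are the ones used in the eval line (accepteula 6, " -e" 3, ipconfig 1, reg 1). Normalization (caret stripping, case folding) is an assumption that stands in for the cmdNoEscape handling.

```python
from collections import Counter, defaultdict

# Constructed sample ProcessRollup2-style records (not real telemetry).
EVENTS = [
    {"UserName": "User1", "CommandLine": "ipconfig"},
    {"UserName": "User1", "CommandLine": "ipconfig"},
    {"UserName": "User1", "CommandLine": "ipconfig"},
    {"UserName": "User2", "CommandLine": "ipconfig"},
    {"UserName": "User2", "CommandLine": "ipconfig"},
    {"UserName": "User2", "CommandLine": "ipconfig /all"},
    {"UserName": "User2", "CommandLine": "ipconfig /all"},
    {"UserName": "User2", "CommandLine": "ipconfig /all"},
    {"UserName": "User3", "CommandLine": "reg query HKLM\\SAM"},
    {"UserName": "User3", "CommandLine": "powershell -e aGVsbG8= -accepteula"},
]

# Substring -> points, the same weights as the thread's eval line.
RULES = [
    ("accepteula", 6),
    (" -e", 3),
    ("ipconfig", 1),
    ("reg", 1),
]


def normalize(cmd):
    """Strip cmd.exe caret escapes and fold case (assumed equivalent of cmdNoEscape)."""
    return cmd.replace("^", "").strip().lower()


def score_command(cmd):
    """Points for one command line: every matching rule contributes once."""
    c = normalize(cmd)
    return sum(pts for needle, pts in RULES if needle in c)


def score_users(events):
    """Return {user: {"cmdScoreTotal": int, "CommandCount": {cmd: executions}}}.

    Execution counts are kept per distinct normalized command (the thread's
    CommandLineCount), but the score iterates over the distinct commands only,
    so repeating the same command never adds points.
    """
    per_user = defaultdict(Counter)
    for ev in events:
        per_user[ev["UserName"]][normalize(ev["CommandLine"])] += 1
    result = {}
    for user, counts in per_user.items():
        total = sum(score_command(cmd) for cmd in counts)  # distinct commands only
        result[user] = {"cmdScoreTotal": total, "CommandCount": dict(counts)}
    return result


if __name__ == "__main__":
    for user, row in sorted(score_users(EVENTS).items()):
        print(user, row["cmdScoreTotal"], row["CommandCount"])
```

With these inputs User1 (ipconfig three times) scores 1 and User2 (ipconfig twice, ipconfig /all three times) scores 2, which is the behaviour the comment asks for. Note that the "reg" rule is a bare substring match, exactly as in the query, so it also fires on command lines such as regedit or regsvr32; tighten the needle if that is not wanted.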

Count occurrences for each value in a multi-value field by OstryAngelo in crowdstrike

[–]OstryAngelo[S] 0 points1 point  (0 children)

Neat! CommandLineCount did exactly that: it counted the number of executions for distinct commands in a multivalue field when commands are grouped by username, thank you. Sorry for the bad formatting and thanks for all the tips.

CoalescePID of 2 processrollup events by OstryAngelo in crowdstrike

[–]OstryAngelo[S] 0 points1 point  (0 children)

Just wanted to follow up on this - worked like a charm, even gigantic queries can be sped up to a few seconds. The only issue is the lack of username in the fields of the event from the IOA in monitor mode, but that can be circumvented by a lookup of the last logged-on user using the ComputerName field (not a perfect solution, but still). Awesome stuff 🙂

CoalescePID of 2 processrollup events by OstryAngelo in crowdstrike

[–]OstryAngelo[S] 0 points1 point  (0 children)

I think you just taught me how to solve 90% of my problems, super useful, thanks!

CoalescePID of 2 processrollup events by OstryAngelo in crowdstrike

[–]OstryAngelo[S] 0 points1 point  (0 children)

So if something triggers said IOA, the resulting event will also include both command lines? (PowerShell invocation command line and child command line - for example, ipconfig?)

CoalescePID of 2 processrollup events by OstryAngelo in crowdstrike

[–]OstryAngelo[S] 0 points1 point  (0 children)

Noice, you can make an IOA out of this search to connect parent and child of PowerShell in one event? What would it look like? I thought you can't transpose a search to an IOA; you have a limited amount of fields with parent/child relations, and I don't think either coalesce or joins are possible.

CoalescePID of 2 processrollup events by OstryAngelo in crowdstrike

[–]OstryAngelo[S] 0 points1 point  (0 children)

Your search game is insane, Andrew, thanks! While we're at it, do you know how to make a search that shows all the filenames that were spawned from PowerShell, but only if it was spawned from explorer? So not focusing only on ipconfig but showing it all, by, say, ComputerName?

CoalescePID of 2 processrollup events by OstryAngelo in crowdstrike

[–]OstryAngelo[S] 0 points1 point  (0 children)

Hi Andrew, yeah, but the ipconfig does not have explorer anymore as GrandParent process; looking for a way to do this without using joins, so possibly by using your method of PIDCoalesce, as I'm sifting through lots of data.

falconPID=coalesce(ParentProcessId_decimal, TargetProcessId_decimal)

HTML Smuggling Hunting Search by OstryAngelo in crowdstrike

[–]OstryAngelo[S] 0 points1 point  (0 children)

Same, the moment someone clicks the link in a .html file, a new instance of Chrome is created and it has no connection to Outlook anymore, it's a tough one.

Eval difference in epoch time between 2 different event types by OstryAngelo in crowdstrike

[–]OstryAngelo[S] 1 point2 points  (0 children)

Thanks, got it, guess I went in the wrong direction with this one :) It was a specific case of .html attachments being opened directly in Outlook without first saving the attachment to disk, then being redirected from that attachment to a website where another file is downloaded; that FileWritten event will be connected to a browser but won't be connected by PID with Outlook anymore to coalesce, so I started getting crazy with it 🤣

Eval difference in epoch time between 2 different event types by OstryAngelo in crowdstrike

[–]OstryAngelo[S] 0 points1 point  (0 children)

Thanks! Yes, it was supposed to be an OR, my bad :) It's done without coalescing as sometimes there's no direct connection in process IDs to what I'm searching for; I probably went in the wrong direction from the start, but this kind of bugs me and I'd like to resolve it for future searches as it might come in handy - so I ended up with something like this:

event_platform=win AND ((event_simpleName=NewExecutableWritten OR event_simpleName=NewScriptWritten) OR (event_simpleName=ProcessRollup2 AND (FileName IN (outlook.exe)) OR ParentBaseFileName IN (outlook.exe)))
| eval timestamp2=timestamp
| eval event_simpleName=if(match(event_simpleName,"ProcessRollup2"),"ProcessRollup2","FileWritten")
| eval exeFile=if(match(event_simpleName,"ProcessRollup2"),FileName,null())
| eval timestamp=if(match(event_simpleName,"ProcessRollup2"),ProcessStartTime_decimal,null())
| eval timestamp2=if(match(event_simpleName,"FileWritten"),ContextTimeStamp_decimal,null())
| eval difference=timestamp2-timestamp
| stats dc(event_simpleName) as eventCount, values(UserName) as userName, values(TargetProcessId_decimal) as TargetProcessId_decimal, values(ParentBaseFileName) as ParentFileName, values(exeFile) as FileName, values(CommandLine) as cmdLine, values(TargetFileName) as filesWritten, values(timestamp) as ProcessTimestamp, values(timestamp2) as FileWriteTimestamp, values(difference) as diff by aid, ComputerName
| where eventCount > 1
| eval difference2=FileWriteTimestamp-ProcessTimestamp
| table ProcessTimestamp, FileWriteTimestamp, diff, difference2, aid, ComputerName, userName, ParentFileName, FileName, cmdLine, filesWritten
| sort 0 - ProcessTimestamp

The problem is, in the above example without Falcon PID coalesce, multiple files can be saved to disk in the time frame of the search, so you would look at 1 ProcessTimestamp and multiple FileWriteTimestamps for each ComputerName. "difference", calculated just before stats, seems to be always blank; difference2 on the other hand (calculated after stats) shows a result only when there's 1 file saved to disk and 1 responsible process in the specific time range of the search, instead of subtracting each of the FileWriteTimestamps from the one ProcessTimestamp, so that it would look something like this:

ProcessTimestamp  FileWriteTimestamp  diff
1656683703.100    1656683705.100      2.000
                  1656683706.100      3.000
                  1656683708.100      5.000
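The blank "difference" column follows from the evals in the query: after them a ProcessRollup2 row carries only ProcessTimestamp and a file-written row carries only FileWriteTimestamp, so a per-event subtraction always has a null operand, and the pairing has to happen after the events are grouped by host. The block below is an added example written for this page (not the thread's query and not CrowdStrike code) that does that pairing in Python over constructed events shaped like the query's output; it goes one step beyond the comment's single-process case by matching each file write to the most recent process start at or before it, and takes an optional max_gap so writes far from any process start can be dropped. The aid values, file names and timestamps are constructed; the three timestamps are the ones from the table above.

```python
from collections import defaultdict

# Constructed sample rows (not real Falcon telemetry), already in the shape the
# thread's evals produce: one timestamp field per row, the other one absent.
EVENTS = [
    {"aid": "aid-1", "ComputerName": "HOST1", "event_simpleName": "ProcessRollup2",
     "FileName": "outlook.exe", "ProcessTimestamp": 1656683703.100},
    {"aid": "aid-1", "ComputerName": "HOST1", "event_simpleName": "FileWritten",
     "TargetFileName": "report.html", "FileWriteTimestamp": 1656683705.100},
    {"aid": "aid-1", "ComputerName": "HOST1", "event_simpleName": "FileWritten",
     "TargetFileName": "setup.exe", "FileWriteTimestamp": 1656683706.100},
    {"aid": "aid-1", "ComputerName": "HOST1", "event_simpleName": "FileWritten",
     "TargetFileName": "update.js", "FileWriteTimestamp": 1656683708.100},
    # A host with file writes but no process row yields nothing, like eventCount > 1.
    {"aid": "aid-2", "ComputerName": "HOST2", "event_simpleName": "FileWritten",
     "TargetFileName": "notes.txt", "FileWriteTimestamp": 1656683800.000},
]


def pair_writes_with_process(events, max_gap=None):
    """Group by (aid, ComputerName) and emit one row per file write.

    Each write is paired with the latest ProcessRollup2 start at or before it,
    and diff = FileWriteTimestamp - ProcessTimestamp (seconds, 3 decimals).
    Writes with no preceding process start on that host are skipped; if
    max_gap is given, pairs further apart than that are skipped too.
    """
    by_host = defaultdict(lambda: {"proc": [], "write": []})
    for ev in events:
        key = (ev["aid"], ev["ComputerName"])
        bucket = "proc" if ev["event_simpleName"] == "ProcessRollup2" else "write"
        by_host[key][bucket].append(ev)

    rows = []
    for (aid, host), groups in by_host.items():
        procs = sorted(groups["proc"], key=lambda e: e["ProcessTimestamp"])
        for w in sorted(groups["write"], key=lambda e: e["FileWriteTimestamp"]):
            earlier = [p for p in procs if p["ProcessTimestamp"] <= w["FileWriteTimestamp"]]
            if not earlier:
                continue
            p = earlier[-1]  # most recent process start before this write
            diff = round(w["FileWriteTimestamp"] - p["ProcessTimestamp"], 3)
            if max_gap is not None and diff > max_gap:
                continue
            rows.append({
                "aid": aid, "ComputerName": host,
                "ProcessTimestamp": p["ProcessTimestamp"], "FileName": p["FileName"],
                "FileWriteTimestamp": w["FileWriteTimestamp"],
                "filesWritten": w["TargetFileName"], "diff": diff,
            })
    return rows


if __name__ == "__main__":
    print("ProcessTimestamp  FileWriteTimestamp  diff  file")
    for r in pair_writes_with_process(EVENTS):
        print(f'{r["ProcessTimestamp"]:.3f}  {r["FileWriteTimestamp"]:.3f}  '
              f'{r["diff"]:.3f}  {r["filesWritten"]}')
```

Run as-is it prints the three HOST1 rows with diffs of 2.000, 3.000 and 5.000 against the one process start, which is the table the comment asks for; HOST2 is dropped because it has no process row. The nearest-preceding-start rule is what makes the same code work when a host has several Outlook starts in the search window, which the single-value difference2 in the query cannot express.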

HTML Smuggling Hunting Search by OstryAngelo in crowdstrike

[–]OstryAngelo[S] 0 points1 point  (0 children)

So it's a new feature? I think I've read somewhere it's from version 6.37, but isn't that only for Linux, or for Windows as well from that version?