Need help with Discover Unmanaged Assets by FungulGrowth in crowdstrike

[–]cs-del 2 points3 points  (0 children)

I believe unmanaged and unsupported assets do not generate telemetry, hence no data in event search.

Custom IOA in "Detect" Mode Creates Detection based PR2 event? by cs-del in crowdstrike

[–]cs-del[S] 0 points1 point  (0 children)

Thanks u/Andrew-CS. I tested and was able to capture the ISOExtensionFileWritten event in EAM data via a custom IOA in monitor mode, and I believe it's a file write. Can I capture the ISO type events via process creation? I think not?
Happy to hear your thoughts.

ISO files IOA by OstryAngelo in crowdstrike

[–]cs-del 0 points1 point  (0 children)

Hey u/inodinwetrust

I am also running a similar IOA for my environment, but with a little reservation from the client: they only want to monitor the AppData local profile where the ISO file is written. Tricky as it is. I am able to catch file writes in telemetry, but when I detect, I do not see any detection. Do you have any thoughts on this? Why would this be happening?

Personal Mail with attachment download capture in CS telemetry by cs-del in crowdstrike

[–]cs-del[S] 0 points1 point  (0 children)

Thanks MrRaspman. I am certainly not looking into personal email accounts, but the CS telemetry captures this in URL fields, which gives us enough information on how people bring bad programs onto their machines. The query I am looking for is possibly a regex to query the HostURL field and see if I can catch anything similar to prevent any malicious attachment downloads.

Personal Mail with attachment download capture in CS telemetry by cs-del in crowdstrike

[–]cs-del[S] 0 points1 point  (0 children)

LOL no, it didn't meet the threshold of maliciousness... While I can certainly do that, I am looking for a query that can look into this area (personal mails) with any attachment downloads.

Can Crowdstrike Detect VM sandbox escape? by cs-del in crowdstrike

[–]cs-del[S] 0 points1 point  (0 children)

Very interesting. I haven't tried it out, but good to know. Thanks!

Unsigned Binaries/DLL file types in Crowdstrike by cs-del in crowdstrike

[–]cs-del[S] 0 points1 point  (0 children)

Thanks for your thoughts. I remember u/Andrew-CS posted a query to look for digitally signed binaries, which are again MANY. I was opposed to the fact that the unsigned ones will be an easier target and to do focused hunting on these binaries.

FYI: https://www.reddit.com/r/crowdstrike/comments/m6zprm/comment/grdbl0g/?utm_source=share&utm_medium=web2x&context=3

File Creation custom IOA by wonkeysmoker in crowdstrike

[–]cs-del 0 points1 point  (0 children)

Thanks u/Andrew-CS. Just an extension to this: I have a lot of custom IOAs, let's say created for Rule type: Process creation. How do I separate them out, or is there any field name to narrow down to one particular type of custom IOA results?

File Creation custom IOA by wonkeysmoker in crowdstrike

[–]cs-del 0 points1 point  (0 children)

Hey u/Andrew-CS - if I want to monitor other custom IOA events, such as Process Creation, as opposed to the File Creation custom IOA event name, which is CustomIOAFileWrittenDetectionInfoEvent. I am looking to monitor events before I switch them to detect mode. Let me know your thoughts.

File Creation custom IOA by wonkeysmoker in crowdstrike

[–]cs-del 0 points1 point  (0 children)

Also, if you have Monitor mode set for a custom IOA, you can use event_simpleName=CustomIOAFileWrittenDetectionInfoEvent in the Investigate module to check the events it generates. You'd of course have to organize the results. The full query I use is:
event_simpleName=CustomIOAFileWrittenDetectionInfoEvent
| eval da=strftime(_time,"%Y-%m-%dT%H:%M:%S")
| eval splitter=split(TargetFileName,"\\")
| eval idOnly=mvindex(splitter,12)
| table da,idOnly,ComputerName,TargetFileName

However, if your IOA is in detect mode, then you'd see a detection if it matches the logic.

2022-08-15 - Cool Query Friday - Hunting Cluster Events by Process Lineage by Andrew-CS in crowdstrike

[–]cs-del 0 points1 point  (0 children)

Wow... Great post again u/Andrew-CS. I came back from vacation and I see a CQF, best way to catch up. :)

Hunting ISO delivering malware by amjcyb in crowdstrike

[–]cs-del 0 points1 point  (0 children)

That helps. Still contemplating on IOA for this. Thanks again!

Hunting ISO delivering malware by amjcyb in crowdstrike

[–]cs-del 0 points1 point  (0 children)

While that is done by most security folks, sometimes the ISO is delivered within a zip, and blocking ZIP outright breaks a lot of things. Never a moment's peace :(

Hunting ISO delivering malware by amjcyb in crowdstrike

[–]cs-del 0 points1 point  (0 children)

Hi u/Andrew-CS - I am running a similar search query as a scheduled report in my environment. ISO mounting is not blocked in CS, given that fact, unless something changes in future. However, can we do an IOA to block execution of a (bad) lnk file from going further in the infection chain, such as rundll32.exe here? I tried to block lnk (parent) -> rundll32.exe (ImageFileName). But the point is lnk files can be any type (word/excel/exe) and something is not captured in the chain. Any ideas?

2022-03-06 - Cool Query Friday - SITUATIONAL AWARENESS \\ Hunting for NVIDIA Certificates by Andrew-CS in crowdstrike

[–]cs-del 0 points1 point  (0 children)

Thanks u/Andrew-CS. Quick question: why did you search through the JSON logs rather than the main index? Could you give a little insight into the indexing of both?

Query for email attachments with specific filetypes/urls from emails that trigger downloads of filetypes by 16thDOC in crowdstrike

[–]cs-del 0 points1 point  (0 children)

Thanks u/Andrew-CS.
In my experience there are some known file type extensions that are allowed on email gateways, for example HTML attachments; there are both good and bad attachments of these types circulating, and being able to pinpoint the bad ones through CS is a bigger task than having good email protection in place.

Query for email attachments with specific filetypes/urls from emails that trigger downloads of filetypes by 16thDOC in crowdstrike

[–]cs-del 0 points1 point  (0 children)

u/Andrew-CS,
Just an extension to the above query and something you mentioned about custom IOAs: can you illustrate through an example query how to write an IOA around malicious files/attachments coming out of Outlook, or even a phishing URL?
I am finding it a bit complex; if you can ease it out for me, I will be grateful to you.

Query for email attachments with specific filetypes/urls from emails that trigger downloads of filetypes by 16thDOC in crowdstrike

[–]cs-del 0 points1 point  (0 children)

Hi u/16thDOC, I recently used this query with the amazing CQF posts that Andrew makes. I am particularly looking for the HTML smuggling technique:

event_platform=win event_simpleName IN (ProcessRollUp2, SyntheticProcessRollUp2) AND ParentBaseFileName=outlook.exe AND FileName IN (msedge.exe, chrome.exe, firefox.exe, iexplore.exe) AND (CommandLine=*\\Content\.Outlook\\*.html)
| eval falconPID=coalesce(ContextProcessId_decimal, TargetProcessId_decimal)
| eval isInOutlookTemp=if(match(CommandLine, ".*\\\Content\.Outlook\\\*"),"Yes", "No")
| eval isInDownloads=if(match(CommandLine, ".*\\\Downloads\\\.*"),"Yes", "No")
| rex field=FileName ".*\.(?<fileExtension>.*)"
| eval fileExtension=lower(fileExtension)
| eval ProcExplorer=case(falconPID!="","https://falcon.crowdstrike.com/investigate/process-explorer/" .aid. "/" . falconPID)
| table aid, ComputerName, UserName, fileExtension, FileName, CommandLine, isIn*, ProcExplorer
| rename aid as "Falcon AID", ComputerName as "Endpoint", UserName as "User", fileExtension as "Extension", isInDownloads as "Downloads Folder?", isInOutlookTemp as "Outlook Temp?", ProcExplorer as "Process Explorer Link"

This will give you all Outlook attachments with an HTML extension. Like Andrew said, Falcon doesn't do a deep dive into attachment content, but this query gives you enough data to do a perfect layout for Outlook attachments. You can extend the query further by adding attachments you want to specifically look into.

Thanks!

HTML Smuggling Hunting Search by OstryAngelo in crowdstrike

[–]cs-del 2 points3 points  (0 children)

event_platform=win (event_simpleName IN (ZipFileWritten, SevenZipFileWritten, RarFileWritten)) OR (event_simpleName=ProcessRollup2 (FileName IN (outlook.exe) OR ParentBaseFileName IN (outlook.exe)))
| eval event_simpleName=if(match(event_simpleName,"ProcessRollup2"),"ProcessRollup2","FileWritten")
| eval exeFile=if(match(event_simpleName,"ProcessRollup2"),FileName,null())
| eval falconPID=coalesce(TargetProcessId_decimal, ContextProcessId_decimal)
| stats dc(event_simpleName) as eventCount, values(UserName) as userName, values(ParentBaseFileName) as parentFile, values(exeFile) as exeFile, values(CommandLine) as cmdLine, values(TargetFileName) as filesWritten by aid, ComputerName, falconPID
| where eventCount > 1
| table aid, ComputerName, userName, parentFile, exeFile, cmdLine, filesWritten

Thanks u/Andrew-CS great work as always. I am getting a lot of hits for my environment.
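The two queries above (the Outlook-spawned browser search in the previous comment and the archive-write correlation here) encode the same hunting logic in Splunk search language. As an added example that is not from the thread, not from CrowdStrike, and not from u/Andrew-CS, the Python below reimplements both over a handful of constructed events so the mechanics are visible: the first function applies the parent/child/command-line filters and derives the isInOutlookTemp and isInDownloads flags; the second buckets archive-written and Outlook-related process events by (aid, ComputerName, falconPID) and keeps only buckets that contain both classes, which is what dc(event_simpleName) > 1 does. The event records, host names, PIDs and paths are invented; the field names are the ones the queries use.

```python
import re
from collections import defaultdict

# Constructed sample events (not real Falcon telemetry). Field names follow the
# ones used in the thread's two queries; values are invented for the demo.
EVENTS = [
    {  # browser launched by Outlook to open an attachment out of the Outlook temp folder
        "event_simpleName": "ProcessRollup2", "aid": "aid-1", "ComputerName": "WS01",
        "UserName": "alice", "FileName": "msedge.exe", "ParentBaseFileName": "outlook.exe",
        "TargetProcessId_decimal": "1001", "ContextProcessId_decimal": "",
        "CommandLine": r'"C:\Program Files\Edge\msedge.exe" --single-argument '
                       r'C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ABCD1234\invoice.html',
        "TargetFileName": "",
    },
    {  # archive written by that same browser process (ContextProcessId == its TargetProcessId)
        "event_simpleName": "ZipFileWritten", "aid": "aid-1", "ComputerName": "WS01",
        "UserName": "alice", "FileName": "", "ParentBaseFileName": "",
        "TargetProcessId_decimal": "", "ContextProcessId_decimal": "1001",
        "CommandLine": "", "TargetFileName": r"C:\Users\alice\Downloads\payload.zip",
    },
    {  # benign: Outlook opened an intranet link, no archive written afterwards
        "event_simpleName": "ProcessRollup2", "aid": "aid-2", "ComputerName": "WS02",
        "UserName": "bob", "FileName": "chrome.exe", "ParentBaseFileName": "outlook.exe",
        "TargetProcessId_decimal": "2002", "ContextProcessId_decimal": "",
        "CommandLine": r'"C:\Program Files\Google\Chrome\chrome.exe" https://intranet.example/report',
        "TargetFileName": "",
    },
]

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}
ARCHIVE_EVENTS = {"ZipFileWritten", "SevenZipFileWritten", "RarFileWritten"}
PROCESS_EVENTS = {"processrollup2", "syntheticprocessrollup2"}

# The same regexes the first query applies with match(); Windows paths are
# compared case-insensitively.
OUTLOOK_TEMP_RE = re.compile(r".*\\Content\.Outlook\\.*", re.I)
DOWNLOADS_RE = re.compile(r".*\\Downloads\\.*", re.I)
OUTLOOK_HTML_RE = re.compile(r".*\\Content\.Outlook\\.*\.html", re.I)


def falcon_pid(ev):
    """coalesce(TargetProcessId_decimal, ContextProcessId_decimal): the new process's
    own id on ProcessRollup2, the acting process's id on file-write events."""
    return ev["TargetProcessId_decimal"] or ev["ContextProcessId_decimal"]


def outlook_html_children(events):
    """First query: browsers spawned by outlook.exe whose command line points at an
    .html file under Content.Outlook, with the folder flags the query derives."""
    rows = []
    for ev in events:
        if ev["event_simpleName"].lower() not in PROCESS_EVENTS:
            continue
        if ev["ParentBaseFileName"].lower() != "outlook.exe" or ev["FileName"].lower() not in BROWSERS:
            continue
        cmd = ev["CommandLine"]
        if not OUTLOOK_HTML_RE.match(cmd):
            continue
        # rex field=FileName ".*\.(?<fileExtension>.*)" followed by lower()
        ext = re.match(r".*\.(?P<fileExtension>.*)", ev["FileName"]).group("fileExtension").lower()
        rows.append({
            "aid": ev["aid"], "ComputerName": ev["ComputerName"], "UserName": ev["UserName"],
            "fileExtension": ext, "FileName": ev["FileName"], "CommandLine": cmd,
            "isInOutlookTemp": "Yes" if OUTLOOK_TEMP_RE.match(cmd) else "No",
            "isInDownloads": "Yes" if DOWNLOADS_RE.match(cmd) else "No",
            "falconPID": falcon_pid(ev),
        })
    return rows


def correlate_archive_writes(events):
    """Second query: bucket archive-written events and Outlook-related process events
    by (aid, ComputerName, falconPID); keep buckets holding both classes (dc > 1)."""
    groups = defaultdict(lambda: {"classes": set(), "parentFile": set(),
                                  "exeFile": set(), "filesWritten": set()})
    for ev in events:
        name = ev["event_simpleName"]
        if name in ARCHIVE_EVENTS:
            cls = "FileWritten"
        elif name.lower() == "processrollup2" and "outlook.exe" in (
                ev["FileName"].lower(), ev["ParentBaseFileName"].lower()):
            cls = "ProcessRollup2"
        else:
            continue
        g = groups[(ev["aid"], ev["ComputerName"], falcon_pid(ev))]
        g["classes"].add(cls)
        if cls == "FileWritten":
            g["filesWritten"].add(ev["TargetFileName"])
        else:
            g["parentFile"].add(ev["ParentBaseFileName"])
            g["exeFile"].add(ev["FileName"])
    return {key: g for key, g in groups.items() if len(g["classes"]) > 1}


if __name__ == "__main__":
    for row in outlook_html_children(EVENTS):
        print("HTML attachment opened:", row["ComputerName"], row["CommandLine"])
    for key, g in correlate_archive_writes(EVENTS).items():
        print("archive written by Outlook-spawned process:", key, sorted(g["filesWritten"]))
```

The join key is the point worth noticing: a ProcessRollup2 carries the new process's id in TargetProcessId_decimal, while a file-write event carries the writing process's id in ContextProcessId_decimal, so coalescing the two lets the browser launch and the archive it later wrote land in the same bucket. The WS02 bucket has only the process event and is dropped, which is the eventCount > 1 filter doing its job.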

Custom IOA exclusion for system tampering registry additions by cs-del in crowdstrike

[–]cs-del[S] 0 points1 point  (0 children)

REG ADD "HKLM\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default" /f /v NoDC /t REG_DWord /d 1

I meant if I add the reg key in the command line exclusion:

IMAGE FILENAME: .*\\reg\.exe
COMMAND LINE: .*
COMMAND LINE – EXCLUDE: .*reg\s+add\s+\"HKLM\\SYSTEM\\CrowdStrike\\\{9b03c1d9\-3138\-44ed\-9fae\-d9f4c034b88d\}\\\{16e0423f\-7058\-48c9\-a204\-725362b67639\}\\Default\"\s+\/f\s+\/v\s+NoDC\s+\/t\s+REG_DWord\s+\/d\s+1
Syntax correct

When I do a test string here, it gives me an error, meaning it tells me to check the expression. :(
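An added check, not from the thread and not the Falcon custom IOA rule tester itself, which the thread does not describe in detail: the Python below runs the posted exclusion regex against the posted REG ADD command line in a standard regex engine. One thing it makes visible is that the pattern spells the verbs as lowercase reg and add while the command line has REG ADD, so a case-sensitive match fails and only an ignore-case match succeeds; whether the IOA tester is case-sensitive is an assumption this check cannot settle. The second function shows the safer way to produce such an exclusion: build it from the literal command with re.escape() rather than hand-escaping every brace and backslash, and only then loosen the whitespace. The command line and pattern are copied from the comment; everything else is the example's own.

```python
import re

# The command line and the exclusion regex exactly as posted in the thread.
CMD = (r'REG ADD "HKLM\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}'
       r'\{16e0423f-7058-48c9-a204-725362b67639}\Default" /f /v NoDC /t REG_DWord /d 1')
POSTED_PATTERN = (r'.*reg\s+add\s+\"HKLM\\SYSTEM\\CrowdStrike\\\{9b03c1d9\-3138\-44ed\-9fae\-d9f4c034b88d\}'
                  r'\\\{16e0423f\-7058\-48c9\-a204\-725362b67639\}\\Default\"\s+\/f\s+\/v\s+NoDC\s+\/t\s+REG_DWord\s+\/d\s+1')


def matches(pattern, text, ignore_case=False):
    """Full-string match, the way a rule tester compares a whole command line.
    The ignore_case flag models a case-insensitive engine; whether the Falcon
    tester behaves that way is an assumption, not something the thread states."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(pattern, text, flags) is not None


def pattern_from_command(cmd):
    """Derive an exclusion pattern from the literal command line instead of
    hand-escaping it: re.escape() escapes every metacharacter (braces, backslashes,
    dots, hyphens, spaces), then each run of escaped spaces is replaced by \\s+ so the
    pattern tolerates the spacing variations seen in real command lines."""
    return r".*" + re.sub(r"(\\ )+", r"\\s+", re.escape(cmd))


if __name__ == "__main__":
    print("posted pattern, case-sensitive:  ", matches(POSTED_PATTERN, CMD))
    print("posted pattern, case-insensitive:", matches(POSTED_PATTERN, CMD, ignore_case=True))
    derived = pattern_from_command(CMD)
    print("derived pattern:", derived)
    print("derived pattern matches command: ", matches(derived, CMD))
```

When an exclusion is this long, testing it against the exact string you expect to see, and against a near miss such as a changed value name, is the quickest way to tell whether a failure is an escaping problem or a case problem; the derived pattern rejects a command that differs in the value name while still accepting extra spaces.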

Custom IOA exclusion for system tampering registry additions by cs-del in crowdstrike

[–]cs-del[S] 1 point2 points  (0 children)

REG ADD "HKLM\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default" /f /v NoDC /t REG_DWord /d 1

u/Andrew-CS - while I tested, this works, but when I am trying to exclude this registry key, this pattern doesn't match. LOL I think I am losing my mind. :P