Timelines are part of which Falcon page?
Investigate
Where can you find information about Detection and Prevention Policies?
In the Support page under Docs
A scheduled task being executed causes a detection. How is this revealed in the process tree?
The process tree begins with TASKENG.EXE
What are filters available in the drop down menu on the Detections page?
Command line, Status, Hash
Which detection type is NOT automated?
Falcon Overwatch
What are the different types of detections the Falcon Sensor uses?
Automated, Manual, Custom
ProcessRollup2 refers to a(n) ____ field
event_simpleName
Within the MITRE Framework, what would Gain Access -> Initial Access -> Drive-by Compromise mean?
The label reads Objective -> Tactic -> Technique: the adversary is trying to gain access (objective) through the Initial Access tactic, using the Drive-by Compromise technique.
Which of the following is an example of a MITRE ATT&CK technique
Process Injection
During your investigation of a detection, you discover that the triggering file was launched from TASKENG.EXE. What does this mean?
The triggering file is part of a scheduled task being executed.
Which search is not available as a pivot from a detection?
User search
What type of events are shown in a Process Timeline?
All cloud-able process-related events in a given timeframe
Which dashboard will show endpoints in RFM?
Executive Summary
How does a NetworkConnectIP4 event link to its responsible process?
Via its ContextProcessId_decimal field
What is an "Unmanaged Neighbor" found in Host search?
A local endpoint that does not have a sensor installed
What happens when a file is quarantined?
It is compressed, password protected, and moved to the Quarantine folder on the endpoint. It is also deleted after 30 days.
What does the "Objective" layer do as it relates to the MITRE ATT&CK Framework?
Groups related MITRE tactics together to make them easier to learn and remember.
What are the Objectives that exist in the Falcon UI?
Gain access, Keep access, Explore, Contact controlled systems, Follow through, Network-based effects
What MITRE tactics are covered by the Gain Access objective?
Initial Access, Credential Access, Privilege Escalation
What MITRE tactics are covered by the Keep access objective?
Persistence, Defense Evasion
What MITRE tactics are covered by the Explore objective?
Discovery, Lateral Movement
What MITRE tactics are covered by the Contact controlled systems objective?
Command and Control
What MITRE tactics are covered by the Follow through objective?
Collection, Exfiltration, Execution, Impact
What MITRE tactics are covered by the Network-based effects objective?
Network effects, Remote Service Effects
What does the "detection description" do as it relates to the MITRE ATT&CK Framework
Expands on the triggered technique/sub-technique by stating what triggered the detection, why it's a problem, and suggests how to start investigating.
What is the Falcon Detection Matrix (FDM)?
A matrix that describes detections which don't map directly to the MITRE ATT&CK matrix, but that Falcon is still able to detect and prevent. The FDM highlights behavior that CrowdStrike considers suspicious and malicious, therefore worthy of investigation.
What are the additional Tactics within the FDM
Malware, Exploit, Post-Exploit, Machine Learning, Falcon Overwatch, Falcon Intel, and Custom Intelligence
Define the "Malware" tactic of the FDM and name its sub-techniques
Broad category for all software intended to cause harm, and can be identified and prevented based on its hash or file. Includes: Known Hash, Destructive Malware, Malicious File, Adware, and PUP
Name the sub-techniques associated with the "Exploit" tactic of the FDM
Exploit Mitigation
Name the sub-techniques associated with the "Post-Exploit" tactic of the FDM
Malicious Tool Delivery, Malicious Tool Execution, Command-Line Interface
Define the "Machine Learning" tactic of the FDM and name its sub-techniques.
Detected by Falcon's next-gen antivirus/anti-malware solution, controlled by settings in Endpoint security -> Configure -> Prevention policies. Includes: Cloud-based ML, Sensor-based ML, Adware/PUP
Define the "Falcon Overwatch" tactic of the FDM and name its sub-techniques.
For OverWatch customers, our OverWatch team identified activity that they consider suspicious or malicious. These alerts are marked with a black falcon badge, and should always be investigated. Includes: Suspicious Activity, Malicious Activity, Malicious File.
Define the "Falcon Intel" tactic of the FDM and name its sub-techniques.
For Falcon Intelligence customers, indicates activity that matches known adversary behavior. Includes: Attributed to Adversary, Intelligence Indicator - Hash, Intelligence Indicator - Domain.
Define the "Custom Intelligence" tactic of the FDM and name its sub-techniques.
If the Query API is used to create a custom IOC, those detections are marked with this tactic. Includes: Indicator of Compromise, Indicator of Attack.
Name the sub-techniques associated with the "AI Powered IOA" tactic of the FDM
User Execution, Command and Scripting Interpreter, Reflective Code Loading, Malicious File
Explain what information the MITRE ATT&CK framework provides
Reflects the phase of an adversary's lifecycle, the platforms they are known to attack and specific methods they use. Used to understand an organization's security risk against a known adversary's behavior and help the organization plan for security improvement.
Explain what general information is on the Detections dashboard
Dashboards show counts, graphs, and trends about your Falcon environment, including detections, current CrowdScore, host info, actors and intelligence, etc. The Detections dashboard shows:
- New detections
- OverWatch info
- CrowdScore over time
- Recent detections with tactic, host, time, and a link to view them
- Detections by tactic over time
Explain what information is in the Activity > Detections page
CrowdScore shows the current threat level of the environment to help analysts focus. Incidents are made up of detections plus their related processes and connections, thread injections, and lateral movement.
Describe the different sources of detections within the Falcon platform
- Most detections are triggered based on the environment's prevention policy settings, which also control which detected activities are prevented if you have Falcon Prevent.
- CrowdStrike aligns with MITRE's Adversarial Tactics, Techniques, and Common Knowledge matrix to label detections.
Interpret the data contained in Host Search results
Available information:
- Name, MAC, AIP, host management items
- BIOS
- Detect history
- Unresolved detections
- Managed/unmanaged neighbors
- User logon activity
- Processes/Services
- Command line
- Suspicious file activity
- Registry, tasks, firewall
- Networking.
Demonstrate how to pivot from a detection to a Process Timeline
- Investigate > Timelines > Processes
- View all events associated with any user-specified process execution
- Filter by target process id or parent process id
- All cloud-able process-related events in a given timeframe
Explain what contextual event data is available in a detection
- Detection time
- Host name
- Username
- Action taken, severity, objective, tactic, technique, technique ID
- Grouping tags
- Process ID
- Command line
- Filepath
- Hash
- Global/local prevalence
- IOC management action
- Run period
- Duration
- File signature details and common name, and first seen time
- Quarantine file info
- User logon details - type, logon time, logon server, logon domain
- Host details - hostname, os, platform, host type OS, sensor version, host ID, local and public IP, mac address
- AV detections
- Network operations
- Disk operations
- DNS requests
- Registry operations
- Process operations
Explain how detection filtering and grouping might be used
1. Start on the Endpoint Detections page (Endpoint security > Monitor > Endpoint Detections)
2. Filter down to just the detections you want to see, either by using the popular filter fields displayed at the top or by using the "Type to filter" bar to search on the fields you want to filter on. You may add multiple filters.
3. Organize the filtered list with the "Grouped by" and "Sort by" dropdown menus to bulk investigate similar detections.
4. Detections can be grouped by: Host, Grouping Tags, Objective, Tactic, Technique, Technique ID, IOA Name, Severity, Hash, Command Line, Triggering File.
5. Detections can be sorted by: Newest Detect Time, Oldest Detect Time, Last Update
Explain when to use built-in OSINT tools
- When external OSINT tools do not provide enough/any information to determine if a detection is a TP/FP
- Utilizing tools such as IntelX, VT, Hybrid Analysis during the triage stage
Explain what Prevalence is as it relates to the binary hash of executables within detections
For every detection there is a Local and Global Prevalence:
- Unique: The only instance (or very nearly the only instance) of the hash being seen in the environment
- Common: Binary hash seen across multiple hosts, multiple times within the environment
- Low: Binary hash seen on a small number of hosts or customer environments.
Explain the difference between Global vs Local Prevalence
- Local Prevalence: Determines whether a binary is common amongst the current Falcon Environment (current CID)
- Global Prevalence: Determines whether a binary is common amongst all Falcon Environments (across all CIDs)
Explain what Full Detection Details will provide
- Can change process views
- Can select 'View as Process Tree', 'View as Process Table' or 'View as Process Activity' to see different representations of the activities that make up the detection
- Can assign detections and update the status of the detection
- Investigate and take action on a detection
- Connect to the host
- Network contain the host
- Add comments
- Access the message center
- View execution details (detect time, hostname, severity, etc.)
- View Machine Learning Exclusions
- View comments or log entries
- See file details: Signed (Y/N), First seen, SHA hash, Common name
- Quarantined files
- User details: Username, Logon type/time/server/domain
- Host details: Hostname, Platform, Host type, OS, Sensor version, Host ID/AID, IP, Local IP, MAC address
- Vulnerabilities on a host
- AV detections
- Related intel
- Network operations
- Disk operations
- DNS requests
- Registry operations
- Process operations
Explain how to get to Full Detection Details
Select the detection and click the full detection details button (the fork icon on the right of the detection row).
Explain the methodology for analyzing process relationships using the information contained in the Full Detection Details page
- Use the process tree to visualize which processes executed surrounding the detection
- Check execution details to understand the more granular details such as: Detect time, host, host type, username, severity, objective, tactic, technique id, IOA name, IOA description, Tags, PID, Command Line, File path, Run period
What type of data does the "View As Process Tree" view provide
The main process tree; shows the parent and child processes with expandable buttons. Clicking on each object on the tree reveals more details in the right pane.
What type of data does the "View As Process Table" view provide
Similar to the process tree but with more information on the screen at once; shows the file path, SHA hash, command line, user name, and start/end time for each entry without clicking.
What type of data does the "View As Process Activity" view provide
Very verbose output of every process action, such as event type, time, process name, and hash (ex: module load, network close, script written). The columns shown in the table are selectable.
Explain how to identify managed/unmanaged neighbors for an endpoint during a host search
On the Host search results page, scroll down to the Managed/Unmanaged Neighbors table. What kind of question is this
What is the purpose of assigning a detection to an analyst?
Primarily auditing purposes. It creates a paper trail of who worked a detection at what time, etc.
Describe what the different IOC Management actions (Block, Block and Hide Detection, Detect Only, No Action, Allow) do
- Block: Add indicator to blocklist and show detection
- Block and Hide Detection: Blocklist and hide it from detections, you can still see this activity in investigate.
- Detect Only: Show the indicator as a detection and take no further action
- No Action: Save the indicator for future use but take no action
- Allow: Allow the indicator and do not detect on it.
Explain the allowlisting and blocklisting
Allowlisting is the process of permitting a binary to run unhindered within a target environment. Blocklisting applies to ML detections and includes hash-based detections. It takes precedence over global allowlisting except in the case of critical system processes.
What is Hash Allowlisting? Name its use cases
Using the binary's hash to prevent machine learning detections from triggering on that specific file. Use cases are when the file is not anticipated to change; useful if the file is executing from different locations in the customer environment.
What are Machine Learning Exclusions? Name their use cases
Using a file path to reduce the ML detections and preventions the Falcon sensor takes, or to stop file uploads to the CS cloud. Use cases are when the file is consistently executing from the same file path and it is expected to change or vary (like in dev environments).
What are Sensor Visibility Exclusions? Name their use cases
Stops sensor collection for the configured paths; to be used with caution. Use case is to blind the sensor to the file path specified; only to be used if there is a significant performance issue and after discussing with a peer.
What are IOA Exclusions? Name their use cases
Permits executions based on the detection's pattern ID. Use cases are for any detection other than sensor/cloud ML and Adware/PUP algorithms; effective for LOLBIN-related detections.
Explain the effects of machine learning exclusion rules
- To be used on a trusted file path
- Minimal sensor data is collected at the path specified
- Glob syntax is used to define the path
- Can be applied to all hosts or a group of hosts
- Can only create one pattern at a time.
- MLEs can be created directly from a detection.
- Hash or domain/IP addresses can be created from IOC Management
Explain the effects of Sensor Visibility exclusions
- Stops all sensor event collection for the path
- Reserved for improving host performance
- Uses Glob syntax
- For best practice: Narrow your scope to a specific path. Do not specify them for built-in OS directories.
Explain the effects of IOA exclusions
- Detections and preventions triggered by custom IOA rules appear in the Activity app. They are distinguished by the Tactic and Technique of Custom Intelligence via Indicator of Attack.
- In the Execution Details of a custom IOA detection, the Custom IOA Rule field provides a link to the rule that triggered the detection.
- Four events associated with the 4 rule types:
  - CustomIOABasicProcessDetectionInfoEvent (Process Creation)
  - CustomIOAFileWrittenDetectionInfoEvent (File Creation)
  - CustomIOANetworkConnectionDetectionInfoEvent (Network Connection)
  - CustomIOADomainNameDetectionInfoEvent (Domain Name)
- As a detection, a custom IOA provides visibility into undesirable behaviors. With the addition of a Kill or Block action, a custom IOA can stop or prevent specific behavior.
- Individual custom IOA rules use a supported subset of regular expressions syntax to dictate what activity will trigger a custom IOA detection and whether or not the activity will also be blocked or killed.
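A worked illustration of how a process-creation custom IOA rule is evaluated, added here as study material rather than taken from Falcon: each rule pairs a regex on the image file name with a regex on the command line and an action (Detect or Kill process). The rule class, the two sample rules and the sample ProcessRollup2 events are this example's own assumptions, and Python's `re` accepts more syntax than the supported subset the Falcon rule editor allows, so a pattern that works here still has to be validated in the UI.

```python
"""Evaluate custom IOA-style process-creation rules against constructed
ProcessRollup2 events. Added example for this study set; not CrowdStrike code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CustomIoaRule:
    name: str
    image_filename: str   # regex applied to ImageFileName (full path)
    command_line: str     # regex applied to CommandLine
    action: str           # "Detect" or "Kill process"

    def matches(self, event: dict) -> bool:
        """A process-creation rule only looks at ProcessRollup2 events, and
        both regexes must match (case-insensitive) for the rule to fire."""
        if event.get("event_simpleName") != "ProcessRollup2":
            return False
        return (re.search(self.image_filename, event["ImageFileName"], re.I) is not None
                and re.search(self.command_line, event["CommandLine"], re.I) is not None)


# Hypothetical rules; names, patterns and actions are this example's assumptions.
RULES = [
    CustomIoaRule(
        name="Encoded PowerShell command",
        image_filename=r"\\powershell\.exe$",
        command_line=r"-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}",
        action="Kill process",
    ),
    CustomIoaRule(
        name="Scheduled task creation via schtasks",
        image_filename=r"\\schtasks\.exe$",
        command_line=r"/create\b",
        action="Detect",
    ),
]

# Constructed sample events (not real telemetry); only the fields used are present.
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "TargetProcessId_decimal": 101,
     "ImageFileName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"event_simpleName": "ProcessRollup2", "TargetProcessId_decimal": 102,
     "ImageFileName": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks /create /tn Updater /tr C:\\Users\\Public\\u.exe /sc minute"},
    {"event_simpleName": "ProcessRollup2", "TargetProcessId_decimal": 103,
     "ImageFileName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
    {"event_simpleName": "DnsRequest", "ContextProcessId_decimal": 101,
     "DomainName": "example.net"},
]


def evaluate(events, rules=RULES):
    """Return one hit per (rule, event) pair with the fields an analyst would
    see in Execution Details: rule name, action, TargetProcessId, command line."""
    hits = []
    for ev in events:
        for rule in rules:
            if rule.matches(ev):
                hits.append({"rule": rule.name, "action": rule.action,
                             "TargetProcessId_decimal": ev["TargetProcessId_decimal"],
                             "CommandLine": ev["CommandLine"]})
    return hits


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"{hit['action']:<13} {hit['rule']:<40} tpid={hit['TargetProcessId_decimal']}")
```

The third event (a PowerShell script run by file path, with no encoded command) produces no hit, which is the usual way to sanity-check a rule before assigning it a Kill action: run the patterns over known-good command lines from the environment first.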
State the retention period for quarantined files and what happens when a file is quarantined
- 30 days on the host, 90 days in the CS cloud if uploaded.
- It is compressed, password protected, moved to quarantine folder on the endpoint. It is then deleted after 30 days.
- Path on Windows: \Windows\System32\Drivers\CrowdStrike\Quarantine
- Path on Mac: /Library/Application Support/CrowdStrike/Falcon/Quarantine
Describe what happens when a file is released from quarantine
- It is added back to the same location on the host.
- It will allowlist the file to run only on the host where it is released.
- It can be re-quarantined, but you will not be able to re-release it after.
How do you download a quarantined file?
From the quarantined file page, it is downloaded as a zip file protected with the password "infected"
Based on a detection, determine which investigate tools, e.g., host, hash, etc., to use based on best practices
- Whenever possible we start with a hash search; if that is not available, we pivot on other IOCs/IOAs such as IP addresses or domains reached out to, or use dynamic/static analysis.
Describe how to perform an event search from a detection and refine a search using event actions
- From detection click on the spyglass > event search
- Refine by using filters accepted by splunk.
Explain what event actions do
Event actions enable the use of Event Workflows, which are automated searches used to pivot between related events and searches. Every event has a workflow. Workflows let you quickly run pre-made queries on search results, meaning you can run searches without writing any Splunk queries.
Name some examples of event actions
Connect to host, Draw PREX, Pivot-Host Search, View Process Explorer for the Responsible Process, +/- 10 minute window search, etc.
Define the DnsRequest event type
A process issued a DNS request
Define the NetworkConnectIP4 event type
A process established a network connection
Define the NetworkListenIP4 event type
A process started listening on a network port (an IPv4 listen socket)
Define the PeFileWritten event type
A process wrote a PE file to disk
Define the ProcessBlocked event type
Process creation was blocked by the sensor
Define the ProcessRollup2 event type
A new process was created
What is the Timestamp field on events?
Timestamp when the event was received by the CrowdStrike cloud
What is a Host Timeline? How do you access it?
All cloud-able events for a given host. Accessed via Investigate -> Timelines -> Hosts
How do you access the User search? What information does it show?
Investigate -> Timelines -> Users. Contains detection information related to the user, logon activity, process executions, admin tool usage, and files written by them.
What does a Process Timeline allow you to view?
Allows you to view all relevant events associated with any user-specified process execution
What filters exist for a Process Timeline?
- AID
- Target Process ID
- Parent Process ID
- Event Types
- Company
- Time Range
What data is provided when a search is conducted through the Process Timeline?
- Host info: Contains Host attributes pulled from relevant events.
- Process Info: Contains relevant data towards the File Executables that generated Processes (Time (UTC), FileName, FilePath, CommandLine, SHA256).
- Process Timeline: A visual timeline of the types of processes that executed
- Event Details: Contains 'Process Info' in addition to Process IDs (Parent, Target, Process, Local)
What information is needed to produce a process timeline?
AID, Target Process ID, Parent Process ID.
What does the the Host Timeline do?
Shows all relevant events for a specific computer
What filters exist for Host Timelines?
- Host Name
- AID
- Event Types
- Company
- Time Range
What information is provided by the Host Timeline?
- Host info: Contains host attributes pulled from relevant events
- Timeline: Contains relevant event details towards Files Loaded/Executed on the selected Host.
Describe the "TargetProcessId_decimal" field
Every ProcessRollup2 event contains this field. It is generated internally by the sensor and will be unique for every instance of a process.
Describe the "ContextProcessId_decimal" field
Non-process events (for example NetworkConnectIP4, DnsRequest, PeFileWritten) carry this field. It matches the TargetProcessId_decimal of the ProcessRollup2 event for the process responsible for the activity, which is how an event is tied back to its process.
Describe the "ParentProcessId_decimal" field.
For every new process that is generated on a host, a new ProcessRollup2 event is generated. When one process spawns another process, the new event will contain a field called "ParentProcessId_decimal". The "ParentProcessId_decimal" of the child PR2 will match the TargetProcessId_decimal of the parent PR2.
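Putting the three fields together, here is an added example (study material, not CrowdStrike code) that rebuilds a process tree and its per-process activity from raw events, the same way the Process Tree view and the "responsible process" pivot do. The events are constructed to look like ProcessRollup2, DnsRequest, NetworkConnectIP4 and PeFileWritten records with only the fields the example needs, the `aid` value is made up, and the scheduled-task chain (taskeng.exe spawning PowerShell) mirrors the TASKENG.EXE card above. Note that TargetProcessId_decimal is the sensor's unique per-instance ID, not the OS PID, so it is safe to use as a key even when PIDs are reused.

```python
"""Rebuild a process tree from ProcessRollup2 / context events using
TargetProcessId, ParentProcessId and ContextProcessId. Added example for this
study set; the telemetry below is constructed, not captured."""
from collections import defaultdict

# Constructed sample telemetry for one host (aid is a made-up value).
EVENTS = [
    {"event_simpleName": "ProcessRollup2", "aid": "abc123", "TargetProcessId_decimal": 1000,
     "ParentProcessId_decimal": 900, "FileName": "taskeng.exe",
     "CommandLine": "taskeng.exe {GUID} S-1-5-18:NT AUTHORITY\\System:Service:"},
    {"event_simpleName": "ProcessRollup2", "aid": "abc123", "TargetProcessId_decimal": 1001,
     "ParentProcessId_decimal": 1000, "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"event_simpleName": "ProcessRollup2", "aid": "abc123", "TargetProcessId_decimal": 1002,
     "ParentProcessId_decimal": 1001, "FileName": "update.exe",
     "CommandLine": "C:\\Users\\Public\\update.exe"},
    {"event_simpleName": "DnsRequest", "aid": "abc123", "ContextProcessId_decimal": 1001,
     "DomainName": "cdn.example.net"},
    {"event_simpleName": "NetworkConnectIP4", "aid": "abc123", "ContextProcessId_decimal": 1001,
     "RemoteAddressIP4": "203.0.113.10", "RemotePort": 443},
    {"event_simpleName": "PeFileWritten", "aid": "abc123", "ContextProcessId_decimal": 1001,
     "TargetFileName": "C:\\Users\\Public\\update.exe"},
]


def index_events(events):
    """Index ProcessRollup2 events by TargetProcessId, record parent->child
    links via ParentProcessId, and attach every other event to the process
    whose TargetProcessId equals the event's ContextProcessId."""
    procs, children, activity = {}, defaultdict(list), defaultdict(list)
    for ev in events:
        if ev["event_simpleName"] == "ProcessRollup2":
            procs[ev["TargetProcessId_decimal"]] = ev
            children[ev["ParentProcessId_decimal"]].append(ev["TargetProcessId_decimal"])
        else:
            activity[ev["ContextProcessId_decimal"]].append(ev)
    return procs, children, activity


def ancestry(procs, tpid):
    """Walk ParentProcessId -> TargetProcessId links up to the root. A parent
    with no ProcessRollup2 in the search window (e.g. started before the
    time range) ends the walk, which is why a tree can start at taskeng.exe."""
    chain = []
    while tpid in procs:
        chain.append(procs[tpid]["FileName"])
        tpid = procs[tpid]["ParentProcessId_decimal"]
    return list(reversed(chain))


def responsible_process(procs, event):
    """The 'responsible process' pivot: ContextProcessId -> ProcessRollup2."""
    return procs.get(event["ContextProcessId_decimal"])


def roots(procs):
    """Processes whose parent has no ProcessRollup2 in the window."""
    return [tpid for tpid, p in procs.items() if p["ParentProcessId_decimal"] not in procs]


def render_tree(procs, children, activity, tpid, depth=0):
    """Lines shaped like the Process Tree view: process, its activity, then children."""
    p = procs[tpid]
    lines = ["  " * depth + f"{p['FileName']} (tpid {tpid})"]
    for ev in activity[tpid]:
        detail = ev.get("DomainName") or ev.get("RemoteAddressIP4") or ev.get("TargetFileName")
        lines.append("  " * (depth + 1) + f"- {ev['event_simpleName']}: {detail}")
    for child in children[tpid]:
        lines.extend(render_tree(procs, children, activity, child, depth + 1))
    return lines


if __name__ == "__main__":
    procs, children, activity = index_events(EVENTS)
    for root in roots(procs):
        print("\n".join(render_tree(procs, children, activity, root)))
```

Filtering the same data to one TargetProcessId (or one ParentProcessId) is exactly what the Process Timeline's target/parent filters do; `ancestry` shows why the triggering file's chain ends at taskeng.exe when the scheduler's own parent falls outside the window.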
How would you retrieve the information required to generate a Process Timeline?
Go to EAM to get the process ID and the AID/hostname
Describe how you would generate a PREX from an event in Event Search.
Event actions > click "Draw Process Explorer"
What options exist to export process data from Falcon for further review within the Full Detection Details page?
- On process tree view you can export a .PNG of the tree
- On process table view you can export the table in csv or json
- In process activity you can export all of the data in csv or json format
- You can copy the detection details from the top right
Explain what information is in the Detection Activity Report and where to locate it within the Falcon UI.
- Investigate -> Hunt: Detection Activity
FILL IN SINCE STUDY GUIDE SUCKS
Describe what information is in the Executive Summary Dashboard
- Active/total/average number of sensors
- Sensors by OS
- Sensors that have been inactive for more than 14 days
- POD sensors
- Inactive POD sensors
- Workstations, Servers, DCs, and mobile hosts
- Sensors with duplicate AIDs
- Windows, Mac, and Linux sensors in RFM
- Detections by objective, tactic, and severity
- Top 10 hosts/users/files with most detections
Describe what information is in the detection resolution Dashboard
- Detections by current status
- True positive, unresolved, false positive/ignored grouped by objective/tactic/severity
- Detection resolution activities by Falcon user.
- Top 100 detections resolution.
What is User Search used for? What information does it provide?
It is used to search for user activity across all hosts in the environment. The results are automatically filtered of common SIDs and user sessions that are not interactive or service accounts. Searchable user activity includes: Logon activities and detection history for 30 days, unresolved detects for the last 7 days, process executions, admin tool usage, and files written.
What information does an IP search provide?
- IP search summary: Source IP, Destination IP, External IP, Hostname, Number of hosts, First connection date, Last connection
- Host info: Source IP, MAC, Hostname, Last seen, Device type, Version, Agent version, Manufacturer, Model, OU, Domain, Site name, Country, Time zone
- Processes that connected to specified IPs: Time, Source IP, Destination IP, Hostname, Username, Parent process ID, PID, Process ID, Filename, Hash
What information does a Hash Execution Search provide?
- Hosts that loaded/executed the hash: MD5 value, Hostname, Filename, Count, First seen date, Last seen date, AID, Contain host pivot
- Module load/execution history: Filename, MD5, Count, Number of hosts, First seen on, First seen date, Last seen on, Last seen date
When should you use a Hash search?
To search for events by hash across all hosts in your environment.
What kinds of file types work best for a hash search?
Binary files such as executables and DLLs.