MD5 Hash algorithm for Crowdstrike
Closed this issue · 3 comments
MD5 is only calculated on some events. I can see the following fields containing MD5 hashes:
- behaviors{}.md5
- behaviors{}.parent_details.parent_md5
- event.MD5String
- (event streams logs) properties.MD5HashData
- (vertex_type=module)
It's a little part of the detections, but it is partially logged.
For the behaviors{} detections, for example, I can see the following behaviors detected with MD5 hashes:
- A file appears to be imitating a standard OS or otherwise benign filename and/or launched from an unusual location. This might be to masquerade malware. Review the file.
- A file classified as Adware/PUP based on its SHA256 hash was written to the file-system.
- A file written to the file-system meets the File Analysis ML algorithm's high-confidence threshold for malware.
- A file written to the file-system meets the File Analysis ML algorithm's low-confidence threshold for malware.
- A file written to the file-system meets the File Analysis ML algorithm's lowest-confidence threshold for malware.
- A file written to the file-system meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.
- A file written to the file-system meets the machine learning-based on-sensor AV protection's medium confidence threshold for malicious files.
- A file written to the file-system surpassed a high-confidence adware detection threshold.
- A file written to the file-system surpassed a low-confidence adware detection threshold.
- A file written to the file-system surpassed a lowest-confidence adware detection threshold.
- A file written to the file-system surpassed a medium-confidence adware detection threshold.
- A module was loaded from an unusual path or with an unusual file name. Review the DLLs loaded by the process.
- A process appears to be tampering with the Falcon sensor configuration. If this is unexpected, it might be an adversary trying to disable the Falcon sensor. Review the process tree.
- A process associated with a known ransomware campaign launched. Investigate the host for signs of a ransomware attack.
- A process attempted to delete a Volume Shadow Snapshot.
- A process attempted to hide a Volume Shadow Snapshot.
- A process attempted to modify Falcon sensor auxiliary driver files. This is indicative of an attempt to tamper with Falcon sensor. Investigate the file system operation and process tree.
- A process attempted to modify Falcon sensor core driver files. This is indicative of an attempt to tamper with Falcon sensor. Investigate the file system operation and process tree.
- A process attempted to modify Falcon sensor installer related files. This is indicative of an attempt to tamper with Falcon sensor. Investigate the file system operation and process tree.
- A process attempted to modify Falcon sensor related service binaries. This is indicative of an attempt to tamper with Falcon sensor. Investigate the file system operation and process tree.
- A process attempted to modify a Falcon sensor folder. This is indicative of an attempt to tamper with Falcon sensor. Investigate the file system operation and process tree.
- A process attempted to modify a registry key or value used by Falcon sensor. This is indicative of an attempt to tamper with Falcon sensor. Investigate the registry operation and process tree.
- A process attempted to modify files used for Falcon sensor dynamic configuration. This is indicative of an attempt to tamper with Falcon sensor. Investigate the file system operation and process tree.
- A process attempted to modify injected libraries used by Falcon sensor. This is indicative of an attempt to tamper with Falcon sensor. Investigate the file system operation and process tree.
- A process attempted to uninstall the Falcon sensor in an unusual way. If this is unexpected, it might be an adversary trying to disable the Falcon sensor. Review the process tree.
- A process gathered information about the operating system or hardware. Adversaries can use this to identify system vulnerabilities. Review the process tree.
- A process launched that shares characteristics with mimikatz, a password dumping utility. mimikatz's primary purpose is to steal passwords. If credentials were dumped, change your passwords and investigate the process tree.
- A process loaded a module associated with known malware. Malware might have hijacked a benign process and loaded the malicious module to evade detection. Review the DLLs the process loaded.
- A process loaded a module that shares characteristics with a known malicious file. Review the modules loaded by the process.
- A process monitored keystrokes using the SetWindowsHook API. Adversaries often use this to intercept passwords and other sensitive information. Review the process tree.
- A script launched from a location associated with a remote administration tool (RAT). RATs often blend in with other benign applications and might be used by adversaries to remotely control the host. Review the script.
- A suspicious process appears to be issuing commands indicative of VM or Sandbox checks. If this activity is unexpected, review the process tree.
- A suspicious process launched that might be related to a malicious file. If this activity is unexpected, review the file.
- An IP Address matched a Custom Intelligence Indicator (Custom IOC) with critical severity.
- An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.
- An unexpected process ran svchost.exe. Adversaries can masquerade malware as a system process to evade detection. Review the executable.
- An unusual process accessed lsass. This might indicate an attempt to dump credentials. Investigate the process tree.
- Detected and blocked a heap spray attempt, which was likely part of an attempted exploit.
- Mshta attempted to launch a likely malicious payload from a remote path. Review the command line.
- Rundll32 has likely been abused by malware to launch a malicious payload. While the rundll32 process is benign, the DLL file it's loading is likely malicious. Review the file loaded by rundll32.
- This file is classified as Adware/PUP based on its SHA256 hash.
- This file meets the Adware/PUP Anti-malware ML algorithm's low-confidence threshold.
- This file meets the Adware/PUP Anti-malware ML algorithm's lowest-confidence threshold.
- This file meets the Adware/PUP algorithm's high-confidence threshold.
- This file meets the Adware/PUP algorithm's lowest-confidence threshold.
- This file meets the Behavioral Analysis ML algorithm's lowest-confidence threshold for malware. It might be malicious and/or part of an adversary's toolkit. Review the file.
- This file meets the File Analysis ML algorithm's high-confidence threshold for malware.
- This file meets the File Analysis ML algorithm's lowest-confidence threshold for malware.
- This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.
- This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.
- This file meets the machine learning-based on-sensor AV protection's lowest-confidence threshold for malicious files.
- This file meets the machine learning-based on-sensor AV protection's medium confidence threshold for malicious files.
- This file written to disk meets the Behavioral Analysis ML algorithm's lowest-confidence threshold for malware. It might be malicious and/or part of an adversary's toolkit. Review the file.
- Your IOC management action for this SHA256 hash is set to detect and/or block.
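An added example (not code from the issue or the project) that normalises the MD5 field paths listed above into a single list of validated lookup keys, so empty or malformed values never reach an indicator match. The sample records are constructed; treating `behaviors{}` as a list of behavior objects is an assumption based on the notation in the comment.

```python
import re
from typing import Any, Dict, Iterator, List, Tuple

# CrowdStrike field paths from the issue that can carry an MD5.
# 'behaviors[]' is assumed to be a list of behavior objects.
MD5_FIELD_PATHS = [
    "behaviors[].md5",
    "behaviors[].parent_details.parent_md5",
    "event.MD5String",
    "properties.MD5HashData",   # event streams logs
]

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def _walk(obj: Any, parts: List[str]) -> Iterator[Any]:
    """Yield every value reachable via a dotted path; '[]' expands a list."""
    if not parts:
        yield obj
        return
    head, rest = parts[0], parts[1:]
    if head.endswith("[]"):
        items = obj.get(head[:-2]) if isinstance(obj, dict) else None
        for item in items if isinstance(items, list) else []:
            yield from _walk(item, rest)
    elif isinstance(obj, dict) and head in obj:
        yield from _walk(obj[head], rest)


def extract_md5s(event: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (field_path, md5) pairs for every well-formed MD5 in the record.
    Empty strings and non-hex values (sensor did not compute the hash) are skipped."""
    found = []
    for path in MD5_FIELD_PATHS:
        for value in _walk(event, path.split(".")):
            if isinstance(value, str) and MD5_RE.match(value):
                found.append((path, value.lower()))
    return found


# Constructed sample records (not real CrowdStrike data): one behavior with a
# file and parent hash, one with an empty md5, plus an event-stream style record.
SAMPLE_DETECTION = {"behaviors": [
    {"md5": "D41D8CD98F00B204E9800998ECF8427E",
     "parent_details": {"parent_md5": "9e107d9d372bb6826bd81d3542a419d6"}},
    {"md5": "", "parent_details": {"parent_md5": "not-a-hash"}},
]}
SAMPLE_STREAM = {"properties": {"MD5HashData": "098f6bcd4621d373cade4e832627b4f6"}}

if __name__ == "__main__":
    for path, md5 in extract_md5s(SAMPLE_DETECTION) + extract_md5s(SAMPLE_STREAM):
        print(f"{path}: {md5}")
```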
Hey @mthcht aren't some behaviors relying on a 'detection' to fire? Would they fit 'raw telemetry' concept?
I guess the main target event categories here are Process Activity and File Manipulation.
They do not rely on a CrowdStrike alert to be triggered; it's raw telemetry. I see it is mentioned here also for other events #14 (should close this issue).