CrowdStrike: Random searches from my work
The `ProcessRollup2` event in CrowdStrike is one of the key telemetry events that provides detailed information about processes executed on an endpoint. This event belongs to the Process Execution data stream and is vital for detecting, investigating, and responding to potential threats or unusual behavior on endpoints.
Overview of ProcessRollup2
Purpose:
The `ProcessRollup2` event is primarily used to provide information about process execution details. It enables security analysts to track which processes are being started, their relationships to other processes, and metadata about those processes.
Key Use Cases:
Threat Hunting: Identifying unusual or suspicious process activities.
Incident Response: Tracing back the chain of events during an investigation.
Forensic Analysis: Understanding how a specific threat propagated across the system.
Key Data Fields in ProcessRollup2
Below are some of the most important fields you will encounter in a `ProcessRollup2` event:
| Field Name | Description |
| --- | --- |
| `event_simpleName` | Indicates the event type; for this event it will be `ProcessRollup2`. |
| `aid` | The unique identifier for the agent running on the endpoint where the event occurred. |
| `timestamp` | The exact time the process execution was observed. |
| `parent_process_id` | ID of the parent process that spawned the current process, allowing for process lineage tracking. |
| `process_id` | Unique identifier of the process being executed. |
| `image_file_name` | Name of the executable file (e.g., `cmd.exe`, `powershell.exe`). |
| `command_line` | Full command line string used to invoke the process, useful for detecting malicious parameters. |
| `user_name` | User context under which the process was executed. |
| `hash` | Cryptographic hash (SHA256, MD5, etc.) of the executed file, aiding in binary identification. |
| `process_start_time` | Time at which the process was started. |
| `process_end_time` | Time at which the process ended (if available). |
| `exec_policy` | Execution policy, indicating whether the process execution adhered to pre-configured security policies. |
| `network_activity` | Information about network connections made by the process, if applicable. |
Understanding the Process Flow
Hierarchy of Processes:
Each process has a parent-child relationship. By using the `parent_process_id` and `process_id` fields, you can visualize the process tree. Example: `explorer.exe` spawns `cmd.exe`, which then launches `powershell.exe`.
Command Line Analysis:
Analyze the `command_line` field for:
Suspicious arguments (e.g., obfuscated PowerShell commands).
Known indicators of compromise (IoCs) such as encoded scripts or direct connections to external servers.
Binary Identification:
Use the `hash` field to:
Compare against known-good or known-malicious file hashes.
Validate file integrity and check for tampering.
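The three checks above (lineage via `parent_process_id`/`process_id`, command-line inspection, and hash comparison) applied to exported `ProcessRollup2` records, as an added example that is not CrowdStrike's code or part of the original page. The records, the hash values and the denylist are constructed to mirror the field names in the table; the encoded-command check goes slightly beyond the text by also accepting the abbreviated switches `powershell.exe` itself accepts (`-e`, `-ec`, `-enc`, ...), not only the literal `-EncodedCommand`.

```python
from collections import defaultdict

# Constructed ProcessRollup2-style records using the field names from the table above.
# Hash values are placeholders, not real file hashes; the base64 argument is a dummy token.
EVENTS = [
    {"aid": "host-A", "process_id": 100, "parent_process_id": 1,
     "image_file_name": r"C:\Windows\explorer.exe",
     "command_line": "explorer.exe", "hash": "HASH_PLACEHOLDER_1", "user_name": "alice"},
    {"aid": "host-A", "process_id": 200, "parent_process_id": 100,
     "image_file_name": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c start", "hash": "HASH_PLACEHOLDER_2", "user_name": "alice"},
    {"aid": "host-A", "process_id": 300, "parent_process_id": 200,
     "image_file_name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -EncodedCommand BASE64PLACEHOLDER",
     "hash": "HASH_PLACEHOLDER_3", "user_name": "alice"},
]

# Constructed denylist standing in for a known-malicious hash list.
KNOWN_BAD_HASHES = {"HASH_PLACEHOLDER_3"}


def basename(path):
    """Reduce a Windows or POSIX path to its lowercase file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def build_tree(events):
    """Index events by (aid, process_id) and map each parent key to its children."""
    by_key = {(e["aid"], e["process_id"]): e for e in events}
    children = defaultdict(list)
    for e in events:
        children[(e["aid"], e["parent_process_id"])].append(e)
    return by_key, children


def lineage(events, aid, pid):
    """Return the ancestor chain of a process, root first, as image basenames.
    Stops when the parent is not in the export (or on a cycle)."""
    by_key, _ = build_tree(events)
    chain, seen = [], set()
    key = (aid, pid)
    while key in by_key and key not in seen:
        seen.add(key)
        e = by_key[key]
        chain.append(basename(e["image_file_name"]))
        key = (aid, e["parent_process_id"])
    return list(reversed(chain))


def has_encoded_command(command_line):
    """True when the command line carries -EncodedCommand or any prefix of it
    (-e, -ec, -enc, ...), which powershell.exe resolves to the same switch."""
    for tok in command_line.split():
        if tok[:1] in "-/" and len(tok) > 1:
            name = tok.lstrip("-/").lower()
            if name and "encodedcommand".startswith(name):
                return True
    return False


def triage(events, known_bad):
    """Return findings as (aid, process_id, reason, lineage_string) tuples."""
    findings = []
    for e in events:
        reasons = []
        if has_encoded_command(e["command_line"]):
            reasons.append("encoded PowerShell command")
        if e["hash"] in known_bad:
            reasons.append("hash on denylist")
        chain = " -> ".join(lineage(events, e["aid"], e["process_id"]))
        for reason in reasons:
            findings.append((e["aid"], e["process_id"], reason, chain))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS, KNOWN_BAD_HASHES):
        print(finding)
```

Lineage is keyed on `(aid, process_id)` rather than `process_id` alone because process IDs are only unique per host and are reused over time; on a large export you would also want to bound the lookup by `process_start_time`.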
Example 1: Retrieve All ProcessRollup2 Events from the Last 24 Hours
Goal:
Find all `ProcessRollup2` events within the last 24 hours.
FQL Query:
Explanation:
`event_simpleName:ProcessRollup2`: filters for events of type `ProcessRollup2`.
`@timestamp:>now-24h`: filters for events that occurred in the last 24 hours.
Example 2: Detect Encoded PowerShell Commands
Goal:
Identify processes where PowerShell was executed with encoded commands.
FQL Query:
Explanation:
`image_file_name:"powershell.exe"`: searches for PowerShell executions.
`command_line:*EncodedCommand*`: matches processes with the term `EncodedCommand` in the command line, indicating possible obfuscation.
Example 3: Find Processes Spawned by a Specific Parent Process
Goal:
Search for processes spawned by `explorer.exe`.
FQL Query:
Explanation:
`parent_image_file_name:"explorer.exe"`: focuses on processes that have `explorer.exe` as the parent.
Example 4: Detect Rare Processes in the Environment
Goal:
Identify processes that are executed fewer than five times in the environment.
Approach:
Falcon’s search engine doesn’t provide direct aggregation in FQL, but this can be achieved by exporting the data for further analysis or by visualizing it in Falcon dashboards.
FQL Query:
Steps:
Export the results.
Use tools like Excel, Python, or a SIEM to group and count occurrences of `image_file_name`.
Example 5: Search for Known Malicious Hashes
Goal:
Locate specific hashes of processes executed in the environment.
FQL Query:
Explanation:
`hash:"d41d8cd98f00b204e9800998ecf8427e"`: matches the specific hash of a binary.
Example 6: Correlate Process Execution with Network Connections
Goal:
Find processes that initiated external network connections.
While FQL doesn’t support direct joins between events, you can query separately for network events (`NetworkConnection`) and process events (`ProcessRollup2`) and analyze the correlation yourself.
Process Query:
Network Query:
Steps:
Match results on the `aid` (Agent ID) and timestamps.
Correlate the findings in an external tool or script.
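The external correlation script the steps above describe, as an added example that is not CrowdStrike's code or part of the original page. Both exports are constructed; the `NetworkConnection` field names `remote_address` and `remote_port` are assumed (the page does not list that event's fields), `203.0.113.10` is a documentation-range address, and the 60-second attribution window is an assumption to tune per environment. A connection is attributed to every process on the same `aid` whose `process_start_time` falls within the window before the connection.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed correlation window: a connection is attributed to a process that
# started no more than this long before it.
WINDOW = timedelta(seconds=60)


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the exports into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed ProcessRollup2 export (field names from the table above).
PROCESS_EVENTS = [
    {"aid": "host-A", "process_id": 300, "image_file_name": "powershell.exe",
     "process_start_time": "2024-12-01T12:00:00Z"},
    {"aid": "host-A", "process_id": 200, "image_file_name": "cmd.exe",
     "process_start_time": "2024-12-01T11:50:00Z"},
]

# Constructed NetworkConnection export; remote_address/remote_port are assumed names.
NETWORK_EVENTS = [
    {"aid": "host-A", "timestamp": "2024-12-01T12:00:30Z",
     "remote_address": "203.0.113.10", "remote_port": 443},
    {"aid": "host-A", "timestamp": "2024-12-01T12:05:00Z",
     "remote_address": "203.0.113.10", "remote_port": 443},
    {"aid": "host-B", "timestamp": "2024-12-01T12:00:30Z",
     "remote_address": "203.0.113.20", "remote_port": 80},
]


def correlate(process_events, network_events, window=WINDOW):
    """Join the two exports on aid and time.

    Returns (aid, image_file_name, remote_address, remote_port) for each
    network event and each process on the same host that started within
    `window` before the connection was observed."""
    by_aid = defaultdict(list)
    for p in process_events:
        by_aid[p["aid"]].append(p)

    matches = []
    for n in network_events:
        n_ts = parse_ts(n["timestamp"])
        for p in by_aid.get(n["aid"], []):
            p_ts = parse_ts(p["process_start_time"])
            if p_ts <= n_ts <= p_ts + window:
                matches.append((n["aid"], p["image_file_name"],
                                n["remote_address"], n["remote_port"]))
    return matches


if __name__ == "__main__":
    for match in correlate(PROCESS_EVENTS, NETWORK_EVENTS):
        print(match)
```

Because the join is only on host and time, a busy host will produce several candidate processes per connection; narrowing by `process_end_time` (when available) and by the process identifier the network event carries in your export is the first refinement to make.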
Example 7: Identify Processes Run by Non-Admin Users
Goal:
Locate processes executed by non-administrative users.
FQL Query:
Explanation:
`NOT user_name:"Administrator"`: excludes processes executed by the Administrator account.
`NOT user_name:"SYSTEM"`: excludes processes executed under the SYSTEM account.
Note that this excludes only those two account names; other members of the local Administrators group still appear in the results.
General Notes on Falcon Query Language (FQL)
Boolean Operators: Use `AND`, `OR`, `NOT` to combine conditions.
Wildcards: Use `*` for partial matches in strings (e.g., `image_file_name:*powershell*`).
Timestamp Filters: Use relative time (e.g., `now-24h`, `now-7d`) or absolute timestamps (e.g., `2024-12-01T00:00:00Z`).
Event Filtering: The `event_simpleName` field is essential for filtering specific event types such as `ProcessRollup2`.