Quick Navigation
MITRE ATT&CK Framework FundamentalsCrowdStrike Adversary Naming ConventionsCQL Syntax — Core Query PatternsCQL Event Types (event_simpleName)CQL Process Relationship FieldsCQL Timestamps and FormattingDetection Analysis WorkflowInvestigate Module — Search TypesReports and Reference DocumentationHunting MethodologyHunting Analytics — Behavioral ContextKey Platform Concepts for Hunters
MITRE ATT&CK Framework Fundamentals
- ATT&CK Tactic
- Represents the adversary's strategic GOAL — the WHY behind an action (e.g., Initial Access, Execution, Persistence, Lateral Movement, Exfiltration).
- ATT&CK Technique
- Represents HOW the adversary achieves a tactic — the specific method used (e.g., Spearphishing Link under Initial Access, PowerShell under Execution).
- ATT&CK Sub-technique
- A more specific variant of a technique, denoted with a dot suffix (e.g., T1059.001 = PowerShell is a sub-technique of T1059 Command and Scripting Interpreter).
- TTP (Tactic, Technique, Procedure)
- Procedure is the specific real-world implementation of a technique by a particular adversary group — the most granular level of ATT&CK.
- ATT&CK Matrix
- A grid where columns are Tactics (the goals) and cells within each column are Techniques (the methods). Adversaries can use techniques from any tactic in any order.
- Cyber Kill Chain vs ATT&CK
- Kill chain is LINEAR and sequential (7 phases). ATT&CK is a MATRIX where adversaries can combine techniques from any tactic at any time — they are not interchangeable models.
- Kill Chain Phases
- Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command and Control → Actions on Objectives (7 sequential phases).
CrowdStrike Adversary Naming Conventions
- BEAR
- Russian state-sponsored adversaries (e.g., FANCY BEAR, COZY BEAR). Nation-state actors with intelligence and disruption objectives.
- PANDA
- Chinese state-sponsored adversaries (e.g., GOBLIN PANDA, WICKED PANDA). Nation-state actors focused on espionage and IP theft.
- KITTEN
- Iranian state-sponsored adversaries (e.g., CHARMING KITTEN, PIONEER KITTEN). Nation-state actors with espionage and disruptive goals.
- SPIDER
- Financially motivated cybercriminal (eCrime) groups (e.g., CARBON SPIDER, VENOM SPIDER). NOT nation-state actors.
- CHOLLIMA
- North Korean state-sponsored adversaries (e.g., LABYRINTH CHOLLIMA). Associated with financially motivated state-directed operations.
- JACKAL
- Hacktivist adversaries. Motivated by ideology, not financial gain or state direction.
- LEOPARD / WOLF
- LEOPARD = Pakistan-linked adversaries. WOLF = Turkey-linked adversaries. Animal suffix always indicates motivation and origin.
CQL Syntax — Core Query Patterns
- #event_simpleName=ProcessRollup2
- Indexed TAG filter — uses pre-built indexes for dramatically faster performance than the non-indexed field filter event_simpleName=ProcessRollup2.
- #event_simpleName=DnsRequest AND DomainName=*evil*
- Combine tag filter with wildcard field filter using AND. Wildcards (*) enable substring matching but are slower than exact matches.
- #event_simpleName=ProcessRollup2 | groupBy([ComputerName, ImageFileName], function=count(), limit=10000)
- Aggregate results by grouping on multiple fields with a count function. Always include limit in groupBy to cap result size.
- ImageFileName=/\\powershell\.exe$/i
- Regex pattern matching using forward slashes. The /i flag makes the pattern case-insensitive.
- (#event_simpleName=ProcessRollup2 ImageFileName=*) OR (#event_simpleName=DnsRequest DomainName=*)
- Combine multiple event types using OR within parenthesized sub-queries — useful for cross-event correlation hunts.
- | collect([ImageFileName, CommandLine, UserName, DomainName])
- Collect multiple field values into arrays when grouping — useful for summarizing all values associated with a correlated group.
CQL Event Types (event_simpleName)
- ProcessRollup2
- Process CREATION events. Fields: ImageFileName, CommandLine, ParentBaseFileName, TargetProcessId, ParentProcessId, SHA256HashData, UserSid.
- DnsRequest
- DNS query events. Fields: DomainName, RequestType, ContextProcessId (the process that made the DNS query), InterfaceIndex.
- NetworkConnectIP4
- IPv4 network connection events. Fields: RemoteAddressIP4, RemotePort, LocalAddressIP4, LocalPort, ContextProcessId, Protocol.
- UserLogon
- Authentication events. Fields: UserName, UserSid, LogonType, AuthenticationPackage, TargetDomainName, LogonServerDomainName.
- FileWritten
- File write events. Fields: TargetFileName, ContextProcessId, FileSize. Used to track dropped files, staged exfiltration data, and new scripts.
- RegKeyCreated / RegValueSet
- Registry modification events. Track persistence mechanisms like run keys, service entries, and COM hijacking via registry.
- ProcessTerminated
- Process end events. Complements ProcessRollup2 — used to calculate process runtime duration and detect short-lived processes.
CQL Process Relationship Fields
- TargetProcessId
- The numeric ID assigned to a process at creation time in ProcessRollup2 events. Used to link a process to its subsequent activity.
- ParentProcessId
- The process ID of the PARENT that spawned the current process. Correlate with another ProcessRollup2 TargetProcessId to trace genealogy.
- ContextProcessId
- The process responsible for generating the event in non-process event types (DnsRequest, NetworkConnectIP4, FileWritten). Links activity back to a process.
- ParentBaseFileName
- The executable name (no path) of the parent process. Use in ProcessRollup2 to filter for processes spawned by a specific parent (e.g., ParentBaseFileName=cmd.exe).
- Correlating Process to DNS Events
- Join ProcessRollup2 and DnsRequest using TargetProcessId (from process event) matching ContextProcessId (from DNS event) scoped to the same aid (agent ID).
- aid (Agent ID)
- Unique identifier for each Falcon sensor installation. Always scope correlation queries to the same aid to avoid cross-endpoint false matches.
CQL Timestamps and Formatting
- Unix Epoch Timestamp
- Number of SECONDS elapsed since January 1, 1970 00:00:00 UTC. Example: 1718640000 = approximately June 17, 2024.
- formatTime("%FT%T%z", field=timestamp)
- Convert a Unix epoch timestamp field to ISO 8601 human-readable format (e.g., 2024-06-17T00:00:00+0000).
- parseTimestamp("yyyy-MM-dd", field=dateField, as=epochField, timezone="UTC")
- Convert a human-readable date string to a Unix epoch value for use in time-based filtering.
- Seconds vs Milliseconds
- CrowdStrike Falcon event timestamps are in SECONDS since epoch, not milliseconds. When converting, do not divide by 1000.
- Tag Filter Performance Rule
- Always use #event_simpleName= (indexed tag filter) instead of event_simpleName= (field filter) — tag filters use pre-built indexes and are significantly faster.
- Query Optimization Order
- Apply indexed tag filters first, then narrow the time range, then add exact field matches, and use wildcards/regex last.
Detection Analysis Workflow
- Host Timeline
- Chronological view of ALL events on a specific endpoint: process executions, network connections, file writes, registry changes. Answers 'what happened on this host?'
- Process Tree
- Visual parent-child process chain for ONE specific process. Answers 'how did this process get here and what did it spawn?' Red nodes indicate where malicious behavior was detected.
- Host Timeline vs Process Tree
- Host timeline = BREADTH (all event types on one host). Process tree = DEPTH (full genealogy of one process chain). Different scopes, different purposes.
- Detection Severity Levels
- Informational, Low, Medium, High, Critical — assigned by CrowdStrike Intelligence based on threat analysis. Admins cannot manually change the severity level.
- Pivot Workflow
- Detection page → process tree (understand chain) → host timeline (all concurrent events) → Investigate module (cross-environment scope). Each pivot adds context.
- Suspicious Process Chain Example
- winword.exe spawning powershell.exe spawning cmd.exe is a high-confidence malicious indicator — document editors should not spawn scripting engines.
- Legitimate Tool Caution
- PowerShell, PsExec, WMI, and WMIC are dual-use tools — require contextual analysis (who, when, what command, from where) to determine if usage is malicious.
Investigate Module — Search Types
- User Search
- Find all activity associated with a specific user account ACROSS ALL endpoints — ideal for insider threat investigations and compromised account analysis.
- Host Search
- Find details and historical activity for a specific endpoint: sensor status, OS, applied policies, recent detections, and host-level metadata.
- Hash Lookup
- Search for a specific SHA256 hash across all endpoints to determine file prevalence, which hosts have the file, and associated process executions.
- IP Search
- Find all endpoints and processes that have communicated with a specific IP address — scope is environment-wide, not limited to one host.
- Domain Search
- Find all processes and hosts that made DNS queries to a specific domain across the entire environment. More comprehensive than IP search since a domain can resolve to multiple IPs.
- Hash Prevalence Logic
- LOW prevalence hash = more suspicious (rare in environment). HIGH prevalence hash = likely legitimate (common system file). Prevalence is a key triage signal.
- Investigate vs Event Search
- Investigate module provides pre-built point-and-click searches for specific entities. Event Search (CQL) provides custom flexible queries when pre-built searches are insufficient.
Reports and Reference Documentation
- Hunt Reports
- Pre-configured built-in reports summarizing THREATS FOUND — suspicious behaviors, anomalous activities, and potential threats identified during hunting operations.
- Visibility Reports
- Pre-configured built-in reports showing COVERAGE GAPS — sensor deployment status, data collection completeness, and endpoint visibility metrics.
- Hunt vs Visibility Reports
- Hunt = WHAT threats were found. Visibility = DO YOU have coverage to find threats. Review Visibility FIRST before starting a hunt to confirm data completeness.
- Events Full Reference
- CrowdStrike's comprehensive documentation listing all event_simpleName values, every available field, data types, and field descriptions. Use when unsure what fields an event type contains.
- Scheduled Reports
- Automated recurring report delivery (daily, weekly, monthly) for ongoing monitoring and compliance — do not replace manual hunting or custom event searches.
- Custom Dashboards
- User-created visualization panels built from CQL query results displayed as charts, tables, or graphs. Persist saved query results for ongoing monitoring.
Hunting Methodology
- Hypothesis-Driven Hunting
- Top-down approach: start with a theory about adversary behavior (from threat intelligence or known TTPs), then build CQL queries to prove or disprove the hypothesis.
- Outlier Analysis
- Bottom-up approach: start with data to find statistical anomalies — rare processes, unusual network connections, or behaviors deviating from baseline — with no prior hypothesis.
- Hypothesis vs Outlier
- Hypothesis-driven = THEORY first, then data. Outlier analysis = DATA first, then theory. Both are valid and testable on the CCFH exam.
- EAM (Endpoint Activity Monitoring)
- Falcon application providing real-time forensic visibility into endpoint activity. Used for hunting unique auto-start extension points (ASEPs) and proactive suspicious behavior detection.
- Hunt Documentation Elements
- Must include: initial hypothesis, all queries executed, data sources and timeframes analyzed, findings (positive AND negative), and recommended follow-up actions.
- Outlier Contextual Analysis
- Low-prevalence processes (1 of 5,000 endpoints) are suspicious signals, not automatic verdicts — verify file hash, path, parent process, and network connections before escalating.
- Threat Intelligence Integration
- Use adversary TTPs from intelligence reports to generate hunting hypotheses — correlate known IOCs, adversary tools, and trending attack techniques with environment telemetry.
Hunting Analytics — Behavioral Context
- Contextual Analysis Rule
- Evaluate WHO executed a tool, WHAT it did, WHEN it ran, and FROM WHERE — single indicators are rarely conclusive; analyze multiple indicators together.
- DevOps / CI-CD Disambiguation
- Configuration management tools (Ansible, Puppet, Chef) legitimately create scheduled tasks, modify registry, and spawn shells — verify with operations team before escalating.
- Baseline Comparison
- Know normal behavior for servers vs. workstations vs. domain controllers — each has different expected processes, network patterns, and administrative activity profiles.
- Off-Hours Execution Signal
- Processes running outside business hours with encoded commands and external downloads on production systems with no maintenance window = high-confidence suspicious indicator cluster.
- Information Reliability Evaluation
- High false-positive-rate findings become significant when they correlate with independent indicators of compromise — correlation strength drives investigative priority.
- Low Prevalence Caveat
- Low-prevalence does NOT automatically mean malicious — custom internal tools, bespoke scripts, and LOB applications may have low environment prevalence but be fully legitimate.
- IOA vs IOC
- IOA = behavioral/proactive — detects adversary TACTICS regardless of specific malware used. IOC = static/reactive — matches known artifacts (hashes, IPs, domains) after prior observation.
Key Platform Concepts for Hunters
- Falcon OverWatch
- CrowdStrike's 24/7 managed threat hunting SERVICE staffed by expert analysts — not a configurable product feature. Proactively hunts across all customer environments.
- Falcon LogScale (formerly Humio)
- CrowdStrike's index-free log management platform that powers CQL event search queries. Enables fast search across massive event volumes without traditional indexes.
- Real Time Response (RTR)
- Remote shell access to live endpoints for investigation and remediation — file retrieval, process termination, and script execution directly from the Falcon console.
- Falcon Adversary Intelligence
- CrowdStrike's threat intelligence service providing adversary profiles, campaign tracking, malware analysis, and vulnerability intelligence to inform hunting hypotheses.
- Threat Graph
- CrowdStrike's cloud-based graph database correlating trillions of security events per week to identify relationships between indicators, adversaries, and attack patterns.
- Falcon Sandbox
- Automated malware analysis environment that detonates suspicious files/URLs in isolation to observe behavior and extract indicators — used to supplement investigation.