Crowdstrike FDR

data_models/aws_vpcdns_data_model.yml

@@ -0,0 +1,13 @@
+AnalysisType: datamodel
+LogTypes: 
+  - AWS.VPCDns
+DataModelID: "Standard.AWS.VPCDns"
+DisplayName: "AWS VPC DNS"
+Enabled: true
+Mappings:
+  - Name: source_ip
+    Path: srcAddr
+  - Name: source_port
+    Path: srcPort
+  - Name: dns_query
+    Path: query_name

data_models/cisco_umbrella_data_model.py

@@ -0,0 +1,7 @@
+def get_dns_query(event):
+    # Strip trailing period.
+    # Domain Names from Cisco Umbrella end with a trailing period, such as google.com.
+    domain = event.get("domain")
+    if domain:
+        domain = domain.rstrip(".")
+    return domain

data_models/cisco_umbrella_data_model.yml

@@ -0,0 +1,14 @@
+AnalysisType: datamodel
+LogTypes: 
+  - CiscoUmbrella.DNS
+DataModelID: "Standard.CiscoUmbrella.DNS"
+DisplayName: "Cisco Umbrella DNS"
+Filename: cisco_umbrella_data_model.py
+Enabled: true
+Mappings:
+  - Name: source_ip
+    Path: internalIp
+  - Name: source_port
+    Path: srcPort
+  - Name: dns_query
+    Method: get_dns_query

data_models/crowdstrike_fdr_data_model.py

@@ -6,5 +6,16 @@ def get_dns_query(event):
     # Domain Names from Crowdstrike FDR end with a trailing period, such as google.com.
     domain = deep_get(event, "event", "DomainName", default=None)
     if domain:
-        domain = ".".join(domain.rstrip(".").split(".")[-2:]).lower()
+        domain = domain.rstrip(".").lower()
     return domain
+
+
+def get_process_name(event):
+    platform = event.get("event_platform")
+    # Extract process name from path
+    # Win = \Device\HarddiskVolume2\Windows\System32\winlogon.exe
+    # Lin = /usr/bin/run-parts
+    # Mac = /usr/libexec/xpcproxy
+    if platform == "Win":
+        return deep_get(event, "event", "ImageFileName").split("\\")[-1]
+    return deep_get(event, "event", "ImageFileName").split("/")[-1]

data_models/crowdstrike_fdr_data_model.yml

@@ -17,7 +17,7 @@ Mappings:
     - Name: dns_query
       Method: get_dns_query
     - Name: process_name
-      Path: $.event.ImageFileName
+      Method: get_process_name
     - Name: source_ip
       Path: $.event.LocalAddressIP4
     - Name: source_port

global_helpers/panther_base_helpers.py

@@ -228,6 +228,21 @@ def crowdstrike_detection_alert_context(event: dict):
     }
 
 
+def crowdstrike_process_alert_context(event: dict):
+    """Returns common process context for Crowdstrike detections"""
+    return {
+        "aid": get_crowdstrike_field(event, "aid", default=""),
+        "CommandLine": get_crowdstrike_field(event, "CommandLine", default=""),
+        "TargetProcessId": get_crowdstrike_field(event, "TargetProcessId", default=""),
+        "RawProcessId": get_crowdstrike_field(event, "RawProcessId", default=""),
+        "ParentBaseFileName": get_crowdstrike_field(event, "ParentBaseFileName", default=""),
+        "ParentProcessId": get_crowdstrike_field(event, "ParentProcessId", default=""),
+        "ImageFileName": get_crowdstrike_field(event, "ImageFileName", default=""),
+        "SHA256Hash": get_crowdstrike_field(event, "SHA256HashData", default=""),
+        "platform": get_crowdstrike_field(event, "event_platform", default=""),
+    }
+
+
 def crowdstrike_network_detection_alert_context(event: dict):
     """Returns common network context for Crowdstrike detections"""
     return {
@@ -410,3 +425,8 @@ def m365_alert_context(event):
         "application": event.get("Application", ""),
         "actor": event.get("Actor", []),
     }
+
+
+def defang_ioc(ioc):
+    """return defanged IOC from 1.1.1.1 to 1[.]1[.]1[.]1"""
+    return ioc.replace(".", "[.]")

rules/crowdstrike_rules/crowdstrike_base64_encoded_args.py

@@ -0,0 +1,39 @@
+import re
+
+from panther_base_helpers import crowdstrike_process_alert_context
+
+
+def rule(event):
+    # List of command line tools to monitor for execution with Base64 encoded arguments
+    command_line_tools = {
+        "powershell.exe",
+        "cmd.exe",
+        "cscript.exe",
+        "wscript.exe",
+        "rundll32.exe",
+    }
+
+    # Define a regular expression pattern to match Base64 encoded strings
+    base64_pattern = re.compile(r"[A-Za-z0-9+/]{10,}[=]{0,2}")
+
+    # Normalize the process name to lower case for comparison
+    process_name = event.udm("process_name").lower()
+    # Split process path from arguments
+    command_line_args = " ".join(event.udm("cmd").split(" ")[1:])
+
+    # Check if the process name matches any of the command line tools
+    # and if Base64 encoded arguments are present in the command line
+    if process_name in command_line_tools and base64_pattern.search(command_line_args):
+        return True
+    return False
+
+
+def title(event):
+    process_name = event.udm("process_name").lower()
+    command_line = event.udm("cmd").lower()
+
+    return f"Execution with base64 encoded args: {process_name} - {command_line} "
+
+
+def alert_context(event):
+    return crowdstrike_process_alert_context(event)

rules/crowdstrike_rules/crowdstrike_base64_encoded_args.yml

@@ -0,0 +1,200 @@
+AnalysisType: rule
+Filename: crowdstrike_base64_encoded_args.py
+RuleID: Crowdstrike.Base64EncodedArgs
+DisplayName: Execution of Command Line Tool with Base64 Encoded Arguments
+Enabled: true
+LogTypes:
+  - Crowdstrike.FDREvent
+Tags:
+  - Execution
+  - Obfuscation
+Severity: Medium
+Description: Detects the execution of common command line tools (e.g., PowerShell, cmd.exe) with Base64 encoded arguments, which could indicate an attempt to obfuscate malicious commands.
+Runbook: Investigate the endpoint for signs of command line tool execution with Base64 encoded arguments. Review the executed command, decode the Base64 string, and analyze the original content.
+Reference: N/A
+DedupPeriodMinutes: 60
+Tests:
+  -
+    Name: Command Line Tool Execution with Base64 Argument (Positive)
+    ExpectedResult: true
+    Log:
+      {
+        "ConfigBuild": "1007.3.0016606.11",
+        "ConfigStateHash": "3645117824",
+        "Entitlements": "15",
+        "TreeId": "4295752857",
+        "aid": "877761efa8db44d792ddc2redacted",
+        "aip": "1.1.1.1",
+        "cid": "cfe698690964434083fecdredacted",
+        "event": {
+          "AuthenticationId": "293628",
+          "AuthenticodeHashData": "98a4762f52a",
+          "CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -EncodedCommand \"aGVsbG93b3JsZA==\"", 
+          "ConfigBuild": "1007.3.0016606.11",
+          "ConfigStateHash": "3645117824",
+          "EffectiveTransmissionClass": "2",
+          "Entitlements": "15",
+          "ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
+          "ImageSubsystem": "3",
+          "IntegrityLevel": "12288",
+          "MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
+          "ParentAuthenticationId": "293628",
+          "ParentBaseFileName": "pwsh.exe",
+          "ParentProcessId": "4370948876",
+          "ProcessCreateFlags": "1024",
+          "ProcessEndTime": "",
+          "ProcessParameterFlags": "24577",
+          "ProcessStartTime": "1682368414.719",
+          "ProcessSxsFlags": "64",
+          "RawProcessId": "3120",
+          "SHA1HashData": "0000000000000000000000000000000000000000",
+          "SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
+          "SessionId": "2",
+          "SignInfoFlags": "8683538",
+          "SourceProcessId": "4370948876",
+          "SourceThreadId": "112532918543",
+          "Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
+          "TargetProcessId": "10413665481",
+          "TokenType": "1",
+          "TreeId": "4295752857",
+          "UserSid": "S-1-5-21-239183934-720705223-383019856-500",
+          "aid": "877761efa8db44d792ddc2redacted",
+          "aip": "1.1.1.1",
+          "cid": "cfe698690964434083fecdredacted",
+          "event_platform": "Win",
+          "event_simpleName": "ProcessRollup2",
+          "id": "b0c07877-f288-49f8-8cb3-150149a557b2",
+          "name": "ProcessRollup2V19",
+          "timestamp": "1682368416719"
+        },
+        "event_platform": "Win",
+        "event_simpleName": "ProcessRollup2",
+        "fdr_event_type": "ProcessRollup2",
+        "id": "b0c07877-f288-49f8-8cb3-150149a557b2",
+        "name": "ProcessRollup2V19",
+        "p_log_type": "Crowdstrike.FDREvent",
+        "timestamp": "2023-04-24 20:33:36.719"
+      }
+  -
+    Name: Command Line Tool Execution without Base64 Argument (Negative)
+    ExpectedResult: false
+    Log:
+      {
+        "ConfigBuild": "1007.3.0016606.11",
+        "ConfigStateHash": "3645117824",
+        "Entitlements": "15",
+        "TreeId": "4295752857",
+        "aid": "877761efa8db44d792ddc2redacted",
+        "aip": "1.1.1.1",
+        "cid": "cfe698690964434083fecdredacted",
+        "event": {
+          "AuthenticationId": "293628",
+          "AuthenticodeHashData": "98a4762f52a",
+          "CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WriteHost \"Hello World\"", 
+          "ConfigBuild": "1007.3.0016606.11",
+          "ConfigStateHash": "3645117824",
+          "EffectiveTransmissionClass": "2",
+          "Entitlements": "15",
+          "ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
+          "ImageSubsystem": "3",
+          "IntegrityLevel": "12288",
+          "MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
+          "ParentAuthenticationId": "293628",
+          "ParentBaseFileName": "pwsh.exe",
+          "ParentProcessId": "4370948876",
+          "ProcessCreateFlags": "1024",
+          "ProcessEndTime": "",
+          "ProcessParameterFlags": "24577",
+          "ProcessStartTime": "1682368414.719",
+          "ProcessSxsFlags": "64",
+          "RawProcessId": "3120",
+          "SHA1HashData": "0000000000000000000000000000000000000000",
+          "SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
+          "SessionId": "2",
+          "SignInfoFlags": "8683538",
+          "SourceProcessId": "4370948876",
+          "SourceThreadId": "112532918543",
+          "Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
+          "TargetProcessId": "10413665481",
+          "TokenType": "1",
+          "TreeId": "4295752857",
+          "UserSid": "S-1-5-21-239183934-720705223-383019856-500",
+          "aid": "877761efa8db44d792ddc2redacted",
+          "aip": "1.1.1.1",
+          "cid": "cfe698690964434083fecdredacted",
+          "event_platform": "Win",
+          "event_simpleName": "ProcessRollup2",
+          "id": "b0c07877-f288-49f8-8cb3-150149a557b2",
+          "name": "ProcessRollup2V19",
+          "timestamp": "1682368416719"
+        },
+        "event_platform": "Win",
+        "event_simpleName": "ProcessRollup2",
+        "fdr_event_type": "ProcessRollup2",
+        "id": "b0c07877-f288-49f8-8cb3-150149a557b2",
+        "name": "ProcessRollup2V19",
+        "p_log_type": "Crowdstrike.FDREvent",
+        "timestamp": "2023-04-24 20:33:36.719"
+      }
+
+  -
+    Name: Mac - Git
+    ExpectedResult: false
+    Log:
+      {
+        "ConfigBuild": "1007.4.0016304.11",
+        "ConfigStateHash": "3521399940",
+        "Entitlements": "15",
+        "aid": "1ba46982062b43redacted",
+        "aip": "1.1.1.1",
+        "cid": "712bcd164963442ea43d5redacted",
+        "event": {
+          "CodeSigningFlags": "570503953",
+          "CommandLine": "/Applications/Sourcetree.app/Contents/Resources/git_local/bin/git --no-pager --EncodedString aGVsbG93b3JsZA==",
+          "ConfigBuild": "1007.4.0016304.11",
+          "ConfigStateHash": "3521399940",
+          "EffectiveTransmissionClass": "2",
+          "Entitlements": "15",
+          "GID": "20",
+          "ImageFileName": "/Applications/Sourcetree.app/Contents/Resources/git_local/bin/git",
+          "MD5HashData": "redacted",
+          "MachOSubType": "1",
+          "ParentBaseFileName": "Sourcetree",
+          "ParentProcessId": "466750419375415990",
+          "ProcessEndTime": "",
+          "ProcessGroupId": "468193711305251738",
+          "ProcessStartTime": "1675441378.504",
+          "RGID": "501",
+          "RUID": "501",
+          "RawProcessId": "30138",
+          "SHA1HashData": "0000000000000000000000000000000000000000",
+          "SHA256HashData": "f154d8e18001e2fb7ae36d1eca1e833ddac057dd946fbb76ee14121a5e293538",
+          "SVGID": "20",
+          "SVUID": "501",
+          "SessionProcessId": "466750413792797092",
+          "SigningId": "git",
+          "SourceProcessId": "466750419375415990",
+          "SourceThreadId": "0",
+          "Tags": "12094627905582, 12094627906234",
+          "TargetProcessId": "468193711305251738",
+          "UID": "501",
+          "aid": "1ba46982062b43redacted",
+          "aip": "1.1.1.1",
+          "cid": "712bcd164963442ea43d5redacted",
+          "event_platform": "Mac",
+          "event_simpleName": "ProcessRollup2",
+          "id": "21fd2f8b-de5f-4ab0-b188-4bbb8c80224d",
+          "name": "ProcessRollup2MacV7",
+          "timestamp": "1675441380830"
+        },
+        "event_platform": "Mac",
+        "event_simpleName": "ProcessRollup2",
+        "fdr_event_type": "ProcessRollup2",
+        "id": "21fd2f8b-de5f-4ab0-b188-4bbb8c80224d",
+        "name": "ProcessRollup2MacV7",
+        "p_any_ip_addresses": [
+          "1.1.1.1"
+        ],
+        "p_log_type": "Crowdstrike.FDREvent",
+        "timestamp": "2023-02-03 16:23:00.83"
+      }