CrowdStrike User Guide

This document provides a basic guide to using the CrowdStrike tool for monitoring suspicious activity on devices within a bank. It describes how alerts are sent by email and investigated using information from CrowdStrike and VirusTotal. It also covers responding to alerts by blocking malicious files in CrowdStrike and remediating infected devices by reimaging them. False positives are common and can be identified by noticing repeated alerts for the same user, type, and file name.

Uploaded by

Jason Keys
Copyright: © All Rights Reserved

CrowdStrike User Guide

Written by: Nathaniel Wong

Last update: August 12th, 2016

Internal
Overview
CrowdStrike is a great tool for monitoring suspicious activity on devices throughout the bank. It gives us
the ability to investigate devices and users. We currently have it running through our TRAP server,
and its output can be checked under the "Events" tab on the TRAP website.

This guide gives only basic instructions for using CrowdStrike. It is a very powerful tool and can do a lot more
than what is detailed here.

Alerts
Alerts are sent out through TRAP by email for medium, high, and critical severities. Each email is
assigned to an individual responder but will often be checked by multiple CSIRT members. To be added
to the CrowdStrike alert DL, ask John Kay or Jake Reid. If you have access to the TRAP server, you can
open the CSUtil folder, open the CSUtil.exe config file, and add your email address to it.

Investigation
There are multiple methods of investigating an alert.

CrowdStrike Detection
From the direct CrowdStrike link in the email alert, CrowdStrike shows a variety of useful information.

Process
Looking at the process tree, we can see which application initially launched the file in question. For
example, we can see that cz617.exe was executed from a Word document that was opened from an
Outlook email.

Execution Details
Looking at the Command Line and File Path can be very helpful for understanding what is going on.

AV Detections
Similar to VirusTotal, mentioned below, this tab is a good indicator if the suspect file is malicious.

Network Connections
Here you can see the external IP addresses that the file may have connected to.

DNS Lookups
Looking at the domains that were queried, you can determine whether any look suspicious.

CrowdStrike Investigate
The "Investigate" tool is extremely powerful. The account and hostname can be searched in the tool to
see the user's activity.

VirusTotal
https://www.virustotal.com/

Checking the file name or hash in VirusTotal is a good indicator of whether it is known malware.

Searching for the SHA256 of cz617.exe shows that the same file is also known under a different name,
WinHost32.exe. VirusTotal shows that 27 of 55 antivirus engines detect the file as malicious, including big names
such as Avira, Kaspersky, Malwarebytes, and McAfee.

If there are multiple alerts for the same file, CSIRT may need to investigate the root cause.

Respond
After determining that a certain hash is malicious, a block can be added in CrowdStrike so that all future occurrences are blocked.

Remediation
Once an alert has been determined to be malicious, a remediation ticket can be created in TRAP. This
will automatically send an email to GSI to reimage the device. Simply fill out the form using the
details from the email alert and by searching for the user in Connections. Details can also be found in
ARSUtil.

False Positives
Many of the CrowdStrike alerts will be False Positives, and many of those will be repeats of past
occurrences. Noticing the same user, alert type, and file name is a good way of confirming a previous
False Positive. For example, the following alert, triggered by account PENB2, is very common.

Learning which alerts are frequent False Positives will come with time.
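The repeat-alert rule above (same user, alert type, and file name) and the root-cause rule from the VirusTotal section (same file on several hosts) can be applied mechanically to a batch of alert emails. The following script is an added example, not part of the original guide or of CrowdStrike; the alert records, the hostnames, the "Suspicious Script" alert type and the inventory_sync.vbs file name are constructed, and only PENB2 and cz617.exe come from the guide.

```python
from collections import Counter

# Confirmed false positives from earlier investigations, keyed by
# (user, alert type, file name). PENB2 is the account the guide names;
# the alert type and file name are constructed for this example.
KNOWN_FALSE_POSITIVES = {
    ("PENB2", "Suspicious Script", "inventory_sync.vbs"),
}

# Constructed sample of a week's alert emails (not real bank data).
SAMPLE_ALERTS = [
    {"user": "PENB2", "alert_type": "Suspicious Script",
     "file_name": "inventory_sync.vbs", "hostname": "WS-0101"},
    {"user": "PENB2", "alert_type": "Suspicious Script",
     "file_name": "inventory_sync.vbs", "hostname": "WS-0101"},
    {"user": "JDOE", "alert_type": "Malware", "file_name": "cz617.exe",
     "hostname": "WS-0456"},
    {"user": "ASMITH", "alert_type": "Malware", "file_name": "cz617.exe",
     "hostname": "WS-0789"},
    {"user": "JDOE", "alert_type": "Suspicious Script",
     "file_name": "inventory_sync.vbs", "hostname": "WS-0456"},
]


def alert_key(alert):
    """The three fields the guide uses to recognise a repeat alert."""
    return (alert["user"], alert["alert_type"], alert["file_name"])


def triage(alerts, known_fps=KNOWN_FALSE_POSITIVES):
    """Map each distinct alert key to (verdict, occurrence count).

    known_fp: already confirmed as a false positive for this user/type/file.
    escalate: file reported on more than one host outside the FP list, so a
              CSIRT root-cause investigation is warranted.
    investigate: anything else; check the detection and VirusTotal first.
    """
    counts = Counter(alert_key(a) for a in alerts)
    hosts_by_file = {}
    for a in alerts:
        if alert_key(a) not in known_fps:  # a known FP user does not count
            hosts_by_file.setdefault(a["file_name"], set()).add(a["hostname"])
    verdicts = {}
    for key, n in counts.items():
        if key in known_fps:
            verdicts[key] = ("known_fp", n)
        elif len(hosts_by_file.get(key[2], ())) > 1:
            verdicts[key] = ("escalate", n)
        else:
            verdicts[key] = ("investigate", n)
    return verdicts
```

A file that is a confirmed false positive for one account is still flagged for investigation when it appears under a new user, so the known-FP list only suppresses the exact user/type/file combination that was checked before.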
