CrowdStrike Falcon Search Engine is a malware search engine developed by CrowdStrike, based on their arguably largest threat database which receives 51 billion security events every day from its install base and with 700 million files indexed, to make a total of 560 TB of malwares, which can be searched in real-time.

Malware analysis is a crucial tool for staying ahead in the race against attackers. The tools and resource requirements for this research did not keep up with the hastily sprouting threat landscape. Existing tools are slow and will take a lot of manual effort to develop any effective results. The malware research capabilities of a Security Operations Center can be considerably sped up and improved by using Falcon MalQuery along with the Falcon Search Engine. The Falcon MalQuery serves as the malware search and intelligence component of the falcon search engine and has a colossal collection of malware samples that has been collected over the years and is indexed for quick search.

When the Falcon Search Engine is implemented in an organization, along with falcon Malquery, it will store the historical data of all the activities happening in individual systems. So even if a computer goes offline due to a malware infection, historical data can be fetched to determine the type of infection and even the details of the malicious program which will aid in the root cause analysis.

Search Interface

In the Investigate page, there are different tabs to search:

  1. Computer
  2. Source IP
  3. Hash
  4. User
  5. Bulk Hash
  6. Bulk Domain

 

Clicking on each tab will reveal the options available for search with their relevant search criteria.

C:\Users\Habshan\AppData\Local\Microsoft\Windows\INetCache\Content.Word\Screenshot_7.png Investigate Page

For example, to do a hash search, you’ll have to click on the hash tab and enter the MD5 or the SHA256 data along with the time for the search.

C:\Users\Habshan\AppData\Local\Microsoft\Windows\INetCache\Content.Word\Screenshot_2.pngHash Tab

The search results will contain all the details of the file which matches with the hash, which contains the filename, version, product, product version, description, etc

C:\Users\Habshan\AppData\Local\Microsoft\Windows\INetCache\Content.Word\Screenshot_3.pngSearch Results

Along with the Module Load History and Process Execution History. The Module Load History contains the Unique file count, number of computers affected, on which computer the file was detected first and when it was detected, and the last time it was found being active. The process execution history contains the MD5 and SHA256 details, number of process executions, date of first execution, computer on which first execution was detected, and number of computers affected.

There is also a Detect History which shows the date on which the particular file was detected, scenario, a short description, severity, AVHits, computer affected, Username, file name, file path, etc.

The search also returns a Process Execution Timeline which shows a neat timeline based on the malicious file’s activity in the company network.

And lastly there is Antivirus Information available of the file.

The falcon search engine can display all the above information with a single search about a malicious file. This can be very convenient and aid in root cause analysis.