MD5 Hash algorithm for Crowdstrike

[mthcht]

MD5 is only calculated on some events, i can see the following fields containing MD5 hashes:

• behaviors{}.md5
• behaviors{}.parent_details.parent_md5
• event.MD5String (event streams logs)
• properties.MD5HashData (vertex_type=module)

it's a little part of the detections but it is partially logged.

for the behaviors{} detections for example, i can see the following behaviors detected with md5 hashes:

• A file appears to be imitating a standard OS or otherwise benign filename and/or launched from an unusual location. This might be to masquerade malware. Review the file.
• A file classified as Adware/PUP based on its SHA256 hash was written to the file-system.
• A file written to the file-system meets the File Analysis ML algorithm's high-confidence threshold for malware.
• A file written to the file-system meets the File Analysis ML algorithm's low-confidence threshold for malware.
• A file written to the file-system meets the File Analysis ML algorithm's lowest-confidence threshold for malware.
• A file written to the file-system meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.
• A file written to the file-system meets the machine learning-based on-sensor AV protection's medium confidence threshold for malicious files.
• A file written to the file-system surpassed a high-confidence adware detection threshold.
• A file written to the file-system surpassed a low-confidence adware detection threshold.
• A file written to the file-system surpassed a lowest-confidence adware detection threshold.
• A file written to the file-system surpassed a medium-confidence adware detection threshold.
• A module was loaded from an unusual path or with an unusual file name. Review the DLLs loaded by the process.
• A process appears to be tampering with the Falcon sensor configuration. If this is unexpected, it might be an adversary trying to disable the Falcon sensor. Review the process tree.
• A process associated with a known ransomware campaign launched. Investigate the host for signs of a ransomware attack.
• A process attempted to delete a Volume Shadow Snapshot.
• A process attempted to hide a Volume Shadow Snapshot.
• A process attempted to modify Falcon sensor auxiliary driver files. This is indicative of an attempt to tamper with Falcon sensor. Investigate the file system operation and process tree.
• A process attempted to modify Falcon sensor core driver files. This is indicative of an attempt to tamper with Falcon sensor. Investigate the file system operation and process tree.
• A process attempted to modify Falcon sensor installer related files. This is indicative of an attempt to tamper with Falcon sensor. Investigate the file system operation and process tree.
• A process attempted to modify Falcon sensor related service binaries. This is indicative of an attempt to tamper with Falcon sensor. Investigate the file system operation and process tree.
• A process attempted to modify a Falcon sensor folder. This is indicative of an attempt to tamper with Falcon sensor. Investigate the file system operation and process tree.
• A process attempted to modify a registry key or value used by Falcon sensor. This is indicative of an attempt to tamper with Falcon sensor. Investigate the registry operation and process tree.
• A process attempted to modify files used for Falcon sensor dynamic configuration. This is indicative of an attempt to tamper with Falcon sensor. Investigate the file system operation and process tree.
• A process attempted to modify injected libraries used by Falcon sensor. This is indicative of an attempt to tamper with Falcon sensor. Investigate the file system operation and process tree.
• A process attempted to uninstall the Falcon sensor in an unusual way. If this is unexpected, it might be an adversary trying to disable the Falcon sensor. Review the process tree.
• A process gathered information about the operating system or hardware. Adversaries can use this to identify system vulnerabilities. Review the process tree.
• A process launched that shares characteristics with mimikatz, a password dumping utility. mimikatz's primary purpose is to steal passwords. If credentials were dumped, change your passwords and investigate the process tree.
• A process loaded a module associated with known malware. Malware might have hijacked a benign process and loaded the malicious module to evade detection. Review the DLLs the process loaded.
• A process loaded a module that shares characteristics with a known malicious file. Review the modules loaded by the process.
• A process monitored keystrokes using the SetWindowsHook API. Adversaries often use this to intercept passwords and other sensitive information. Review the process tree
• A script launched from a location associated with a remote administration tool (RAT). RATs often blend in with other benign applications and might be used by adversaries to remotely control the host. Review the script.
• A suspicious process appears to be issuing commands indicative of VM or Sandbox checks. If this activity is unexpected, review the process tree.
• A suspicious process launched that might be related to a malicious file. If this activity is unexpected, review the file.
• An IP Address matched a Custom Intelligence Indicator (Custom IOC) with critical severity.
• An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.
• An unexpected process ran svchost.exe. Adversaries can masquerade malware as a system process to evade detection. Review the executable.
• An unusual process accessed lsass. This might indicate an attempt to dump credentials. Investigate the process tree.
• Detected and blocked a heap spray attempt, which was likely part of an attempted exploit.
• Mshta attempted to launch a likely malicious payload from a remote path. Review the command line.
• Rundll32 has likely been abused by malware to launch a malicious payload. While the rundll32 process is benign, the DLL file it's loading is likely malicious. Review the file loaded by rundll32.
• This file is classified as Adware/PUP based on its SHA256 hash.
• This file meets the Adware/PUP Anti-malware ML algorithm's low-confidence threshold.
• This file meets the Adware/PUP Anti-malware ML algorithm's lowest-confidence threshold.
• This file meets the Adware/PUP algorithm's high-confidence threshold.
• This file meets the Adware/PUP algorithm's lowest-confidence threshold.
• This file meets the Behavioral Analysis ML algorithm's lowest-confidence threshold for malware. It might be malicious and/or part of an adversary's toolkit. Review the file.
• This file meets the File Analysis ML algorithm's high-confidence threshold for malware.
• This file meets the File Analysis ML algorithm's lowest-confidence threshold for malware.
• This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.
• This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.
• This file meets the machine learning-based on-sensor AV protection's lowest-confidence threshold for malicious files.
• This file meets the machine learning-based on-sensor AV protection's medium confidence threshold for malicious files.
• This file written to disk meets the Behavioral Analysis ML algorithm's lowest-confidence threshold for malware. It might be malicious and/or part of an adversary's toolkit. Review the file.
• Your IOC management action for this SHA256 hash is set to detect and/or block

[inodee]

Hey @mthcht aren't some behaviors relying on a 'detection' to fire? Would they fit 'raw telemetry' concept?

I guess the main target event categories here are Process Activity and File Manipulation.

[mthcht]

Hey @mthcht aren't some behaviors relying on a 'detection' to fire? Would they fit 'raw telemetry' concept?

I guess the main target event categories here are Process Activity and File Manipulation.

they do not rely on an crowdstrike alert to be triggered, it's a raw telemetry, i see it is mentionned here also for other events https://github.com/tsale/EDR-Telemetry/pull/14 (should close this issue)

[tsale]

I will be implementing the proposed change via PR #14. I'll close this issue. Thanks again @mthcht!