CrowdStrike Malquery

This integration is part of the CrowdStrike Malquery Pack.

MalQuery is the malware search engine of the CrowdStrike Falcon platform. Use this integration to search the content of the clean and malicious binary files it indexes, by hex pattern, string or YARA rule, and to retrieve metadata and samples for matching files. This integration was integrated and tested with version 1.0 of CrowdStrikeMalquery.

Configure CrowdStrikeMalquery in Cortex#

| Parameter | Description | Required |
| --- | --- | --- |
| base_url | Server URL (e.g. https://example.net) | True |
| client_id | Client ID | True |
| client_secret | Client Secret | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

cs-malquery-exact-search#


Searches Falcon MalQuery for a combination of hex patterns and strings to identify malware samples based on file content. The search runs asynchronously and returns a request ID; pass that ID to the cs-malquery-get-request command to retrieve the results. Results can be filtered by criteria such as file type, file size and first-seen date.

Base Command#

cs-malquery-exact-search

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| hex | The hex pattern to search. For example, deadbeef0102 (for bytes de, ad, be, ef, 01, 02). | Optional |
| ascii | The ASCII pattern to search. For example, CrowdStrike. | Optional |
| wide | The wide (UTF-16) string pattern to search. For example, CrowdStrike. | Optional |
| limit | The maximum number of results to be returned. Default is 100. | Optional |
| max_size | The maximum file size. The value can be specified either in bytes or in multiples of KB/MB/GB. For example, 128000, 1.3 KB, 8mb. | Optional |
| min_size | The minimum file size. The value can be specified either in bytes or in multiples of KB/MB/GB. For example, 128000, 1.3 KB, 8mb. | Optional |
| max_date | Limits results to files first seen before this date. The format is YYYY/MM/DD. For example, 2018/01/31. | Optional |
| min_date | Limits results to files first seen after this date. The format is YYYY/MM/DD. For example, 2018/01/31. | Optional |
| filter_filetypes | Limits results to certain file types such as EMAIL, PCAP, PDF, PE32. Comma separated values. For a full list of file types, see the MalQuery API documentation. | Optional |
| filter_meta | Specifies a subset of metadata fields to return in the results. Possible values: sha256, md5, type, size, first_seen, label, family. Comma separated values. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Malquery.Request_ID | String | The request ID. |

Command Example#

!cs-malquery-exact-search hex=8948208b480833ca33f989502489482889782c8bd7 filter_meta=sha256,type,size limit=5

Context Example#

{
"Malquery": {
"Request_ID": "08942ddd-373e-493d-54f9-f6e495174913"
}
}

Human Readable Output#

Search Result#

| Request_ID |
| --- |
| 08942ddd-373e-493d-54f9-f6e495174913 |

cs-malquery-hunt#


Schedules a YARA rule-based search (a hunt) for execution and returns a request ID. Pass that ID to the cs-malquery-get-request command to retrieve the results. Results can be filtered by criteria such as file type, file size and first-seen date. Each hunt counts against the monthly hunt quota reported by cs-malquery-get-ratelimit.

Base Command#

cs-malquery-hunt

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| yara_rule | The YARA rule to search. | Optional |
| yar_file_entry_id | The entry ID of a YAR file containing the YARA rule to search. Only one YARA rule per request. | Optional |
| limit | The maximum number of results to be returned. | Optional |
| max_size | The maximum file size. The value can be specified either in bytes or in multiples of KB/MB/GB. For example, 128000, 1.3 KB, 8mb. | Optional |
| min_size | The minimum file size. The value can be specified either in bytes or in multiples of KB/MB/GB. For example, 128000, 1.3 KB, 8mb. | Optional |
| max_date | Limits results to files first seen before this date. The format is YYYY/MM/DD. For example, 2018/01/31. | Optional |
| min_date | Limits results to files first seen after this date. The format is YYYY/MM/DD. For example, 2018/01/31. | Optional |
| filter_filetypes | Limits results to files of certain types such as EMAIL, PCAP, PDF, PE32. Comma separated values. For a full list of types, see the MalQuery API documentation. | Optional |
| filter_meta | Specifies a subset of metadata fields to return in the results. Possible values: sha256, md5, type, size, first_seen, label, family. Comma separated values. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Malquery.Request_ID | String | The request ID. |

Command Example#

!cs-malquery-hunt filter_filetypes=PE32 filter_meta=sha256,type,size limit=5 yara_rule="rule CrowdStrike_16142_01 : wiper { strings: $ = { 41 61 43 63 64 44 65 46 66 47 68 69 4B 4C 6C 4D 6D 6E 4E 6F 4F 70 50 72 52 73 53 54 74 55 75 56 76 77 57 78 79 5A 7A 33 32 2E 5C 45 62 67 6A 48 49 20 5F 59 51 42 3A 22 2F 40 } condition: all of them and filesize < 800KB }"

Context Example#

{
"Malquery": {
"Request_ID": "503efffd-2d44-4566-7794-8de45568cbbf"
}
}

Human Readable Output#

Search Result#

| Request_ID |
| --- |
| 503efffd-2d44-4566-7794-8de45568cbbf |
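The two asynchronous search commands above, cs-malquery-exact-search and cs-malquery-hunt, take the same size, date and filter arguments and differ only in the pattern they carry. The following is an added example, not code from the CrowdStrike Malquery pack: it normalizes the size forms the tables list (128000, 1.3 KB, 8mb) to byte counts, checks the YYYY/MM/DD dates and the allowed filter_meta fields, and converts an exact-search hex pattern into an equivalent one-string YARA rule so the same bytes can be hunted with a filesize bound, the way the page's rule example does. The assumptions are that KB/MB/GB are binary multiples (the page does not say), that the resulting dict is what an XSOAR automation hands to demisto.executeCommand, and that the rule name and tag are placeholders.

```python
import re
from datetime import datetime

# Added example, not code from the CrowdStrike Malquery pack. Builds and sanity-checks
# the argument dict handed to cs-malquery-exact-search / cs-malquery-hunt. Assumption:
# size units are binary multiples (1 KB = 1024 bytes); rule names/tags are placeholders.

ALLOWED_PATTERNS = {"hex", "ascii", "wide", "yara_rule"}
ALLOWED_META = {"sha256", "md5", "type", "size", "first_seen", "label", "family"}
SIZE_UNITS = {"": 1, "B": 1, "K": 1024, "KB": 1024, "M": 1024 ** 2, "MB": 1024 ** 2,
              "G": 1024 ** 3, "GB": 1024 ** 3}


def parse_size(value):
    """Normalize '128000', '1.3 KB' or '8mb' (the forms the page lists) to a byte count."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([kKmMgG]?[bB]?)\s*", str(value))
    if not m:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(float(m.group(1)) * SIZE_UNITS[m.group(2).upper()])


def parse_date(value):
    """Accept only the YYYY/MM/DD form the date filters expect; returned unchanged."""
    datetime.strptime(value, "%Y/%m/%d")  # raises ValueError on any other layout
    return value


def hex_to_yara_rule(name, hex_pattern, max_size=None, tags=()):
    """Turn an exact-search hex pattern into an equivalent one-string YARA rule for
    cs-malquery-hunt, optionally adding the filesize bound the page's example uses."""
    digits = re.sub(r"\s+", "", hex_pattern).lower()
    if len(digits) % 2 or not re.fullmatch(r"[0-9a-f]+", digits):
        raise ValueError(f"hex pattern must be whole bytes in hex: {hex_pattern!r}")
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        raise ValueError(f"invalid YARA rule name: {name!r}")
    byte_str = " ".join(digits[i:i + 2].upper() for i in range(0, len(digits), 2))
    condition = "all of them"
    if max_size is not None:
        condition += f" and filesize < {parse_size(max_size)}"
    tag_part = " : " + " ".join(tags) if tags else ""
    return (f"rule {name}{tag_part} {{\n"
            f"    strings:\n"
            f"        $ = {{ {byte_str} }}\n"
            f"    condition:\n"
            f"        {condition}\n"
            f"}}")


def build_search_args(pattern_key, pattern, limit=100, min_size=None, max_size=None,
                      min_date=None, max_date=None, filter_filetypes=None, filter_meta=None):
    """Assemble the command arguments as strings (the form XSOAR passes them in),
    rejecting inconsistent bounds and unknown metadata fields before the call."""
    if pattern_key not in ALLOWED_PATTERNS:
        raise ValueError(f"pattern must be one of {sorted(ALLOWED_PATTERNS)}")
    args = {pattern_key: pattern, "limit": str(int(limit))}
    if min_size is not None:
        args["min_size"] = str(parse_size(min_size))
    if max_size is not None:
        args["max_size"] = str(parse_size(max_size))
    if min_size is not None and max_size is not None and int(args["min_size"]) > int(args["max_size"]):
        raise ValueError("min_size is larger than max_size")
    if min_date is not None:
        args["min_date"] = parse_date(min_date)
    if max_date is not None:
        args["max_date"] = parse_date(max_date)
    if min_date is not None and max_date is not None and min_date > max_date:
        raise ValueError("min_date is later than max_date")  # YYYY/MM/DD sorts lexically
    if filter_filetypes:
        args["filter_filetypes"] = ",".join(t.strip().upper() for t in filter_filetypes)
    if filter_meta:
        unknown = set(filter_meta) - ALLOWED_META
        if unknown:
            raise ValueError(f"unknown filter_meta fields: {sorted(unknown)}")
        args["filter_meta"] = ",".join(filter_meta)
    return args


if __name__ == "__main__":
    rule = hex_to_yara_rule("hunt_example", "8948208b480833ca33f989502489482889782c8bd7",
                            max_size="800KB", tags=("wiper",))
    print(rule)
    print(build_search_args("yara_rule", rule, limit=5, filter_filetypes=["PE32"],
                            filter_meta=["sha256", "type", "size"]))
```

Rejecting a min/max inversion or an unknown filter_meta field locally saves a round trip and, for hunts, a charge against the monthly hunt quota; the generated rule is plain YARA text and can be passed as yara_rule or saved to a .yar file and referenced by yar_file_entry_id.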

cs-malquery-fuzzy-search#


Searches Falcon MalQuery quickly using partial matching, which carries more potential for false positives than cs-malquery-exact-search. Unlike the exact search and the hunt, this command is synchronous: it returns the matching files directly rather than a request ID. Search for a combination of hex patterns and strings to identify samples based on file content.

Base Command#

cs-malquery-fuzzy-search

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| hex | The hex pattern to search. For example, deadbeef0102 (for bytes de, ad, be, ef, 01, 02). | Optional |
| ascii | The ASCII pattern to search. For example, CrowdStrike. | Optional |
| wide | The wide (UTF-16) string pattern to search. For example, CrowdStrike. | Optional |
| limit | The maximum number of results to be returned. Default is 100. | Optional |
| filter_meta | Specifies a subset of metadata fields to return in the results. Possible values: sha256, md5, type, size, first_seen, label, family. Comma separated values. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Malquery.File.family | String | The malware family of the file. For example, StoneDrill. |
| Malquery.File.filesize | String | The size of the file. |
| Malquery.File.filetype | String | The type of the file. |
| Malquery.File.first_seen | String | The date when the file was first seen. |
| Malquery.File.label | String | The label of the file. For example, Malware. |
| Malquery.File.md5 | String | The MD5 hash of the file. |
| Malquery.File.sha1 | String | The SHA1 hash of the file. |
| Malquery.File.sha256 | String | The SHA256 hash of the file. |

Command Example#

!cs-malquery-fuzzy-search hex=8948208b480833ca33f989502489482889782c8bd7 filter_meta=sha256,type,size limit=5

Context Example#

{
"Malquery": {
"File": [
{
"filesize": 310552,
"filetype": "PE32",
"sha256": "e51f0a8884eb08fc43da0501ebd3776831e2fd4b0a8dd12e69866a8febe41495"
},
{
"filesize": 1672180,
"filetype": "PE32",
"sha256": "bc74f8fc37b902536b52c1157b74724edc96a586b0e3e38717dd845981443a5b"
},
{
"filesize": 1672188,
"filetype": "PE32",
"sha256": "72b021085f62e5dc1335f878a2751bce68d95918c84215ec8dfebf491009ea09"
},
{
"filesize": 279624,
"filetype": "PE32",
"sha256": "5e2e1735e10684b36d30b3a3362e66cd30fb493afac8e711d92bde8372b9b6d0"
},
{
"filesize": 19055104,
"filetype": "PE32",
"sha256": "d5023cd464d7578506770338e0fc43bd64887dbf234785b4d8f8547e57efa33d"
}
]
}
}

Human Readable Output#

Fuzzy Search Result#

| filesize | filetype | sha256 |
| --- | --- | --- |
| 310552 | PE32 | e51f0a8884eb08fc43da0501ebd3776831e2fd4b0a8dd12e69866a8febe41495 |
| 1672180 | PE32 | bc74f8fc37b902536b52c1157b74724edc96a586b0e3e38717dd845981443a5b |
| 1672188 | PE32 | 72b021085f62e5dc1335f878a2751bce68d95918c84215ec8dfebf491009ea09 |
| 279624 | PE32 | 5e2e1735e10684b36d30b3a3362e66cd30fb493afac8e711d92bde8372b9b6d0 |
| 19055104 | PE32 | d5023cd464d7578506770338e0fc43bd64887dbf234785b4d8f8547e57efa33d |

cs-malquery-get-request#


Checks the status and results of an asynchronous request, whether it came from cs-malquery-exact-search, cs-malquery-hunt or cs-malquery-samples-multidownload. Supports a single request ID per call. Results are only available once the status is done.

Base Command#

cs-malquery-get-request

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| request_id | The identifier of a MalQuery request. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Malquery.Request_ID | String | The request ID. |
| Malquery.Status | String | The status of the request. |
| Malquery.File.family | String | The malware family of the file. For example, StoneDrill. |
| Malquery.File.filesize | String | The size of the file. |
| Malquery.File.filetype | String | The type of the file. For example, PE32. |
| Malquery.File.first_seen | String | The date when the file was first seen. |
| Malquery.File.label | String | The label of the file. For example, malware. |
| Malquery.File.md5 | String | The MD5 hash of the file. |
| Malquery.File.sha1 | String | The SHA1 hash of the file. |
| Malquery.File.sha256 | String | The SHA256 hash of the file. |

Command Example#

!cs-malquery-get-request request_id=096f6aa5-f245-4b09-790f-133bc89d4d26

Context Example#

{
"Malquery": {
"File": [
{
"filesize": 151552,
"filetype": "PE32",
"first_seen": "2020/06/09",
"label": "unknown",
"md5": "0b189ab69d40e782fe827c63e1cc6f06",
"samples": [],
"sha1": "85be23059c9abb3370586dc49dbd8f1ced05df8e",
"sha256": "d207ccf1eabcc9453288896d963f1a1c558c427abfe9305d7328e3a6fb06f6ee"
},
{
"family": "Stonedrill",
"filesize": 245760,
"filetype": "PE32",
"first_seen": "2019/03/12",
"label": "malware",
"md5": "688bdedf1f9dd44d6db51a7f8499939c",
"samples": [],
"sha1": "2ca2622317bc840bf890d1e337d2c547be2cfebf",
"sha256": "41a1d7b98d0ce3259270c9a8f26fe8899cca402cba69ef8e5c70449faea8b714"
},
{
"family": "Stonedrill",
"filesize": 317440,
"filetype": "PE32",
"first_seen": "2018/01/24",
"label": "malware",
"md5": "345ade2a73ee83e4f75447a26c4e78c9",
"samples": [],
"sha1": "6ae00484a878201e6150108ca1b234dd1f68930d",
"sha256": "0f191518ab7f24643218bd3384ae4bd1f52ec80419730d87196605a2a69938d7"
},
{
"family": "Cadlotcorg",
"filesize": 128512,
"filetype": "PE32",
"first_seen": "2017/07/20",
"label": "malware",
"md5": "2b82ce15a632e3ce1485bfc87e586ee5",
"samples": [],
"sha1": "df07d50296914de0ca3116d4ca6d3845d55c7540",
"sha256": "3fb85b787fa005e591cd2cd7e1e83c79d103b1c26f5da31fdf788764ae0b8bb0"
},
{
"family": "Cadlotcorg",
"filesize": 130560,
"filetype": "PE32",
"first_seen": "2016/12/09",
"label": "malware",
"md5": "697c515a46484be4f9597cb4f39b2959",
"samples": [],
"sha1": "b9fc1ac4a7ccee467402f190391974a181391da3",
"sha256": "bf79622491dc5d572b4cfb7feced055120138df94ffd2b48ca629bb0a77514cc"
}
],
"Request_ID": "096f6aa5-f245-4b09-790f-133bc89d4d26",
"Status": "done"
}
}

Human Readable Output#

Search Result for request: 096f6aa5-f245-4b09-790f-133bc89d4d26#

| filesize | filetype | first_seen | label | md5 | sha1 | sha256 |
| --- | --- | --- | --- | --- | --- | --- |
| 151552 | PE32 | 2020/06/09 | unknown | 0b189ab69d40e782fe827c63e1cc6f06 | 85be23059c9abb3370586dc49dbd8f1ced05df8e | d207ccf1eabcc9453288896d963f1a1c558c427abfe9305d7328e3a6fb06f6ee |
| 245760 | PE32 | 2019/03/12 | malware | 688bdedf1f9dd44d6db51a7f8499939c | 2ca2622317bc840bf890d1e337d2c547be2cfebf | 41a1d7b98d0ce3259270c9a8f26fe8899cca402cba69ef8e5c70449faea8b714 |
| 317440 | PE32 | 2018/01/24 | malware | 345ade2a73ee83e4f75447a26c4e78c9 | 6ae00484a878201e6150108ca1b234dd1f68930d | 0f191518ab7f24643218bd3384ae4bd1f52ec80419730d87196605a2a69938d7 |
| 128512 | PE32 | 2017/07/20 | malware | 2b82ce15a632e3ce1485bfc87e586ee5 | df07d50296914de0ca3116d4ca6d3845d55c7540 | 3fb85b787fa005e591cd2cd7e1e83c79d103b1c26f5da31fdf788764ae0b8bb0 |
| 130560 | PE32 | 2016/12/09 | malware | 697c515a46484be4f9597cb4f39b2959 | b9fc1ac4a7ccee467402f190391974a181391da3 | bf79622491dc5d572b4cfb7feced055120138df94ffd2b48ca629bb0a77514cc |

cs-malquery-get-ratelimit#


Returns information about search and download quotas in your environment.

Base Command#

cs-malquery-get-ratelimit

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Malquery.Quota.hunt_count | number | How many hunts were executed in the last month. |
| Malquery.Quota.download_count | number | How many downloads were executed in the last month. |
| Malquery.Quota.monitor_count | number | How many monitors were created in the last month. |
| Malquery.Quota.hunt_limit | number | The total hunt limit per month. |
| Malquery.Quota.download_limit | number | The total download limit per month. |
| Malquery.Quota.monitor_limit | number | The total monitor limit per month. |
| Malquery.Quota.refresh_time | string | The time when the limits are refreshed, in ISO 8601 format. |
| Malquery.Quota.days_left | number | The days left until the limits are refreshed. |
| Malquery.Quota.hunt_counts.userid | string | The user the hunt count applies to. |
| Malquery.Quota.hunt_counts.counter | number | The number of hunts executed by that user. |
| Malquery.Quota.download_counts.userid | string | The user the download count applies to. |
| Malquery.Quota.download_counts.counter | number | The number of downloads executed by that user. |

Command Example#

!cs-malquery-get-ratelimit

Context Example#

{
"Malquery": {
"Quota": {
"days_left": 3,
"download_count": 28,
"download_counts": [
{
"counter": 28,
"userid": ""
}
],
"download_limit": 50,
"hunt_count": 83,
"hunt_counts": [
{
"counter": 83,
"userid": ""
}
],
"hunt_limit": 100,
"monitor_count": 0,
"monitor_limit": 10,
"refresh_time": "2020-08-01T00:00:00Z"
}
}
}

Human Readable Output#

Quota Data#

| hunt_count | download_count | monitor_count | hunt_limit | download_limit | monitor_limit | refresh_time | days_left |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 83 | 28 | 0 | 100 | 50 | 10 | 2020-08-01T00:00:00Z | 3 |

cs-malquery-samples-multidownload#


Schedules samples for download and returns a request ID. Use the request ID with cs-malquery-get-request to check the status of the operation. When the request status is done, use cs-malquery-sample-fetch to download the results as a password-protected archive. The archive password is infected. Each scheduled download counts against the monthly download quota reported by cs-malquery-get-ratelimit.

Base Command#

cs-malquery-samples-multidownload

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| samples | The SHA256 hashes of the samples to download. Comma separated values. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Malquery.Request_ID | String | The request ID. |
| Malquery.Status | String | The request status. |

Command Example#

!cs-malquery-samples-multidownload samples=742db9f3ae1b7322dfe8ab81476cd3146f9c0ce086fc4cd38a1072fb6cae8662,accc6794951290467e01b7676e8b4ba177076d54f836589ea7d3298cdf6fc995

Context Example#

{
"Malquery": {
"Request_ID": "e2e1aecb-6e34-44f7-5d42-932880276c5e"
}
}

Human Readable Output#

Samples Multidownload Request#

| Request_ID |
| --- |
| e2e1aecb-6e34-44f7-5d42-932880276c5e |
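The three sections above describe one workflow: poll cs-malquery-get-request until a hunt reports Status done, decide which of the returned hashes are worth pulling, check the download quota from cs-malquery-get-ratelimit, and schedule the samples with cs-malquery-samples-multidownload. The following is an added example of that workflow, not code from the CrowdStrike Malquery pack. It assumes an execute(command, args) callable that returns the Malquery context object each command documents on this page (in an XSOAR automation you would wrap demisto.executeCommand and unwrap its EntryContext); the FakeMalquery class, its pending status string and the result list are constructed stand-ins so the code runs offline, with SHA256s taken from the cs-malquery-get-request context example above.

```python
import time

# Added example, not code from the CrowdStrike Malquery pack. Drives the asynchronous
# flow: hunt -> poll cs-malquery-get-request -> triage by label -> cs-malquery-get-ratelimit
# -> cs-malquery-samples-multidownload. `execute(command, args)` is assumed to return the
# Malquery context object each command documents (in XSOAR: wrap demisto.executeCommand
# and unwrap its EntryContext). FakeMalquery and its "pending" status are constructed.

DONE = "done"  # the only finished-state value the page shows


def wait_for_request(execute, request_id, attempts=20, delay=5.0, sleep=time.sleep):
    """Poll until Status is "done" and return the File list; TimeoutError otherwise."""
    for attempt in range(attempts):
        ctx = execute("cs-malquery-get-request", {"request_id": request_id})
        if ctx.get("Status") == DONE:
            return ctx.get("File", [])
        if attempt + 1 < attempts:
            sleep(delay)
    raise TimeoutError(f"MalQuery request {request_id} not done after {attempts} polls")


def triage(files):
    """Group result SHA256s by label (malware, unknown, ...), de-duplicated, order kept."""
    groups, seen = {}, set()
    for f in files:
        sha = f.get("sha256")
        if sha and sha not in seen:
            seen.add(sha)
            groups.setdefault(f.get("label", "unknown"), []).append(sha)
    return groups


def remaining_downloads(quota):
    """Downloads still allowed this month, from the cs-malquery-get-ratelimit Quota object."""
    return max(0, int(quota["download_limit"]) - int(quota["download_count"]))


def schedule_downloads(execute, sha256s):
    """Schedule as many of `sha256s` as the quota allows; returns (request_id or None, skipped)."""
    allowed = remaining_downloads(execute("cs-malquery-get-ratelimit", {})["Quota"])
    chosen, skipped = list(sha256s[:allowed]), list(sha256s[allowed:])
    if not chosen:
        return None, skipped
    ctx = execute("cs-malquery-samples-multidownload", {"samples": ",".join(chosen)})
    return ctx["Request_ID"], skipped


def hunt_and_schedule(execute, hunt_args, sleep=time.sleep):
    """End to end: hunt, wait, triage, then queue the malware-labelled hits for download."""
    request_id = execute("cs-malquery-hunt", hunt_args)["Request_ID"]
    groups = triage(wait_for_request(execute, request_id, sleep=sleep))
    download_id, skipped = schedule_downloads(execute, groups.get("malware", []))
    return {"hunt_request": request_id, "groups": groups,
            "download_request": download_id, "skipped": skipped}


# SHA256s taken from the cs-malquery-get-request context example on this page.
SHA_UNKNOWN = "d207ccf1eabcc9453288896d963f1a1c558c427abfe9305d7328e3a6fb06f6ee"
SHA_STONEDRILL_1 = "41a1d7b98d0ce3259270c9a8f26fe8899cca402cba69ef8e5c70449faea8b714"
SHA_STONEDRILL_2 = "0f191518ab7f24643218bd3384ae4bd1f52ec80419730d87196605a2a69938d7"
SHA_CADLOTCORG = "3fb85b787fa005e591cd2cd7e1e83c79d103b1c26f5da31fdf788764ae0b8bb0"
SAMPLE_FILES = [  # constructed result list; the repeated entry exercises de-duplication
    {"label": "unknown", "sha256": SHA_UNKNOWN},
    {"label": "malware", "family": "Stonedrill", "sha256": SHA_STONEDRILL_1},
    {"label": "malware", "family": "Stonedrill", "sha256": SHA_STONEDRILL_2},
    {"label": "malware", "family": "Stonedrill", "sha256": SHA_STONEDRILL_1},
    {"label": "malware", "family": "Cadlotcorg", "sha256": SHA_CADLOTCORG},
]


class FakeMalquery:
    """Constructed executor: scripted answers shaped like the page's Context Examples."""

    def __init__(self, files, download_limit=50, download_count=48, polls_until_done=2):
        self.files, self.polls_left, self.calls = files, polls_until_done, []
        self.quota = {"download_limit": download_limit, "download_count": download_count}

    def __call__(self, command, args):
        self.calls.append((command, dict(args)))
        if command == "cs-malquery-hunt":
            return {"Request_ID": "503efffd-2d44-4566-7794-8de45568cbbf"}
        if command == "cs-malquery-get-request":
            self.polls_left -= 1
            if self.polls_left > 0:  # "pending" is a placeholder, not a documented status
                return {"Request_ID": args["request_id"], "Status": "pending"}
            return {"Request_ID": args["request_id"], "Status": DONE, "File": self.files}
        if command == "cs-malquery-get-ratelimit":
            return {"Quota": self.quota}
        if command == "cs-malquery-samples-multidownload":
            return {"Request_ID": "e2e1aecb-6e34-44f7-5d42-932880276c5e"}
        raise ValueError(f"unexpected command {command}")


if __name__ == "__main__":
    fake = FakeMalquery(SAMPLE_FILES)
    print(hunt_and_schedule(fake, {"yara_rule": "rule demo { condition: true }"},
                            sleep=lambda _: None))
```

Checking remaining_downloads before calling cs-malquery-samples-multidownload matters because the download limit is monthly and a single hunt can return more hashes than the quota has left; the hashes that did not fit come back in skipped so a playbook can queue them after refresh_time instead of silently dropping them. The polling loop only tests for the documented done value; any other status is treated as still running until attempts run out.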

cs-malquery-file-download#


Downloads a single file indexed by MalQuery, specified by its SHA256, into the War Room as a file entry. Only one file per command is supported. The entry is the raw sample, not an archive, so handle it only in an isolated analysis environment.

Base Command#

cs-malquery-file-download

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| file_id | The SHA256 hash of the file to download. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA512 | String | The SHA512 hash of the file. |
| File.MD5 | String | The MD5 hash of the file. |
| File.SSDeep | String | The ssdeep hash of the file. |
| File.Name | String | The name of the file (the SHA256 that was requested). |
| File.EntryID | String | The War Room entry ID of the file. |
| File.Info | String | The MIME type of the file. |
| File.Type | String | The type of the file, as reported by file type detection. |
| File.Size | Number | The size of the file in bytes. |

Command Example#

!cs-malquery-file-download file_id=d77cf874521ee7d4bb7f54bd8cef3d60ec24d267cf2d502f819880f0819f5766

Context Example#

{
"File": {
"EntryID": "3993@904ba2df-a395-4270-8a6b-e9b8d614911e",
"Info": "application/x-dosexec",
"MD5": "c6a6a731f341ced1d93b61bc7628721d",
"Name": "d77cf874521ee7d4bb7f54bd8cef3d60ec24d267cf2d502f819880f0819f5766",
"SHA1": "8953cdddbe825e8378c590084dca1e3d76ced233",
"SHA256": "d77cf874521ee7d4bb7f54bd8cef3d60ec24d267cf2d502f819880f0819f5766",
"SHA512": "09c164142da9b4d8decb3cbbfa2916326aeab50d79bffa6090816f2cdb89838ac79fc7451c5997c06a9186c1bc0661283fc86cd5838d40e4b07b8a5d6bd8bb13",
"SSDeep": "24576:qripAq8fCAmHY/Ph9Kv18re7NHHReC3Mm:quptkhOveSBImMm",
"Size": 1076152,
"Type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"
}
}

cs-malquery-sample-fetch#


Fetches the ZIP archive containing the samples scheduled by a cs-malquery-samples-multidownload request, once cs-malquery-get-request reports that request as done. The archive is password protected; the password is infected. Extract it only in an isolated analysis environment, since the contents are live samples.

Base Command#

cs-malquery-sample-fetch

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| request_id | The identifier of the cs-malquery-samples-multidownload request. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| File.SHA256 | String | The SHA256 hash of the archive. |
| File.SHA1 | String | The SHA1 hash of the archive. |
| File.SHA512 | String | The SHA512 hash of the archive. |
| File.MD5 | String | The MD5 hash of the archive. |
| File.SSDeep | String | The ssdeep hash of the archive. |
| File.Name | String | The name of the archive (the request ID). |
| File.EntryID | String | The War Room entry ID of the archive. |
| File.Info | String | The MIME type of the archive. |
| File.Type | String | The type of the archive, as reported by file type detection. |
| File.Size | Number | The size of the archive in bytes. |

Command Example#

!cs-malquery-sample-fetch request_id=93b55373-3b69-43cb-6ea1-2870a44e1c1e

Context Example#

{
"File": {
"EntryID": "3517@904ba2df-a395-4270-8a6b-e9b8d614911e",
"Info": "application/zip",
"MD5": "a19a427b08c84f27a5a2b9f59fd8f752",
"Name": "93b55373-3b69-43cb-6ea1-2870a44e1c1e",
"SHA1": "01583032c5b9df88266da1d0cc46d41678203f2d",
"SHA256": "a959753414fcf8367054e195424d86feb75f3819272754178efc6ec0963f6bb0",
"SHA512": "3cce7bbca53570da2925da32942c7f20f1f619b016395a663c0abdb1e54eed06ad0b7b60687286f04278196693b4e44255c2cf25ed953a1c512d58625775704b",
"SSDeep": "49152:Pm7wDIVHR7jadrFtkGU5fW/Lv4yZ4mXoGODTmtvL7ERwjU3IDcJA2I:O7wDAHgfkpfiv4PmXoGO3mhLIRwL7",
"Size": 3059253,
"Type": "Zip archive data, at least v1.0 to extract"
}
}

file#


Retrieves the MalQuery metadata (size, type, first-seen date, label, family and hashes) for indexed files by their SHA256 hash, and sets a DBotScore reputation for each. This is a metadata lookup only; it does not download the file.

Base Command#

file

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| file | The SHA256 hashes of the files to look up. Comma separated values. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The reputation score. |
| File.SHA256 | String | The SHA256 hash of the file. |
| Malquery.File.family | String | The malware family of the file. For example, StoneDrill. |
| Malquery.File.filesize | String | The size of the file. |
| Malquery.File.filetype | String | The type of the file. |
| Malquery.File.first_seen | String | The date when the file was first seen. |
| Malquery.File.label | String | The label of the file. |
| Malquery.File.md5 | String | The MD5 hash of the file. |
| Malquery.File.sha1 | String | The SHA1 hash of the file. |
| Malquery.File.sha256 | String | The SHA256 hash of the file. |

Command Example#

!file file=d77cf874521ee7d4bb7f54bd8cef3d60ec24d267cf2d502f819880f0819f5766

Context Example#

{
"DBotScore": {
"Indicator": "d77cf874521ee7d4bb7f54bd8cef3d60ec24d267cf2d502f819880f0819f5766",
"Score": 0,
"Type": "file",
"Vendor": "CrowdStrike Malquery"
},
"File": {
"SHA256": "d77cf874521ee7d4bb7f54bd8cef3d60ec24d267cf2d502f819880f0819f5766"
},
"Malquery": {
"File": {
"filesize": 1076152,
"filetype": "PE32",
"first_seen": "2014/01/27",
"label": "unknown",
"md5": "c6a6a731f341ced1d93b61bc7628721d",
"sha1": "8953cdddbe825e8378c590084dca1e3d76ced233",
"sha256": "d77cf874521ee7d4bb7f54bd8cef3d60ec24d267cf2d502f819880f0819f5766"
}
}
}

Human Readable Output#

CrowdStrike Malquery File reputation#

| filesize | filetype | first_seen | label | md5 | sha1 | sha256 |
| --- | --- | --- | --- | --- | --- | --- |
| 1076152 | PE32 | 2014/01/27 | unknown | c6a6a731f341ced1d93b61bc7628721d | 8953cdddbe825e8378c590084dca1e3d76ced233 | d77cf874521ee7d4bb7f54bd8cef3d60ec24d267cf2d502f819880f0819f5766 |