Falcon Forensics Dashboards


FALCON FORENSICS DASHBOARDS

CROWDSTRIKE UNIVERSITY

OVERVIEW
Once you have successfully deployed the Falcon Forensics binary to the specified endpoints,
the collected artifacts are uploaded and populate the Falcon Forensics dashboards.

These dashboards include:

Deployment Status Dashboard - Shows what collections have been received

Host Info Dashboard - Shows the types of artifacts gathered for the system

Quick Wins Dashboard - Shows pre-built panels to help uncover malicious activity

Host Timeline Dashboard - Shows a timeline of activity for a given host

DEPLOYMENT STATUS DASHBOARD

This dashboard only shows data from completed collections of the binary that have
successfully uploaded artifacts. Any deployments in progress will not be represented
in the data totals.

This dashboard includes:

The number of Falcon Forensics uploads that have been received.
Tip: The small number indicates the number of uploads received in the last 24 hours.

Metadata about the Windows hosts. This includes:
Operating systems
Operating system roles, including domain controller, server, and workstation

The number of unique hosts for which collections have been received.
ON THE DEPLOYMENT STATUS DASHBOARD

If Falcon Forensics is not run with administrator permissions, the Admin Run column
will show “FALSE.” Without administrator permissions, what Falcon Forensics can
gather is limited, so treat such collections as incomplete rather than as proof
that an artifact is absent.

At the top of the Unique Hosts section, there is a checkbox, “Non admin,” that can
be engaged to list every host on which Falcon Forensics was not deployed with
Admin permissions.

HOST INFO DASHBOARD


Use this dashboard to drill down on a specific system by hostname.

You can view a breakdown of:

Event logs
Users on the system
Running processes at the time of collection
Netstat information
Network interfaces
Windows services
Shim cache artifacts that have been collected
Link to RTR (Real Time Response) directly to the host

TO USE THIS DASHBOARD:

1. Leave the Company dropdown set to "All"


2. Enter the name of the host you want to search for
3. Leave the FFC Runtime set to "All Collections"
4. Click out of the Hostname field to load your search

QUICK WINS DASHBOARD


The goal of the Quick Wins dashboard panels is to surface high-signal, low-noise
evidence of malicious activity that warrants further investigation, and to pivot
from there to the Host Info dashboard, the Host Timeline dashboard, or event search.

To set up this dashboard, you will need to:

1. Select your company name from the Company drop down. Most likely, you
can leave this at “All.”

2. Select your collection Ingest time. This is set to All time by default.

Note: No data older than 30 days is available, because collected data is
automatically deleted after 30 days by default. Export anything you need to
retain beyond that window.

3. Click in the Panels text box to view a drop down of available panels.

4. Click on as many panels as needed to display them on this dashboard.

Note: Be sure to load one panel at a time.

The Quick Wins Dashboard panels provide a quick way to identify malicious
activity. Additionally, these panels represent techniques that can be used to
analyze and derive value from the Falcon Forensics data and provide hunting
leads that allow you to jump to more information and dive deeper.

QUICK WINS DASHBOARD TIPS

Click on the data in any of the panels to open a search for more information on
the data you specifically clicked on.

On the bottom right corner of each panel, you can click the “Open and search” icon
to open a new window that performs a search for more details.

QUICK WINS DASHBOARD PANELS


Execution from Recycle Bin
Shows evidence of an attacker launching an executable out of the Recycle Bin by
querying Amcache, shim cache, and process listing artifacts. Legitimate software
has no reason to execute from that location.

Filesystem
Shows evidence of potential attacker tools or malware that may still be on disk.
These queries identify executables in suspicious directories, files with
suspicious file extensions, and RAR archives with mismatched extensions, among
other artifacts.

Potential Logon Bypass
Shows potential mechanisms by which an attacker can maintain persistence on a
system. These panels show registry information associated with the abuse of
accessibility features (such as Sticky Keys, sethc.exe, or Utility Manager,
utilman.exe) that attackers hijack to obtain a SYSTEM shell from the logon screen
without credentials.

Known Malware
Shows artifact queries that may uncover evidence of specific malware families or
malicious tools such as Mimikatz and Cobalt Strike.

Windows XP
Shows potentially malicious AT scheduled jobs (the legacy at.exe scheduler, used
by attackers for remote execution and persistence on older systems).

Events
Shows example queries that may be used to uncover malicious activity within the
event log artifacts collected by Falcon Forensics. This panel covers scenarios
where an attacker may have installed a malicious service or started a malicious
process on the system.

Registry
Shows registry artifacts revealing the persistence technique known as Event
Triggered Execution, where an attacker attaches a debugger to an application via
an Image File Execution Options entry so that the attacker's binary runs whenever
the application is launched.

HOST TIMELINE DASHBOARD


The Host Timeline Dashboard displays a host timeline that strings together the
timestamps across many different points of collected artifacts. It also displays
activity across different artifact types that may help you uncover additional
attacker activity within the selected time frame.

To use this dashboard:

1. Set the Company dropdown. You can most likely leave this at "All."

2. You can display data from either one host or multiple hosts. Select Yes in the
Multi System options to display data from multiple hosts.

3. If you are displaying data from only one host, enter your hostname. If you are
displaying data from multiple hosts, enter their hostnames separating each
hostname with a comma.

Note: You can include all hosts by entering * but be mindful that if you do
so, it could load a lot of data. This could be helpful in a situation where an
attacker is pivoting from system to system, running tools.

4. Enter a time of interest to focus on.

5. Select the Span from the drop down to identify how long of a time span
to display.

6. You can opt to Show Queries, if desired.

TIP
This search results in a graphical display of spikes in activity tied to the
Falcon Forensics modules.

Note that not all activity displayed is malicious. Click and drag a box around the
timespan to narrow in on a specific time range of interest. Doing this filters the
data to show only records whose timestamps fall within that period.
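The timeline logic described above, as an added example that is not CrowdStrike's code and not part of the original guide: it merges timestamps from several artifact types for one host, several hosts, or "*", filters to a clicked time range, and buckets the rows by span to expose activity spikes. The field names mirror the Splunk fields used elsewhere in this guide; the TIME_FIELDS mapping and all sample records are constructed for the demo.

```python
# Added example (not CrowdStrike code): a minimal host timeline in the spirit of
# the Host Timeline dashboard. Record field names mirror the Splunk fields used
# elsewhere in this guide (systemname, sourcetype, shim_modified, created,
# timeGenerated); the TIME_FIELDS mapping and all sample records are constructed
# for the demo, not taken from Falcon Forensics output.
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed: which field carries the artifact timestamp for each sourcetype.
TIME_FIELDS = {
    "shim": "shim_modified",
    "mft_files": "created",
    "events": "timeGenerated",
    "jobs": "created",
}

# Constructed sample collection: one workstation with a burst of activity
# around 02:15 UTC, plus a domain controller and a record with no timestamp.
SAMPLE_RECORDS = [
    {"systemname": "WS01", "sourcetype": "shim", "name": "notepad.exe",
     "shim_modified": "2024-03-09 17:00:00"},
    {"systemname": "WS01", "sourcetype": "mft_files", "name": "m.exe",
     "created": "2024-03-10 02:15:03"},
    {"systemname": "WS01", "sourcetype": "shim", "name": "m.exe",
     "shim_modified": "2024-03-10 02:15:11"},
    {"systemname": "WS01", "sourcetype": "events", "eventID": 4624,
     "timeGenerated": "2024-03-10 02:15:40"},
    {"systemname": "WS01", "sourcetype": "jobs", "command": "cmd.exe /c whoami",
     "created": "2024-03-10 02:16:05"},
    {"systemname": "DC01", "sourcetype": "events", "eventID": 7045,
     "timeGenerated": "2024-03-10 02:40:00"},
    {"systemname": "WS01", "sourcetype": "network_dnscache", "name": "example.com"},
]


def parse_ts(value):
    """Parse the 'YYYY-MM-DD HH:MM:SS' strings used in the sample as UTC."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def build_timeline(records, hosts):
    """Return (timestamp, systemname, sourcetype, summary) rows sorted by time.

    hosts is a set of hostnames, or {"*"} to include every host, mirroring the
    dashboard's single-host / multi-host / '*' options. Records whose
    sourcetype has no known timestamp field are skipped.
    """
    rows = []
    for rec in records:
        if "*" not in hosts and rec["systemname"] not in hosts:
            continue
        field = TIME_FIELDS.get(rec["sourcetype"])
        if field is None or not rec.get(field):
            continue
        summary = rec.get("name") or rec.get("command") or str(rec.get("eventID"))
        rows.append((parse_ts(rec[field]), rec["systemname"], rec["sourcetype"], summary))
    rows.sort()
    return rows


def window(rows, start, end):
    """Keep only rows with start <= timestamp < end (the click-and-drag filter)."""
    return [row for row in rows if start <= row[0] < end]


def activity_spikes(rows, span_minutes, threshold):
    """Bucket rows into span_minutes-sized bins; return (bin_start, count) for
    bins holding at least `threshold` artifacts, i.e. the spikes worth a look."""
    counts = Counter()
    seconds = span_minutes * 60
    for ts, *_ in rows:
        # Bins are aligned to the epoch, so each ts maps to the start of its bin.
        bucket = ts - timedelta(seconds=ts.timestamp() % seconds)
        counts[bucket] += 1
    return sorted((b, n) for b, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    ws01 = build_timeline(SAMPLE_RECORDS, {"WS01"})
    for ts, host, kind, what in ws01:
        print(ts.isoformat(), host, kind, what)
    for start, n in activity_spikes(ws01, 15, 3):
        print("spike:", start.isoformat(), n, "artifacts")
```

The file creation (MFT), first execution (shim cache), logon event and scheduled job for WS01 all land in the same 15-minute bin, which is the kind of cluster the dashboard's spike graph is meant to draw your eye to; the domain controller's lone event and the untimestamped DNS cache entry do not distort it.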

SPL (SPLUNK) SEARCH PANEL


Using Falcon Forensics you can leverage the full power of Splunk to customize your
search of the collected Falcon Forensics artifact data.

Here are some specific queries:

RDP Interactive Log Event Successful Only

sourcetype=events (eventID=528 OR eventID=4624) (logontype=10 OR "*Logon
Type:\t\t\t10*") | stats count by logondomain, logonname,
logonprocess, logonsecurityid, networkaddress, timeGenerated

Event ID 528 is the legacy (pre-Vista) successful-logon event and 4624 its
replacement; logon type 10 is RemoteInteractive, i.e. RDP. The quoted term catches
events where the logon type is present only in the raw message text. SPL's implicit
AND binds tighter than OR, so the two logon-type alternatives need their own
parentheses; without them the free-text term would match on its own, regardless of
sourcetype or event ID.

Analyze deleted files - MFT


sourcetype=mft_files inuse=FALSE
name!="" path!="" | stats count by path,name

One or no character file names for extensions bat, cmd, ps1, vbs, and vbe, with
noise reduction

sourcetype=dirlist (name=*.bat OR name=*.cmd OR name=*.ps1 OR name=*.vbs
OR name=*.vbe) | eval file_length=len(name) | where file_length<6 | table
systemname pathname sha256

The parentheses keep sourcetype=dirlist applied to every extension. A name under
six characters with a four-character extension (dot included) leaves room for a
one-character base name or none at all (a.bat, .ps1), a pattern common with
dropped attacker scripts and rare in legitimate software.

Shimcache entries - shim


sourcetype=shim | table systemname controlset index shim_modified shim_exec
path name size attrhex attrstr created accessed modified companyname
filedescription fileversion internalname legalcopyright originalfilename
productname productversion cert_exists cert_verified cert_result
cert_comment cert_signer cert_type md5 sha1 sha256 sid owner domain

Stacking AT job commands


sourcetype=jobs | stats values(systemname) count by command

Network DNS Cache


sourcetype=network_dnscache | table systemname name type value

Running Services on less than 10 machines - services


sourcetype=services state=running | eval name=lower(name) | stats
values(path) values(command) dc(systemname) values(systemname)
values(internalname) values(productname) count by name | where count <
10 | sort count
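The Quick Wins panels and the SPL searches above re-expressed over in-memory artifact records, as an added example that is not CrowdStrike's code and not part of the original guide. It implements four of the checks the guide describes: execution from the Recycle Bin, one-or-no-character script names, stacking of running services to find those on fewer than ten hosts, and successful RDP logons (528 or 4624 with logon type 10). Field names follow the SPL queries in this guide; the "amcache" and "processes" sourcetypes and all sample records are assumptions constructed for the demo.

```python
# Added example (not CrowdStrike code): Quick Wins style checks and the SPL
# searches in this guide re-expressed over in-memory artifact records. Field
# names follow the SPL queries shown (sourcetype, systemname, name, path,
# pathname, state, eventID, logontype, logondomain, logonname, networkaddress);
# the "amcache" and "processes" sourcetypes are assumed, and every sample
# record below is constructed for the demo.
from collections import defaultdict

SCRIPT_EXTS = (".bat", ".cmd", ".ps1", ".vbs", ".vbe")
RECYCLE_MARKERS = ("\\$recycle.bin\\", "\\recycler\\")   # Vista+ and XP bin paths
EXEC_SOURCETYPES = ("shim", "amcache", "processes")       # amcache/processes assumed


def _services(hosts):
    """Constructed: the Print Spooler running on every sample host."""
    return [{"sourcetype": "services", "systemname": h, "name": "Spooler",
             "state": "running", "path": "C:\\Windows\\System32\\spoolsv.exe"}
            for h in hosts]


SAMPLE = _services([f"WS{i:02d}" for i in range(1, 13)]) + [
    {"sourcetype": "shim", "systemname": "WS01", "name": "$RXYZ12.exe",
     "path": "C:\\$Recycle.Bin\\S-1-5-21-1-2-3-1001\\$RXYZ12.exe"},
    {"sourcetype": "shim", "systemname": "WS01", "name": "notepad.exe",
     "path": "C:\\Windows\\System32\\notepad.exe"},
    {"sourcetype": "dirlist", "systemname": "WS02", "pathname": "C:\\Users\\Public",
     "name": "a.bat"},
    {"sourcetype": "dirlist", "systemname": "WS02", "pathname": "C:\\Users\\Public",
     "name": "backup.ps1"},
    {"sourcetype": "dirlist", "systemname": "WS02", "pathname": "C:\\Temp",
     "name": ".ps1"},
    {"sourcetype": "services", "systemname": "WS07", "name": "WinUpdateSvc",
     "state": "running", "path": "C:\\ProgramData\\svc.exe"},
    {"sourcetype": "services", "systemname": "WS02", "name": "winupdatesvc",
     "state": "stopped", "path": "C:\\ProgramData\\svc.exe"},
    {"sourcetype": "events", "systemname": "DC01", "eventID": 4624, "logontype": 10,
     "logondomain": "CORP", "logonname": "svc_backup", "networkaddress": "10.0.0.55"},
    {"sourcetype": "events", "systemname": "DC01", "eventID": 4624, "logontype": 3,
     "logondomain": "CORP", "logonname": "WS01$", "networkaddress": "10.0.0.21"},
    {"sourcetype": "events", "systemname": "FS01", "eventID": "528", "logontype": "10",
     "logondomain": "CORP", "logonname": "jsmith", "networkaddress": "10.0.0.99"},
]


def execution_from_recycle_bin(records):
    """Execution-evidence artifacts whose path lives under a Recycle Bin."""
    return [(r["systemname"], r["path"]) for r in records
            if r["sourcetype"] in EXEC_SOURCETYPES
            and any(m in r.get("path", "").lower() for m in RECYCLE_MARKERS)]


def short_script_names(records):
    """dirlist entries with a script extension and a 0- or 1-character base
    name (len(name) < 6, as in the SPL search), e.g. a.bat or .ps1."""
    return [(r["systemname"], r["pathname"], r["name"]) for r in records
            if r["sourcetype"] == "dirlist"
            and r["name"].lower().endswith(SCRIPT_EXTS)
            and len(r["name"]) < 6]


def rare_running_services(records, max_hosts=10):
    """Stack running services by lower-cased name; return (name, host_count,
    paths) for services seen on fewer than max_hosts hosts, rarest first."""
    stacked = defaultdict(lambda: {"hosts": set(), "paths": set()})
    for r in records:
        if r["sourcetype"] != "services" or r.get("state") != "running":
            continue
        entry = stacked[r["name"].lower()]
        entry["hosts"].add(r["systemname"])
        entry["paths"].add(r.get("path", ""))
    rare = [(name, len(e["hosts"]), sorted(e["paths"]))
            for name, e in stacked.items() if len(e["hosts"]) < max_hosts]
    return sorted(rare, key=lambda t: (t[1], t[0]))


def rdp_logons(records):
    """Successful RemoteInteractive (RDP) logons: legacy event 528 or 4624 with
    logon type 10. IDs may arrive as strings, so normalise before comparing."""
    return [(r["systemname"], r.get("logondomain"), r.get("logonname"),
             r.get("networkaddress"))
            for r in records
            if r["sourcetype"] == "events"
            and int(r.get("eventID", 0)) in (528, 4624)
            and int(r.get("logontype", -1)) == 10]


if __name__ == "__main__":
    print("recycle bin execution:", execution_from_recycle_bin(SAMPLE))
    print("short script names:", short_script_names(SAMPLE))
    print("rare running services:", rare_running_services(SAMPLE))
    print("rdp logons:", rdp_logons(SAMPLE))
```

The service stacking is the least-frequency-of-occurrence idea behind the last SPL search: a service that is running on one host out of twelve is worth a look regardless of its name, and lower-casing the name before counting stops an attacker's mixed-case variant from hiding as a separate entry. The stopped instance on WS02 is deliberately excluded, as the SPL's state=running filter does.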
