I would like to be able to run Crowdstrike Falcon RTR commands as part of triage workflows or even ad hoc commands via chat-ops.
As part of an automated triage workflow for Falcon detection events:
- after notifications, setting up case in ticketing/case mgmt systems, etc…
- run/capture “pslist”, “ipconfig” and “netstat” at beginning of triage to avoid losing ephemeral evidence.
- contain the host (after collecting network/process data).
Automatically, optionally or by analyst request
- run/capture “ls” for folders where suspect processes wrote data to disk.
- run/capture “filehash” on files written by suspect processes.
- collect hash reputation data from VT or other like services
- collect IP reputation for external targets - might need to set limits to exclude browsers/processes with huge lists of IPs
- “get” the written/suspect files/evidence.
- memory dump collection, after confirming sufficient disk space to do so.
As the results might be too large for a chat response, some could maybe be included as attachments, others might be directed to the ticketing/case mgmt. system.
Other use cases:
- ad hoc run any of the built in commands and gather output
- run cloud staged scripts, or an ad hoc PS script/or command
- “put” an IR tool or script on the remote device, run that tool and “get” the results.
- “get” malware artifacts
- “rm” files/malware artifacts
- export log files
- ad hoc actions, including triage workflows on batch lists of devices
The announcement of Falcon Forensics may make some or all of this moot depending on how that unfolds. Nonetheless, the ability to quickly enrich case details, respond to detections, and automate certain recovery actions should speed triage, incident response, and time to resolution.
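The automated triage sequence described in the post (volatile data first, then containment, then folder listing / hashing / reputation / retrieval of files the suspect process wrote, then a memory dump gated on free disk, with small output going to chat and large output to the case) as an added, runnable example. This is not code from the post, from CrowdStrike, or from any SOAR product: the `rtr` transport interface, the `FakeRTR` host, all sample command output, the 800-byte chat limit, the 10-IPs-per-process cap, the 16 GB memdump threshold and the `demo_reputation` verdicts are this example's own assumptions. A real run would back the three `rtr` methods with the Falcon RTR and Hosts APIs (for instance via the FalconPy SDK); the example issues RTR's built-in `ps` for the process list, and `memdump` is an RTR admin command on the real platform.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List

CHAT_LIMIT = 800          # assumed: bytes allowed inline in a chat reply; larger output is attached to the case
MAX_IPS_PER_PROCESS = 10  # assumed: cap on reputation lookups per process (browsers talk to hundreds of hosts)
MEMDUMP_MIN_FREE_GB = 16  # assumed: skip memdump unless this much disk is free on the host
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]
SAMPLE_SHA256 = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"  # constructed value


@dataclass
class TriageReport:
    actions: List[str] = field(default_factory=list)           # ordered audit trail of what ran
    chat: Dict[str, str] = field(default_factory=dict)         # small outputs, inline in the chat reply
    attachments: Dict[str, str] = field(default_factory=dict)  # large outputs, pushed to the case
    reputation: Dict[str, str] = field(default_factory=dict)   # IP or SHA256 -> verdict
    truncated_pids: List[int] = field(default_factory=list)    # processes whose peer list hit the cap
    contained: bool = False

    def route(self, name: str, output: str) -> None:
        (self.chat if len(output.encode()) <= CHAT_LIMIT else self.attachments)[name] = output


def external_ips_by_pid(netstat_output: str) -> Dict[int, List[str]]:
    """Parse netstat-style rows 'proto local foreign [state] pid' into pid -> external peer IPs."""
    result: Dict[int, List[str]] = {}
    for parts in (line.split() for line in netstat_output.splitlines()):
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP") or not parts[-1].isdigit() \
                or (parts[0] == "TCP" and (len(parts) < 5 or parts[3] != "ESTABLISHED")):
            continue          # header lines, listeners and half-open sockets carry no peer worth enriching
        try:
            addr = ipaddress.ip_address(parts[2].rsplit(":", 1)[0].strip("[]"))
        except ValueError:    # "*", hostnames
            continue
        if not any(addr in net for net in INTERNAL_NETS):
            result.setdefault(int(parts[-1]), []).append(str(addr))
    return result


def triage(host_id: str, rtr, written_files: List[str], reputation: Callable[[str], str],
           contain: bool = True) -> TriageReport:
    """rtr needs run(host_id, command) -> str, contain(host_id) -> bool and free_disk_bytes(host_id) -> int."""
    r = TriageReport()

    def step(command: str) -> str:
        out = rtr.run(host_id, command)
        r.actions.append(command)
        r.route(command, out)
        return out

    for cmd in ("ps", "ipconfig"):       # 1. volatile evidence first ('ps' is RTR's process list)
        step(cmd)
    netstat = step("netstat")
    if contain:                          # 2. contain only once the network snapshot is captured
        r.contained = rtr.contain(host_id)
        r.actions.append("contain")
    for pid, ips in external_ips_by_pid(netstat).items():   # 3. peer reputation, capped per process
        if len(ips) > MAX_IPS_PER_PROCESS:
            r.truncated_pids.append(pid)
        for ip in ips[:MAX_IPS_PER_PROCESS]:
            r.reputation.setdefault(ip, reputation(ip))
    for path in written_files:           # 4. list the folder, hash, enrich, then retrieve the file
        step("ls " + path.rsplit("\\", 1)[0])
        for line in step(f"filehash {path}").splitlines():
            if line.upper().startswith("SHA256"):
                digest = line.split(":", 1)[1].strip().lower()
                r.reputation[digest] = reputation(digest)
        step(f"get {path}")
    if rtr.free_disk_bytes(host_id) >= MEMDUMP_MIN_FREE_GB * 1024 ** 3:   # 5. memdump (RTR admin) needs room
        step("memdump")
    else:
        r.actions.append("memdump-skipped")
    return r


class FakeRTR:
    """Constructed sample host so the workflow runs offline; every output below is made up."""
    def __init__(self, free_gb: float = 40.0):
        self.free, self.commands = int(free_gb * 1024 ** 3), []
        browser = "".join(f"  TCP    10.0.0.5:{51400 + i}    198.51.100.{i}:443    ESTABLISHED  2212\n"
                          for i in range(1, 16))                # a browser, pid 2212, with 15 peers
        self.netstat = ("  Proto  Local Address     Foreign Address     State        PID\n"
                        "  TCP    0.0.0.0:445       0.0.0.0:0           LISTENING    4\n"
                        "  TCP    10.0.0.5:51234    203.0.113.7:443     ESTABLISHED  4120\n"
                        "  TCP    10.0.0.5:51240    203.0.113.9:8443    ESTABLISHED  4120\n"
                        "  TCP    10.0.0.5:51301    10.0.0.20:445       ESTABLISHED  4\n" + browser)

    def run(self, host_id: str, command: str) -> str:
        self.commands.append(command)
        base = command.split()[0]
        return {"ps": "  PID  Name\n    4  System\n 2212  browser.exe\n 4120  update_helper.exe\n",
                "ipconfig": "   IPv4 Address . . . : 10.0.0.5\n", "netstat": self.netstat,
                "filehash": f"SHA256: {SAMPLE_SHA256}\n", "ls": "Directory of C:\\Users\\Public\\tmp\n  loader.dll\n",
                }.get(base, f"{base} queued\n")                   # get / memdump just acknowledge

    def contain(self, host_id: str) -> bool: return True
    def free_disk_bytes(self, host_id: str) -> int: return self.free


def demo_reputation(indicator: str) -> str:   # stand-in for VT or similar; constructed verdicts
    return "malicious" if indicator.startswith("203.0.113.") or indicator == SAMPLE_SHA256 else "clean"


def run_demo(free_gb: float = 40.0):
    fake = FakeRTR(free_gb)
    return triage("host-01", fake, ["C:\\Users\\Public\\tmp\\loader.dll"], demo_reputation), fake
```

`run_demo()` returns the report and the fake host; with 40 GB free the audit trail ends in `memdump`, with 4 GB it ends in `memdump-skipped`, the browser's 15 peers are cut to 10 and pid 2212 is flagged in `truncated_pids`, and the 1.4 KB netstat output lands in `attachments` while the short `ps` listing stays in `chat`. The ordering guarantee the post asks for (network and process data before containment) is simply the order of `step` calls in `triage`, which is why the audit trail is recorded as a list rather than a set.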