Synapse-CrowdStrike User Guide

Synapse-CrowdStrike adds new Storm commands to allow you to query the CrowdStrike API using an existing API client.

Getting Started

Check with your admin to have the required permissions enabled and to find out whether you need a personal API client.

Examples

Setting your personal API client

To set up a personal-use API client:

> crowdstrike.setup.client --self myclientid mysecret
Setting CrowdStrike API client configuration for the current user.

Enrich a node with indicator data

Enrich a node and add tags for labels from CrowdStrike:

> [ hash:md5=3606f3c68ef4312970e2341d0e81170e ] | crowdstrike.indicators.enrich
hash:md5=3606f3c68ef4312970e2341d0e81170e
        .created = 2024/05/08 16:15:06.516
        .seen = ('2024/02/23 14:08:05.000', '2024/02/23 14:08:20.001')
        #rep.crowdstrike.confidence.high
        #rep.crowdstrike.mofksys
        #rep.crowdstrike.threat_type.commodity
        #rep.crowdstrike.threat_type.credentialharvesting
        #rep.crowdstrike.threat_type.informationstealer

Enrich a node and add “related indicators” from CrowdStrike:

> [ hash:md5=a0de1ecd7cb57806e845765b39845f5c ] | crowdstrike.indicators.enrich --add-related | -(_crowdstrike:related)> *
hash:sha256=fffeeca4c3554838dd9ecda03a49495bd69c9f77aaeb780330128ab20e6210cd
        .created = 2024/05/08 16:15:07.403
hash:sha1=8e581d7efca677be4939663ef1e1625d4c17075d
        .created = 2024/05/08 16:15:07.435

Search for indicators

Search for indicators using a filter:

> crowdstrike.indicators.search --malware-family Mofksys --size 2 --yield
hash:sha1=e1d2cdf78e7183bfe402cb0e71f88d119dac596e
        .created = 2024/05/08 16:15:07.863
        .seen = ('2022/03/30 22:08:23.000', '2022/03/30 22:08:50.001')
        #rep.crowdstrike.confidence.high
        #rep.crowdstrike.mofksys
        #rep.crowdstrike.threat_type.commodity
        #rep.crowdstrike.threat_type.credentialharvesting
        #rep.crowdstrike.threat_type.informationstealer
hash:sha256=a9abdb8fcbcb428b1867c3c70c2fa966b75a93403d3b850484bac5d9241d5a93
        .created = 2024/05/08 16:15:07.945
        .seen = ('2022/03/30 22:08:23.000', '2022/03/30 22:08:50.001')
        #rep.crowdstrike.confidence.high
        #rep.crowdstrike.mofksys
        #rep.crowdstrike.threat_type.commodity
        #rep.crowdstrike.threat_type.credentialharvesting
        #rep.crowdstrike.threat_type.informationstealer

Search for indicators using a generic phrase match:

> crowdstrike.indicators.search --size 2 --query ransomware --yield
hash:sha1=95da4919422fe413db71db33ccab28ade9c16ca1
        .created = 2024/05/08 16:15:08.304
        .seen = ('2022/04/30 11:46:40.000', '2022/04/30 11:48:25.001')
        #rep.crowdstrike.confidence.high
        #rep.crowdstrike.mofksys
        #rep.crowdstrike.njratlime
        #rep.crowdstrike.threat_type.commodity
        #rep.crowdstrike.threat_type.credentialharvesting
        #rep.crowdstrike.threat_type.ddos
        #rep.crowdstrike.threat_type.informationstealer
        #rep.crowdstrike.threat_type.keylogger
        #rep.crowdstrike.threat_type.opensource
        #rep.crowdstrike.threat_type.ransomware
        #rep.crowdstrike.threat_type.rat
hash:sha256=a7204b2a44fdf7e25fa41b78f65a6086c5ed597593c69c53e6a29b9e17ff0d68
        .created = 2024/05/08 16:15:08.474
        .seen = ('2022/04/30 11:46:40.000', '2022/04/30 11:48:25.001')
        #rep.crowdstrike.confidence.high
        #rep.crowdstrike.mofksys
        #rep.crowdstrike.njratlime
        #rep.crowdstrike.threat_type.commodity
        #rep.crowdstrike.threat_type.credentialharvesting
        #rep.crowdstrike.threat_type.ddos
        #rep.crowdstrike.threat_type.informationstealer
        #rep.crowdstrike.threat_type.keylogger
        #rep.crowdstrike.threat_type.opensource
        #rep.crowdstrike.threat_type.ransomware
        #rep.crowdstrike.threat_type.rat

Search for reports

Search for reports using a filter:

> crowdstrike.reports.search --target-countries china --size 2 --yield
media:news=3b075f9623440e58a753ba5122371632
        .created = 2024/05/08 16:15:08.867
        :ext:id = 62318
        :published = 2019/07/24 20:26:06.000
        :publisher = e3a6144fac71fd688d0dd556e6f2de7d
        :publisher:name = crowdstrike
        :summary = Public reporting throughout July has indicated1 increased utilization of Rich Text Format (RTF) documents exploiting CVE-2018-0798, a remote code execution (RCE) vulnerability in Equation Editor, to deliver AsyncRAT payloads. AsyncRAT is a fully-featured Remote Access Tool (RAT) whose code was publicly released on GitHub. CrowdStrike Intelligence has identified over 200 RTF doc...
        :title = csa-19929 exploitation of cve-2018-0798 adopted by criminal actors
        :topics = ['asyncrat', 'vulnerabilities']
        :type = crowdstrike.notice.lib.null
        :updated = 2022/01/21 12:40:58.000
        :url = https://falcon.us-2.crowdstrike.com/intelligence/reports/csa-19929-exploitation-of-cve-2018-0798-adopted-by-criminal-actors/
        :url:fqdn = falcon.us-2.crowdstrike.com
media:news=c3457ee1ab861bef1b8a4e100caa7275
        .created = 2024/05/08 16:15:09.570
        :ext:id = 25540
        :published = 2018/08/03 21:07:24.000
        :publisher = e3a6144fac71fd688d0dd556e6f2de7d
        :publisher:name = crowdstrike
        :summary = On 1 August 2018, Chinese state media announced that ZHUANG Rongwen (庄荣文) has been appointed as Director of the Cyberspace Administration of China (CAC), replacing former Director XU Lin (徐麟). ZHUANG is a former deputy CAC minister and a Fujian native who held multiple ministerial positions in the province, making it likely that he caught the eye of President XI Jinping during ...
        :title = csa-18604 zhuang rongwen appointed as china’s new cybersecurity czar following lu wei’s fall from grace; xu lin expected to lead china’s international propaganda department
        :topics = ['political-issues']
        :type = crowdstrike.notice.lib.null
        :updated = 2022/01/21 12:41:26.000
        :url = https://falcon.us-2.crowdstrike.com/intelligence/reports/csa-18604-zhuang-rongwen-appointed-as-chinas-new-cybersecurity-czar-following-lu-weis-fall-from-grace-xu-lin-expected-to-lead-chinas-international-propaganda-department/
        :url:fqdn = falcon.us-2.crowdstrike.com

Search for reports using a generic phrase match, filter by created time, and download the associated PDF:

> crowdstrike.reports.search --size 2 --query ransomware --created (2020-01-01, 2021-01-01) --download-pdf --yield
fileparser parsing sha256: e24af51b9bf598470ecb2d687540c301f5aebd3423771a354616b94067a633c2
WARNING: pdftotext library unavailable, cannot parse PDF for text content
media:news=5ca4b8800cdb321f12ebddfdf87420e2
        .created = 2024/05/08 16:15:10.154
        :ext:id = 103384
        :file = sha256:e24af51b9bf598470ecb2d687540c301f5aebd3423771a354616b94067a633c2
        :published = 2020/11/13 14:42:58.000
        :publisher = e3a6144fac71fd688d0dd556e6f2de7d
        :publisher:name = crowdstrike
        :summary = UPDATE to CSDR-20148: London Borough of Hackney Continues To Experience Fallout From October Cyber Incident                                 12 November || General: The London Borough of Hackney remains unable to provide numerous services due to an unspecified October cyber event, according to media reports.1 Of particular note is Hackney Council’s inability to man...
        :title = csdr-20170 crowdstrike intelligence daily report: day of 11/13/2020
        :topics = ['defacement', 'pointofsale', 'ragnarlocker', 'ransomware']
        :type = crowdstrike.periodic_report.daily
        :updated = 2022/01/21 12:35:32.000
        :url = https://falcon.us-2.crowdstrike.com/intelligence/reports/csdr-20170-crowdstrike-intelligence-daily-report-day-of-11-13-2020/
        :url:fqdn = falcon.us-2.crowdstrike.com

Search for actors

Search for actors using a filter:

> crowdstrike.actors.search --origins china --size 2 --yield
risk:threat=f7512b7b69b40455e6a0abeef977c315
        .created = 2024/05/08 16:15:15.221
        :active = ('2014/01/02 00:00:00.000', '2016/07/02 00:00:00.001')
        :country = f16c7b05768d0a6baeb6bc010a283612
        :country:code = cn
        :desc = WICKED SPIDER is a suspected China-based adversary that appears to conduct exploitation operations as a group-for-hire service. This adversary was observed exploiting a number of Asian gaming companies and stealing code-signing certificates for use in future malicious activity using malware known as Winnti.  Following a shift in targeting from the gaming to the engineering sector along with different malware variants, CrowdStrike splintered off activity suspected to be more in line with traditional state-sponsored espionage which CrowdStrike terms WICKED PANDA. There are significant overlaps between WICKED SPIDER and WICKED PANDA, which may indicate shared infrastructure and resources or potential contractors working with multiple Chinese government agencies. The recent targeting against gaming companies is still suspected to be criminal in nature and continues to be tracked under as WICKED SPIDER. As previously reported, this criminal activity is believed to have extensive ties to the Chinese underground.
        :org:name = wickedspider
        :org:names = ['apt-22', 'lead', 'winnti']
        :reporter = e3a6144fac71fd688d0dd556e6f2de7d
        :reporter:discovered = 2014/01/22 18:53:30.000
        :reporter:name = crowdstrike
        :sophistication = medium
        :tag = rep.crowdstrike.wickedspider
        :type = crowdstrike.ecrime
risk:threat=66386ec4cf439ffba9d5192482a17ff9
        .created = 2024/05/08 16:15:15.951
        :active = ('2013/04/22 18:31:00.000', '2021/04/02 00:00:00.001')
        :country = f16c7b05768d0a6baeb6bc010a283612
        :country:code = cn
        :desc = KEYHOLE PANDA is a China-nexus adversary that has targeted a variety of western business interests, as well as government, defense and manufacturing sector entities since at least 2007 with variants of the Comfoo Remote Access Tool (RAT). Open source reports on this adversary also indicate targeting of Chinese dissident groups with malware aimed at the Mac OS X platform. In 2016, KEYHOLE PANDA was observed leveraging a variant of the Comfoo RAT, known as ComfooRSA, that uses strong cryptography—albeit in a flawed manner—to secure its Command-and-Control (C2) channel. Sparse industry reporting throughout 2019 and 2020 indicated KEYHOLE PANDA was active, however, CrowdStrike Intelligence cannot corroborate this information. Industry reporting indicated KEYHOLE PANDA utilized Pulse Connect Secure vulnerabilities throughout 2019. In  2020, industry reporting described them as being active against the IT sector.  Recent Activity In April 2021, industry reporting described exploitation of Pulse Connect Secure (PCS) devices by China-nexus actors including a group referred to as UNC2630 which suggested a link to KEYHOLE PANDA. Additional sensitive-source reporting also described KEYHOLE PANDA as participating in the PCS exploitation. CrowdStrike Intelligence assesses, with low confidence, at least some of this PCS exploitation and follow-on activity was carried out by KEYHOLE PANDA. This activity included the modification of multiple legitimate Perl scripts and ELF binaries within PCS environments designed to provide persistence across system updates, harvest credentials, and allow access via web shell backdoors. They were also reported to be accessing compromised PCS devices via other compromised residential or small business devices and IP address space.
        :goals = ['016d4c29e897786f791584b52c27207d', '593c3827a2856bc6bb0a719afd0e33be']
        :org:name = keyholepanda
        :org:names = ['apt5', 'bronze fleetwood', 'comfoo', 'dpd', 'manganese', 'mulberry typhoon', 'poisoned flight', 'temp.bottle', 'tg-2754']
        :reporter = e3a6144fac71fd688d0dd556e6f2de7d
        :reporter:discovered = 2013/04/22 18:31:21.000
        :reporter:name = crowdstrike
        :sophistication = high
        :tag = rep.crowdstrike.keyholepanda
        :type = crowdstrike.targeted

Use of meta:source nodes

Synapse-CrowdStrike uses a meta:source node and -(seen)> lightweight edges to track the nodes observed from the CrowdStrike API.

> meta:source=5655c2c89323efde9a9166190c8e24f3
meta:source=5655c2c89323efde9a9166190c8e24f3
        .created = 2024/05/08 16:15:06.670
        :name = crowdstrike api

Storm can be used to include or exclude nodes based on whether they have been observed by Synapse-CrowdStrike. The following example filters the results of a query to include only nodes observed by Synapse-CrowdStrike:

> risk:threat +{ <(seen)- meta:source=5655c2c89323efde9a9166190c8e24f3 } | limit 2
risk:threat=1e1bd4de2fb7221db698c0f941e4119b
        .created = 2024/05/08 16:15:09.228
        :org:name = goblinpanda
        :reporter = e3a6144fac71fd688d0dd556e6f2de7d
        :reporter:name = crowdstrike
        :tag = rep.crowdstrike.goblinpanda
risk:threat=3ac11babc1f3a83a0b6abbb7f1d24081
        .created = 2024/05/08 16:15:09.346
        :org:name = emissarypanda
        :reporter = e3a6144fac71fd688d0dd556e6f2de7d
        :reporter:name = crowdstrike
        :tag = rep.crowdstrike.emissarypanda
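Combining the enrichment and the meta:source filtering shown above, here is an added Storm example (not from the Synapse-CrowdStrike documentation) that enriches only the hash:md5 nodes the Cortex has not yet seen from CrowdStrike, then keeps the high-confidence hits and walks their related indicators. It assumes the meta:source guid from the example above; the guid differs per Cortex.

```storm
// Added example, not part of the Synapse-CrowdStrike docs.
// Lift every hash:md5 node in the Cortex.
hash:md5
// Skip nodes already linked to the CrowdStrike meta:source by a -(seen)> edge,
// so previously enriched hashes do not cost another API query.
-{ <(seen)- meta:source=5655c2c89323efde9a9166190c8e24f3 }
// Query the API and add related indicators as -(_crowdstrike:related)> edges.
| crowdstrike.indicators.enrich --add-related
// Keep only indicators CrowdStrike labelled with high confidence.
| +#rep.crowdstrike.confidence.high
// Walk the related-indicator edges and dedupe the resulting nodes.
| -(_crowdstrike:related)> * | uniq
```

Replace `-{ ... }` with `+{ ... }` to invert the filter and re-enrich only hashes already observed from CrowdStrike.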