The CrowdStrike Query Language (CQL) allows hunters to perform granular filtering of telemetry to isolate specific behaviors. In this query, the initial statement targets #event_simpleName=UserLogon, which records every time a user authenticates to a host. The filter RemoteAddressIP4=* ensures the query only looks at logons that involve a network component (remote logons), as local console logons typically do not have a remote IP associated with them.

The core logic of the query is the !cidr function. By listing the standard private and non-routable IP ranges (10/8, 172.16/12, 192.168/16, etc.) and applying the logical NOT operator (!), the query effectively strips away all "noise" from the internal network. What remains are logons originating from external IP addresses . The final pipe to ipLocation is used to add geographic context to these external sources. This type of search is fundamental to Hunting Methodology when looking for evidence of credential theft or external actors moving into the environment. While a similar search could be performed for NetworkConnectIP4 events, focusing on UserLogon specifically identifies successful (or attempted) authentication, which is a much higher-value indicator of a potential breach than simple network traffic. Understanding how to exclude internal subnets is a mandatory skill for any Falcon Hunter to avoid being overwhelmed by legitimate internal administrative traffic.

Identifying an enterprise-wide file infection requires a hunter to look past simple file names, which adversaries often randomize or mask to evade basic detection. The most effective Hunting Methodology for this scenario is to focus on the file's unique cryptographic hash (MD5, SHA256). Even if an attacker renames a malicious binary (e.g., from malware.exe to svchost.exe) to blend into different environments, the hash remains identical.

By utilizing CrowdStrike Query Language (CQL) in the Event Search or LogScale environments, a hunter can search for a known malicious hash across all ProcessRollup2 and ImageHash events. This allows the analyst to see every instance where that specific file has appeared, regardless of the local file name or path. This technique is particularly powerful for identifying "Polymorphic" behavior where the filename changes but the core payload stays the same. While monitoring alerts (Option A) is reactive and host dashboards (Option B) are localized, hash-based hunting provides a global, enterprise-wide perspective. This ensures that the hunter can identify every single "infected" host, including those where the malware may be dormant or where a local detection has not yet been triggered, enabling a comprehensive and simultaneous remediation effort across the entire organization.

This command is a textbook example of a multi-stage, fileless attack using "Living off the Land" (LotL) techniques. In Detection Analysis , the presence of WmiPrvSE.exe (WMI Provider Host) as the parent process is a significant indicator of Lateral Movement (T1021.006), suggesting the command was triggered remotely via WMI. The command-line arguments use Net.WebClient to perform a "DownloadString" operation, which pulls the Invoke-Shellcode.ps1 script directly from a GitHub repository into memory without ever writing the file to disk.

The IEX (Invoke-Expression) cmdlet then executes that script in memory. The final part of the string, Invoke-Shellcode -Payload windows/meterpreter/reverse_http, specifically instructs the script to deploy a Meterpreter payload—a common component of the Metasploit Framework. This payload is configured to establish a reverse shell back to the attacker-controlled IP address (172.17.0.21) on port 8080. The use of -Windowstyle Hidden and -noprofile ensures the activity is invisible to the end-user and bypasses local profile configurations. For a Falcon Hunter, this represents a critical, high-severity detection. The investigation must focus on how the attacker gained the credentials necessary to trigger WMI and identifying which other hosts in the environment have had similar "DownloadString" events associated with the same internal IP.

In the context of Hunting Analytics , identifying the exploitation of CVE-2021-44228 (Log4j) requires looking for specific patterns associated with the Java Naming and Directory Interface (JNDI). The vulnerability allows an attacker to send a specially crafted string—often via an HTTP header or input field—that the Log4j library then parses and executes, leading to a remote JNDI lookup and subsequent code execution.

The event #event_simpleName=ScriptControlDetectInfo is particularly effective for this hunt because it provides visibility into the actual scripts and commands being interpreted and executed by the system. By searching the ScriptContent field for the regex /.*jndi:\w{1,5}:?\}?\/\/.*\}/i, a hunter can identify the tell-tale signature of a Log4j exploit payload, such as ${jndi:ldap://...}. While Option B targets the HttpRequestHeader, this requires specific network-level visibility that might not always be present or indexed in the same way as script execution telemetry. The ScriptControlDetectInfo event captures the payload when it interacts with the underlying system's script engines, providing a more definitive link between the exploit attempt and the resulting malicious activity on the Linux host. Using this granular level of visibility allows hunters to distinguish between a simple probe (network level) and an active exploitation attempt where the malicious string is being processed by the application's runtime environment.

In the context of Search and Investigation Tools , tracking the use of unauthorized or unencrypted USB storage devices is a critical component of internal threat hunting and data loss prevention (DLP). The Falcon sensor records these hardware interactions using the specific event name RemovableMediaVolumeMounted . This event is triggered whenever the operating system successfully mounts a removable storage volume, such as a USB flash drive or an external hard disk.

Option A is the correct CrowdStrike Query Language (CQL) syntax because it pairs the appropriate event with fields that provide meaningful forensic context. Fields like VolumeDriveLetter identify which logical drive was assigned (e.g., E: or F:), while VolumeFileSystemDevice and VolumeFileSystemDriver offer technical details about the hardware interface and the driver utilized to facilitate the mount.

Conversely, Option B selects fields that are relevant to process execution and network connectivity (like hashes and IP addresses), which are not typically populated in a volume mount event. Option C focuses on ProcessRollup2 , which tracks the starting of executables rather than hardware mounts. Option D utilizes FsVolumeMounted, which is a broader event that includes internal fixed partitions and network drives, making it less precise for hunting specifically for "removable" media. By utilizing the query in Option A, a hunter can build a timeline of when external devices were connected to the environment, allowing them to correlate these mounts with subsequent file writes or "Exfiltration" behaviors.

In proactive Hunting Methodology , the context of an execution is just as critical as the command itself. The provided process tree (winlogon - > userinit - > explorer - > powershell_ise) indicates a standard interactive user session where the user manually opened the PowerShell ISE. Because the account belongs to the IT department and the activity occurred during normal working hours , there is a high probability that this is authorized administrative testing or troubleshooting.

Jumping straight to an RTR session or marking the event as a True Positive without investigation could lead to unnecessary business disruption. Conversely, marking it as a False Positive immediately is dangerous, as attackers often "live off the land" using IT credentials. The correct Hunter approach is to expand the investigation window—typically a +/- 10-minute search —to see what happened immediately before and after the command. This helps determine if the script was part of a larger, unexplained chain of events. Contacting the user to verify the activity is a standard "sanitized" inquiry in a professional environment. If the user confirms they were testing a bypass for a legitimate deployment, the event can be tuned. If they deny knowledge, the investigation escalates to a full incident response. This balance of technical telemetry and human verification is a core tenant of the Falcon Hunter's workflow.

In the context of the MITRE ATT & CK Framework , the creation of a scheduled task is a quintessential technique within the Persistence tactic (specifically T1053). Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their flow. By scheduling a task to execute a remote management application, the attacker ensures that their connection to the compromised host is maintained automatically without requiring manual re-exploitation.

Within the Falcon platform, hunters monitor for this behavior by analyzing events such as ScheduledTaskRegistered or process executions originating from taskeng.exe or schtasks.exe. While scheduled tasks can occasionally be used for Privilege Escalation (if the task runs with SYSTEM privileges) or Execution , the primary goal of creating a permanent task for a management application is to ensure long-term, stable access to the environment. Effective hunting methodology involves pivoting from the detection of a new scheduled task to identifying the source process that created it. This allows the analyst to determine if the task was part of a legitimate administrative action or an unauthorized persistence mechanism designed to facilitate further malicious activity, such as data exfiltration or internal reconnaissance.

==========