Searching for processes

[PeterNaudus]

Greetings! I'm sure this is a super basic question, so feel free to tell me to RTFM :)

I'm trying to find all the cmd.exe and powershell.exe processes that have been launched in the last last month for the machines in my network.

Which API call would I used for that? I tried reading the manual, but I didn't see any general querying API.

[jshcodes]

Hi @PeterNaudus -

This might be easier to pull off using the Falcon console's Events Search (you could even schedule it to run periodically). This can be found under Investigate in the console menu.

You could start with a query like this

event_simpleName=ProcessRollup2 FileName IN ("cmd.exe" "powershell.exe") 
NOT GrandParentBaseFileName IN () 
NOT CommandLine IN ()
| table ComputerName GrandParentBaseFileName FileName CommandLine

and adjust the values on the NOT lines to additionally filter out standard / baseline activity (or you can reverse the logic and look for specific behaviors leveraging cmd.exe or powershell.exe).

At this point in time, you cannot recreate this exact functionality with available public API service collections.

If you need to use the API and Python to perform this kind of hunting, you might check out the IOC and RTR service collections. Neither are an exact match to the functionality provided via Event Search but could be used to produce somewhat similar results. (With API specific caveats and restrictions. Example: Creating a custom IOC would generate a custom detection for each match, this could be extremely noisy. Leveraging RTR would require your connecting to the target host to pull this detail.)

[PeterNaudus]

Awesome, thanks so much @jshcodes :)

[jshcodes]

I should have mentioned there might be some useful detail for this in the Custom IOA service collection as well. 😄