Adversaries continue to find new and innovative ways to penetrate an organization’s defenses. Defenders who focus on plugging these holes can find themselves exhausted and frustrated. Hunting for adversarial defense evasion for the purpose of data exfiltration and command-and-control (C2), however, remains a good strategy. Many adversaries leverage tooling to establish C2 or to enable successful data exfiltration, all while evading an organization’s defenses.

In December, CrowdStrike reported that beginning in June 2022, the CrowdStrike Services, CrowdStrike® Falcon OverWatch™ and CrowdStrike Intelligence teams observed an increase in the targeting of telco and BPO industries. CrowdStrike Intelligence attributed this campaign with low confidence to the SCATTERED SPIDER eCrime adversary.

CrowdStrike Falcon® LogScale dashboards are great for monitoring your data with all kinds of visualizations. You can choose between a range of nice charts and arrange your dashboards for wall monitor display or exploring your data. Sometimes, however, you need other ways to explore or present your data. You may want more control of the shape of your data, or you may want to create small tools tailored to your organization’s environment and use cases.

Dynamic link library (DLL) hijacking is frequently written about by defenders due to its applications in evading automated detections. This technique is even more frequently used by adversaries in interactive intrusions. Despite the wealth of literature available to increase defenders’ awareness of DLL hijacking, CrowdStrike® Falcon OverWatch™ threat hunters see adversaries gravitate toward this tradecraft time and again to load malicious code.

In Part 1 of this blog series, we highlighted the benefits of CrowdStrike’s investigative approach and the CrowdStrike Falcon® Real Time Response capabilities for avoiding a significant incident in the first place, and minimizing the damage should an attacker gain entry into your environment. We also explored a range of governance and process-oriented steps that are often left out of technology-centric discussions on incident response preparedness.

This guide will introduce you to Falcon LogScale most commonly-used functions through a series of scenarios. At the end of each scenario, you’ll be asked to consider how these functions could apply to your data — and get the chance to write a few queries yourself. Let’s get started!