CS-MalQuery — Part 1

Github: https://github.com/securethelogs/Powershell/blob/master/CrowdStrike/CS-MalQuery.ps1

The MalQuery API from CrowdStrike helps their customers validate if the protection is there for a certain IOCs. Nowadays, we are bombarded with IOCs and because there are so many, for some, skimming through and extracting what they can block is more efficient than reading them all. Sometimes it’s good to see the tick on the screen and the MalQuery API helps with that.

To use the Falcon API, you will need to have a subscription to the service. If you don’t, you can use the Public API from Hybrid-Analysis (Also Falcon Sandbox) however the DB isn’t as vast. I’ve found the returns are poor, not in richness, but quantity.

It’s worth noting someone has put the time in creating a Powershell Module called PSFalcon, however if you’re like me, you like to learn by doing.

CS-MalQuery is the script I put together. I will break it down below just in case someone finds it helpful.

To begin, you will need to get your API credentials from your portal. See CrowdStrikes docs for more info.

Once you are good, add them in here:

The next part is how to request a token from the portal, as unlike the Hybrid-Analysis API, you don’t push your secret/key each time. For Falcon, you generate a token and pass this on each request.

Instead of using cURL, we can use Invoke-RestMethod and build our parameters. It’s worth noting that you can do this multiple ways, so don’t think this is it. This is totally doable in a one-liner.

The $token line uses the try and catch commands as if the user enters the keys in wrong, I wanted it to flag and stop the script. You don’t need to do this but sometimes it helps.

The next part is to get the list of sha256 hashes to check and validate the path is correct. The Hybrid-Analysis API allows md5, Sha1 and Sha256 however the MalQuery API seems limited to Sha256. There are online converters but it is a bit restrictive…

We then populate the results into an array ($hashbrowns) and start a foreach loop:

For every hash, we query MalQuery to see if it’s listed. If it is, we populate the $results array with the information, else we make the user know it might not be there. Once finished, we present the data in a table format:

There is a lot of code here and most are just to validation checks to allow it to run smoothly. You can build your script out to complete whatever tasks is needed; should you want to do so. If don’t want to, simply use mine:

  • Download the PS1 file.
  • Edit and insert your API key and clientID.
  • Create a text file with the listed SHA256 hashes you are wanting to query.
  • Run the script and enter the file location.

If you are on a different tenant, you may need to update the URI listed.

If you are wanting to bolster your script, you can incorporate the Hybrid-Analysis API as well. An example of the data you can retrieve:

It does seem to match less hashes however within the same call, it can return more information. Perhaps it would be worth to run the two within the same script to bridge any gaps.

Anyone can get the API key with a free account however as always there are limits.

Once you’ve created your account, got to your profile and generate a key.

More to come ….


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Create a website or blog at WordPress.com

%d bloggers like this: