Replies: 1 comment
-
Apparently, you can leverage this OOTB ESCU correlation search and modify it to increase the risk score based on the number of related alerts.
-
A use case from the Queen of RBA herself - @7thdrxn
Create one Correlation Search for all CrowdStrike custom alerts (IOAs that are heavily tuned) for all of those recon commands:
Depending on fidelity, most of these should be set to zero risk, or if they aren't that noisy then 15-25 or so by themselves.
Then, have your correlation search go over the risk index, and count those. For 1-3 do not assign additional risk. For 4-6 maybe add 30-40 to risk. If it finds more than 7, just fire an alert.
There may be some additional tuning necessary for particular devices/users that are an exception, but otherwise this is a pretty reliable weirdness finder.