Invoke FalconMalQuery - CrowdStrike/psfalcon GitHub Wiki

Invoke-FalconMalQuery

SYNOPSIS

Initiate a Falcon MalQuery YARA hunt, exact search or fuzzy search

DESCRIPTION

Requires 'MalQuery: Write'.

PARAMETERS

Name            Type      Description
YaraRule        String    Schedule a YARA-based search
Type            String    Search pattern type. Allowed: hex, ascii, wide
Value           String    Search pattern value
FilterFiletype  String[]  File type to include with the result. Allowed: cdf, cdfv2, cjava, dalvik, doc, docx, elf32, elf64, email, html, hwp, java.arc, lnk, macho, pcap, pdf, pe32, pe64, perl, ppt, pptx, python, pythonc, rtf, swf, text, xls, xlsx
FilterMeta      String[]  Subset of metadata fields to include in the result. Allowed: sha256, md5, type, size, first_seen, label, family
MinSize         String    Minimum file size specified in bytes or multiples of KB/MB/GB
MaxSize         String    Maximum file size specified in bytes or multiples of KB/MB/GB
MinDate         String    Limit results to files first seen after this date
MaxDate         String    Limit results to files first seen before this date
Limit           Int32     Maximum number of results per request
Fuzzy           Switch    Search MalQuery quickly but with more potential for false positives

None of the parameters accept pipeline input (by value or by property name).

SYNTAX

Invoke-FalconMalQuery [-Type] <String> [-Value] <String> [[-FilterFiletype] <String[]>] [[-FilterMeta] <String[]>] [[-MinSize] <String>] [[-MaxSize] <String>] [[-MinDate] <String>] [[-MaxDate] <String>] [[-Limit] <Int32>] [-WhatIf] [-Confirm] [<CommonParameters>]
Invoke-FalconMalQuery [-YaraRule] <String> [[-FilterFiletype] <String[]>] [[-FilterMeta] <String[]>] [[-MinSize] <String>] [[-MaxSize] <String>] [[-MinDate] <String>] [[-MaxDate] <String>] [[-Limit] <Int32>] [-WhatIf] [-Confirm] [<CommonParameters>]
Invoke-FalconMalQuery [-Type] <String> [-Value] <String> [[-FilterMeta] <String[]>] [[-Limit] <Int32>] -Fuzzy [-WhatIf] [-Confirm] [<CommonParameters>]

REFERENCE

Endpoints

POST /malquery/combined/fuzzy-search/v1
POST /malquery/queries/exact-search/v1
POST /malquery/queries/hunt/v1

falconpy

PostMalQueryExactSearchV1
PostMalQueryHuntV1
PostMalQueryFuzzySearchV1

USAGE

Schedule a YARA search with hunt. Single-quote the rule so PowerShell does not expand YARA string identifiers (such as $a) as variables.

Invoke-FalconMalQuery -FilterFiletype pe32 -MaxSize 1200KB -FilterMeta sha256, label, family -YaraRule 'rule CrowdStrike_16142_01 : wiper { strings: $ = { 41 61 43 63 64 44 65 46 66 47 68 69 4B 4C 6C 4D 6D 6E 4E 6F 4F 70 50 72 52 73 53 54 74 55 75 56 76 77 57 78 79 5A 7A 33 32 2E 5C 45 62 67 6A 48 49 20 5F 59 51 42 3A 22 2F 40 } condition: all of them and filesize < 800KB }'

Search for malware with an exact search

Invoke-FalconMalQuery -FilterMeta sha256, type, size -FilterFiletype pe32, pe64 -MaxSize 1200KB -MinDate 2017/01/01 -Limit 20 -Type hex -Value 8948208b480833ca33f989502489482889782c8bd7

Search for malware with a fuzzy search

Invoke-FalconMalQuery -Limit 3 -Type ascii -Value ".8@bVn7r&k" -Fuzzy
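The hunt and exact-search endpoints above are asynchronous: Invoke-FalconMalQuery schedules the request and the hits are collected afterwards. The following is an added example, not code from the PSFalcon wiki or the PSFalcon project, showing that workflow end to end: a multi-line YARA rule kept in a single-quoted here-string so PowerShell leaves the $a/$b identifiers alone, the hunt submission with file-type, metadata and date filters, and a polling loop using Get-FalconMalQuery until the request finishes. It assumes an authenticated session (Request-FalconToken already run), that the object returned by Invoke-FalconMalQuery exposes the request id as a `reqid` property, and that Get-FalconMalQuery -Id returns an object whose `status` property reads 'inprogress' while running and 'done' or 'failed' afterwards. Those property names are assumptions based on the MalQuery API response shape, not something this page documents; check them against the objects your tenant returns.

```powershell
# Added example, not from the PSFalcon wiki. Assumes Request-FalconToken has already
# created a session. Property names 'reqid' and 'status' are assumptions; verify them
# against the objects returned in your environment.

# Single-quoted here-string: PowerShell performs no variable expansion, so the YARA
# string identifiers $a and $b reach MalQuery exactly as written.
$Rule = @'
rule Example_Hunt_PE_Strings : demo
{
    strings:
        $a = "This program cannot be run in DOS mode"
        $b = { 4D 5A }
    condition:
        $b at 0 and $a and filesize < 1200KB
}
'@

# Schedule the hunt, restricted to PE files first seen on or after 2023/01/01.
$Request = Invoke-FalconMalQuery -YaraRule $Rule -FilterFiletype pe32, pe64 `
    -FilterMeta sha256, label, family, first_seen -MinDate 2023/01/01 -MaxSize 1200KB -Limit 50

# Assumption: the request id is exposed as 'reqid'.
$ReqId = $Request.reqid
if (-not $ReqId) { throw 'Hunt was not scheduled: no request id was returned.' }

# Poll for completion with a 30 second interval and an overall deadline, so an
# unattended script never spins forever on a stuck request.
$Deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 30
    # Assumption: Get-FalconMalQuery -Id returns the request with a 'status' property.
    $Result = Get-FalconMalQuery -Id $ReqId
} while ($Result.status -eq 'inprogress' -and (Get-Date) -lt $Deadline)

switch ($Result.status) {
    'done'   { $Result }
    'failed' { throw "MalQuery request $ReqId failed." }
    default  {
        Write-Warning "Request $ReqId is still '$($Result.status)' after the deadline; rerun Get-FalconMalQuery -Id $ReqId later."
    }
}
```

The deadline matters in practice: MalQuery hunts are quota-limited and can queue for a long time, so a script that loops without a timeout is the usual cause of a hung automation job. The request id survives the loop, so a later Get-FalconMalQuery call can still collect the results.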

2023-04-25: PSFalcon v2.2.5
