The examples in this folder focus on leveraging CrowdStrike's MalQuery API to perform threat hunting operations.
Downloads a specified number of examples from MalQuery that match the search term and type you specify.
Results are written to a zip archive protected with the password `infected`.
Warning
Samples downloaded from MalQuery have been confirmed as malware. Handle with extreme caution.
In order to run this demonstration, you will need access to CrowdStrike API keys with the following scopes:
| Service Collection | Scope |
|---|---|
| MalQuery | READ, WRITE |
This example accepts the following input parameters.

| Parameter | Purpose |
|---|---|
| -t, --type | Type of pattern for the query. Select from ASCII, HEX, or WIDE. Defaults to ASCII. |
| -v, --value | The value for MalQuery to search. |
| -f, --file | Filename to save the downloaded samples to. The file will be in zip format. |
| -e, --examples | Number of examples to download. Integer only. |
| -k, --key | Your CrowdStrike Falcon API Client ID. |
| -s, --secret | Your CrowdStrike Falcon API Client Secret. |
The following command downloads 3 trickbot samples from MalQuery:

```shell
python3 malqueryinator.py -v trickbot -f samples.zip -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -e 3
```

Command-line help is available using the -h or --help parameters.
```shell
% python3 malqueryinator.py -h
usage: malquery.py [-h] [-t TYPE] -v VALUE -f FILE [-e EXAMPLES] -k KEY -s SECRET

Malquerinator

optional arguments:
  -h, --help            show this help message and exit
  -t TYPE, --type TYPE  Type of pattern for the malware query: ascii, hex, or wide
  -v VALUE, --value VALUE
                        Value for malware query of type determined by --t/--type arg
  -f FILE, --file FILE  Name of file to write to
  -e EXAMPLES, --examples EXAMPLES
                        Number of examples to download
  -k KEY, --key KEY     Falcon API Client ID
  -s SECRET, --secret SECRET
                        Falcon API Client secret
```

The source code for this example can be found here.
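The sequence the sample automates (exact search, poll the request until it is done, bundle the matching SHA-256s into one password-protected zip) is shown below as an added example; it is not the sample's own code. The FalconPy `MalQuery` method names used (`exact_search`, `get_request`, `samples_multidownload`, `get_samples`) are the ones the service class exposes as far as this editor knows, but the response shapes relied on (`body.meta.reqid`, `body.meta.status`, `body.resources[].sha256`, `get_samples` returning the zip itself) are assumptions to confirm against the FalconPy documentation. `FakeMalQuery` is a constructed stand-in so the flow runs offline; the example also adds the check a practitioner wants after the warning above: hash every member of the archive in memory, without extracting live malware to disk, and confirm the archive contains exactly the hashes MalQuery reported.

```python
"""Added example, not the sample's own code.  The MalQuery method names and
response shapes below are assumptions to verify against the FalconPy docs."""
import hashlib
import io
import time
import zipfile

ARCHIVE_PASSWORD = b"infected"          # password on the zip the sample writes
PATTERN_TYPES = ("ascii", "hex", "wide")


def build_patterns(pattern_type, value):
    """Build the MalQuery `patterns` list, rejecting bad input before any API call."""
    ptype = pattern_type.lower()
    if ptype not in PATTERN_TYPES:
        raise ValueError(f"type must be one of {PATTERN_TYPES}, got {pattern_type!r}")
    if ptype == "hex":
        bytes.fromhex(value)            # ValueError on odd length or non-hex characters
    return [{"type": ptype, "value": value}]


def wait_for_request(client, request_id, poll_seconds=5.0, timeout_seconds=600.0):
    """Poll get_request() until MalQuery reports the request done; return its resources."""
    deadline = time.monotonic() + timeout_seconds
    while True:
        body = client.get_request(ids=request_id)["body"]     # assumed response shape
        status = body.get("meta", {}).get("status")
        if status == "done":
            return body.get("resources", [])
        if status == "failed":
            raise RuntimeError(f"MalQuery request {request_id} failed")
        if time.monotonic() >= deadline:
            raise TimeoutError(f"MalQuery request {request_id} still {status!r}")
        time.sleep(poll_seconds)


def download_samples(client, pattern_type, value, examples=3, poll_seconds=5.0):
    """Search, wait, then fetch the matches as one zip. Returns (sha256 list, zip bytes)."""
    search = client.exact_search(patterns=build_patterns(pattern_type, value), limit=examples)
    if search["status_code"] != 200:
        raise RuntimeError(f"exact_search failed: {search['body'].get('errors')}")
    matches = wait_for_request(client, search["body"]["meta"]["reqid"], poll_seconds)
    hashes = [m["sha256"] for m in matches][:examples]   # only what MalQuery reported
    if not hashes:
        return [], b""
    bundle_id = client.samples_multidownload(samples=hashes)["body"]["meta"]["reqid"]
    wait_for_request(client, bundle_id, poll_seconds)
    archive = client.get_samples(ids=bundle_id)
    # Assumed: get_samples returns the zip itself, either raw or wrapped in "body".
    return hashes, (archive["body"] if isinstance(archive, dict) else archive)


def hash_archive_members(zip_bytes, password=ARCHIVE_PASSWORD):
    """SHA-256 each member while streaming it from memory; nothing touches disk."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            h = hashlib.sha256()
            with zf.open(info, pwd=password) as member:   # pwd only used if encrypted
                for chunk in iter(lambda: member.read(1 << 16), b""):
                    h.update(chunk)
            digests[info.filename] = h.hexdigest()
    return digests


def missing_samples(zip_bytes, expected_hashes):
    """Hashes MalQuery reported that are not actually present in the archive."""
    return sorted(set(expected_hashes) - set(hash_archive_members(zip_bytes).values()))


class FakeMalQuery:
    """Constructed offline stand-in; answers in the assumed shapes, never calls the API."""

    def __init__(self, samples):
        self.samples = samples          # {sha256: bytes} of constructed, harmless blobs
        self.polls, self.requested = {}, []

    def exact_search(self, patterns, limit):
        return {"status_code": 200, "body": {"meta": {"reqid": "search-req"}}}

    def get_request(self, ids):
        # First poll answers "inprogress", the next "done", so the loop really loops.
        n = self.polls[ids] = self.polls.get(ids, 0) + 1
        resources = [{"sha256": h} for h in self.samples] if ids == "search-req" else []
        return {"status_code": 200,
                "body": {"meta": {"status": "done" if n > 1 else "inprogress"},
                         "resources": resources}}

    def samples_multidownload(self, samples):
        self.requested = list(samples)
        return {"status_code": 200, "body": {"meta": {"reqid": "bundle-req"}}}

    def get_samples(self, ids):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:   # unencrypted stand-in for the real zip
            for h in self.requested:
                zf.writestr(h, self.samples[h])
        return buf.getvalue()


def demo():
    """Run the flow against FakeMalQuery; returns (hashes, member digests, missing)."""
    blobs = [b"constructed sample one", b"constructed sample two", b"constructed sample three"]
    fake = FakeMalQuery({hashlib.sha256(b).hexdigest(): b for b in blobs})
    hashes, archive = download_samples(fake, "ascii", "trickbot", examples=2, poll_seconds=0)
    return hashes, hash_archive_members(archive), missing_samples(archive, hashes)


if __name__ == "__main__":
    # Live use: from falconpy import MalQuery; client = MalQuery(client_id=..., client_secret=...)
    print(demo())
```

For a live run, pass a `falconpy.MalQuery` instance in place of `FakeMalQuery` and write the returned bytes to the `-f` path only after `missing_samples()` comes back empty; keep `hash_archive_members()` for any later triage, since it lets you identify each sample by SHA-256 without ever extracting it.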

