CrowdStrike Falcon® Sandbox is an automated malware analysis solution that empowers security teams by overlaying comprehensive threat intelligence with the results of the world’s most powerful sandbox solution. This unique combination provides context, enabling analysts to better understand sophisticated malware attacks and tune their defenses. Falcon Sandbox performs deep analysis of evasive and unknown threats, enriches the results with threat intelligence, and delivers actionable indicators of compromise (IOCs). Falcon Sandbox enables cybersecurity teams of all skill levels to increase their understanding of the threats they face and use that knowledge to defend against future attacks.
CrowdStrike Falcon® Sandbox FAQ
Want to see CrowdStrike Falcon® Sandbox in action? Start with a free trial
Hybrid analysis is a file analysis approach that combines runtime data with memory dump analysis to extract all possible execution pathways even for the most evasive malware. The combination of hybrid analysis and extensive pre- and post-execution analysis delivers a unique capability, resulting in the extraction of more IOCs than any other competing sandbox solution. All data extracted from the hybrid analysis engine is processed automatically and integrated into the malware analysis reports.
Hybrid-Analysis.com is a free online malware analysis community enabling users to submit files for free in-depth analysis. In addition, users can search thousands of existing malware reports or download samples and IOCs via the website and well-documented REST API.
Hybrid-Analysis is an independent service, powered by Falcon Sandbox, and is a great way to evaluate the Falcon Sandbox technology. Hybrid Analysis provides a subset of Falcon Sandbox capabilities. The following chart highlights a few of the differences:
| Feature | Hybrid-Analysis.com | Falcon Sandbox |
| DETONATION ENVIRONMENTS | ||
| Windows 7 (32/64) |
✓ |
✓ |
| Windows 10 | ✓ | |
| Ubuntu 16 (64) | ✓ | ✓ |
| FILE SUBMISSIONS | ||
| Max file submissions per month | Up to 30 as Guest | Up to 25,000 |
| Analyze Files/Archives | ✓ | ✓ |
| Analyze URLs | ✓ | ✓ |
| Submission without re CAPTCHA | ✓ | |
| Re-analyze extracted files | ✓ | |
| DOWNLOADS | ||
| Binary Samples/PCAPS | ✓ | ✓ |
| MAEC, STIX, MISP, OpenIOC | ✓ | ✓ |
| PDF, JSON, HTML | ✓ | |
| REPORT FEATURES | ||
| Risk view summary and verdict | ✓ | ✓ |
| View all malicious/suspicious indicators (IOCs) | ✓ | |
| View all network IDS rule triggers | ✓ | |
| Full privacy for your reports | ✓ | |
| INTEGRATION | ||
| CrowdStrike Intel integration (attribution, IOCs, IDS, YARA) | ✓ | |
| Falcon MalQuery Integration | ✓ | ✓ |
| REST API for file submissions and search | ✓ | ✓ |
| Support for SOAR tools (e.g Phantom, Demisto) | ✓ |
Yes, files submitted to Falcon Sandbox are private. All submitted files and associated reports are stored and maintained in the highly secure Falcon platform.
Authors of modern malware are aware of sandbox technology and have instrumented their malware to either stop or hide malicious activity when it detects an external process monitoring the file. Traditional, first-generation sandbox monitors run at the application layer (user mode) to intercept system library calls, which are easily detected. Falcon Sandbox implements monitoring at the operating system level (kernel mode) leaving the target process untouched, making it very difficult to detect. The Falcon Sandbox kernel mode monitor has proven to be robust and extremely effective against “in the wild” and most current malware samples. CrowdStrike’s world-class anti-sandbox and anti-VM detection technology (illustrated by benchmark tools such as Pafish or VMDE) enables analysis of most evasive malware. CrowdStrike is constantly updating Falcon Sandbox to stay ahead of new evasion techniques and verifies its performance with in-house benchmark tools and the public community offering Hybrid-Analysis.com that is field-tested every day.
Falcon Sandbox scales automatically. You can easily process up to 25,000 files per month with the appropriate license. This level of scalability is provided without any infrastructure costs to you.
The Falcon Sandbox supports PE files (.exe, .scr, .pif, .dll, .com, .cpl, etc.), Office (.doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub), PDF, APK, executable JAR, Windows Script Component (.sct), Windows Shortcut (.lnk), Windows Help (.chm), HTML Application (.hta), Windows Script File (*.wsf), Javascript (.js), Visual Basic (*.vbs, *.vbe), Shockwave Flash (.swf), Perl (.pl), Powershell (.ps1, .psd1, .psm1), Scalable Vector Graphics (.svg), Python (.py) and Perl (.pl) scripts, Linux ELF executables, MIME RFC 822 (*.eml) and Outlook *.msg files.
You can upload archives with or without a password: ace, arj, 7z, bzip2, gzip2, iso, rar, rev, tar, wim, xz and zip. If you use a password, the typical, “infected,” password is required.
Falcon Sandbox enables users to take control by providing the ability to configure settings to determine how malware is detonated. These options include setting the date/time, environmental variables, setting command line options, providing passwords for PDF/Office prompts and more. In addition, you can select from many “action scripts” that will mimic user behavior (such as mouse clicks and movement, keyboard entry, etc.) during detonation to help expose malware attempting to hide from sandbox technology.
Behavioral indicators, similar to indicators of attack (IOAs), define high-risk activity or a series of activities taken in sequence that can be considered potentially malicious. Examples include adding an entry to an autostart registry, changing a firewall setting, writing a known ransomware file to disk or sending data on unusual ports. Behavioral indicators provide a more complete view into the potential risk of the file and are used to identify previously unknown threats. Falcon Sandbox includes more than 700 generic behavioral indicators, which are constantly being updated and expanded.
Falcon Sandbox supports Windows Desktop XP, Vista, 7, 8, 10 (32 and 64 bit) and Ubuntu/RHEL Linux (32 and 64 bit). We also support static file analysis for Android APK files.
Falcon Sandbox reports include an incident response summary, links to related sandbox analysis reports, many IOCs, actor attribution, recursive file analysis, file details, screenshots of the detonation, runtime process tree, network traffic analysis, extracted strings and IP/URL reputation lookups. In addition, reports are enriched with information from AlienVault OTX, VirusTotal and by CrowdStrike Intelligence, providing threat actor attribution, related samples and more. In addition, you can review CrowdStrike’s Falcon Sandbox reports for examples.
Yes, Falcon Sandbox provides a variety of search options, including the ability to combine search terms. You can search for a virus family name, threat actor, specific file type, hash, #tag and whether a specific behavioral indicator was triggered. You can even find reports that have contacted a specific IP address, country, domain, URL and much more.
Recursive analysis is a unique capability that determines whether the analyzed file is related to a larger campaign, malware family or threat actor. Falcon Sandbox will automatically search the industries largest malware search engine to find related samples and within seconds expand the analysis to include all files. This is important because it provides analysts with a deeper understanding of the attack and a larger set of IOCs that can be used to better protect the organization.
Falcon Sandbox is licensed on a subscription basis, based upon the number of files analyzed by Falcon Sandbox per month.
For more information, please contact us.