Engineering & Tech

In the first part of this series, we provided a brief overview of the Windows Restart Manager. In this blog post, we examine how these mechanisms can be exploited by adversaries and review how the Cro[…]

Malware utilizes a multitude of techniques to avoid detection, and threat actors are continuously uncovering and exploiting new methods of attack. One of the less common techniques includes the exploi[…]

CrowdStrike data scientists describe a new similarity paradigm to organize information and make it accessible, searchable and mappable The new similarity-based mapping of cybersecurity data associates[…]

Machine learning explainability ensures that AI models are transparent, trustworthy and accurate Explainability enables data scientists to understand how and why an AI model arrived at a particular de[…]

The CrowdStrike Falcon® platform leverages similarity search at scale to drive up efficacy PowerShell-based attacks are on the rise and many malware authors save time and effort by using artificial in[…]

CrowdStrike releases a free tool for data scientists for porting TensorFlow machine learning models to Rust pure safe code The tool, named tf2rust, enables data scientists to create leaner machine lea[…]

In a previous post, our team shared our Three Best Practices for Building a High-Performance Graph Database. That was written two years ago, when CrowdStrike Threat Graph® was processing billions of e[…]

In Part 1, we explained what Intel SGX enclaves are and how they benefit ransomware authors. In Part 2, we explore a hypothetical step-by-step implementation and outline the limitations of this method[…]

This is the fourth blog post in a four-part series. Read Part 1 | Part 2 | Part 3. In Part 3, CrowdStrike's Endpoint Protection Content Research Team covered the finer points of Input/Output Control ([…]

Intel SGX technology enables developers to isolate and encrypt a portion of code and data in the processor and memory in a trusted execution environment, known as an enclave. As enclaves are increasin[…]

This is the third blog post in a four-part series. Read Part 1 | Part 2 | Part 4. In Part 1 of this four-part blog series examining wiper malware, the CrowdStrike Endpoint Protection Content Research […]

This is the second blog post in a four-part series. Read Part 1 | Part 3 | Part 4. In Part 1 of this four-part blog series examining wiper malware, we introduced the topic of wipers, reviewed their re[…]

This is the first blog post in a four-part series. Read Part 2 | Part 3 | Part 4. This blog post is the first in a four-part series in which CrowdStrike’s Endpoint Protection Content Research Team wil[…]

CrowdStrike is always looking for innovative ways to improve detection content for our customers. We believe a multifaceted approach that combines customer input, standardized testing and internal res[…]

Modern Spark Pipelines are a powerful way to create machine learning pipelines Spark Pipelines use off-the-shelf data transformers to reduce boilerplate code and improve readability for specific use c[…]

A novel technique that reduces the overhead in extracting sensitive data from Chromium browser’s memory was recently found by researchers from CyberArk Labs Existing access to the targeted system is r[…]

CrowdStrike combines the power of the cloud with cutting-edge technologies such as TensorFlow and Rust to make model training hundreds of times faster than traditional approaches CrowdStrike continuou[…]

According to CrowdStrike research, Mirai malware variants compiled for Intel-powered Linux systems double (101%) in Q1 2022 compared to Q1 2021 Mirai malware variants that targeted 32-bit x86 processo[…]

Ransomware (43% of analyzed threat data), backdoors (35%) and trojans (17%) were the most popular macOS malware categories spotted by CrowdStrike researchers in 2021 OSX.EvilQuest (ransomware), OSX.Fl[…]

The CrowdStrike Security Cloud processes over a trillion events from endpoint sensors per day, but human professionals play a vital role in providing structure and ground truth for artificial intellig[…]

CrowdStrike introduces accelerated memory scanning into the CrowdStrike Falcon® sensor for Windows to enhance existing visibility and detection of fileless threats The Falcon sensor integrates Intel® […]

The Go ecosystem has long relied on the use of third-party libraries for logging. Logrus, one of the first leveled, structured logging libraries, is now maintenance-only and its developers recommend m[…]

Threat actors go to great lengths to hide the intentions of the malware they produce This blog demonstrates reliable methods for extracting information from popular Linux shells Extracted memory infor[…]

In two recent blog posts from the CrowdStrike Software Development Engineers in Test (SDET) team, we explored how end-to-end validation testing and modular testing design could increase the speed and […]

In our last post, Testing Data Flows using Python and Remote Functions, we discussed how organizations can use remote functions in Python to create an end-to-end testing and validation strategy. Here […]

In a recent blog post, Sharding Kafka for Increased Scale and Reliability, the CrowdStrike Engineering Site and Reliability Team shared how it overcame scaling limitations within Apache Kafka so that […]

Virtually every aspect of a modern business depends on having a reliable, secure, real-time, high-quality data stream. So how do organizations design, build and maintain a data processing pipeline tha[…]

Recently, one of our engineering teams encountered what seemed like a fairly straightforward issue: When they attempted to store UUID values to a database, it produced an error claiming that the value[…]

CrowdStrike research finds that 75% of the WebAssembly modules are malicious WebAssembly is an open standard that allows browsers to execute compiled programs Cryptocurrency miners boost efficiency by[…]

The Hybrid Analysis community submits hundreds of thousands of samples for analysis to our systems every day. Those sample submissions mean our CrowdStrike Falcon® Sandbox™ software must do millions o[…]

In a previous blog post, Building on the Shoulders of Giants: Combining TensorFlow and Rust, we laid out our approach of performing hyperparameter tuning and experimenting with known deep learning fra[…]

Introduction While deep neural networks have state-of-the-art performance in many tasks, boosted tree models still often outperform deep neural networks on tabular data. This largely seems to be the c[…]

Many companies choose Apache Kafka for their asynchronous data pipelines because it is robust to traffic bursts, and surges are easily managed by scaling consumers. However, scaling is not helpful whe[…]

How our engineering team overcame scaling limitations and improved reliability in our high-throughput, asynchronous data processing pipeline Apache Kafka is a high-throughput, low-latency distributed […]

Malvertising campaigns delivering Shlayer malware for macOS are still ongoing, despite the patching of a critical zero-day vulnerability (CVE-2021-30657) abused for months to compromise victims by dod[…]

One common challenge facing cloud engineers is how to develop and run tests that are distributed across multiple clusters, teams, environments or services. The use of new technologies, like containeri[…]

The CrowdStrike Services team is excited to announce the release of AutoMacTC 1.2.0 to the community. AutoMacTC was originally released in March 2019 to help incident responders investigate intrusions[…]

ZIP files are a known vector for phishing campaigns, ransomware and other malicious action. Because the format isn’t generally executable (minus self-extracting ZIPs), it hasn’t gotten as much attenti[…]

Why “Alerts as Code” is a winning strategy for system maintenance and analysis While running multiple, independent clouds offers organizations many important benefits such as resiliency, flexibility a[…]

There is a quote from Sun Tzu, “The Art of War,” that remains true to this day, especially in cybersecurity: “Know thy enemy and know yourself; in a hundred battles, you will never be defeated.” At Cr[…]

Vulnerabilities in the kernel mode component have serious implications on endpoint security. Operating systems and independent software vendors have been improving the security of code for years, but […]

Fileless and script-based attacks have been low-hanging fruit for years for adversaries, and their versatility has proved effective in sometimes bypassing traditional static-based antivirus solutions.[…]

Deep learning models have undoubtedly achieved astonishing performance in various fields of machine learning, such as natural language processing, voice recognition and computer vision. The impressive[…]

In our earlier post, Making Threat Graph Extensible: Leveraging a DSL to Improve Data Ingestion (Part 1 of 2), we explored how and why CrowdStrike leverages HCL as a domain-specific language (DSL) in […]

CrowdStrike processes hundreds of billions of events on a daily basis, which are processed by our custom-built CrowdStrike Threat Graph® database, which leverages cutting-edge security analytics to co[…]

WebNavigatorBrowser is a web browser that meets the criteria of adware due to its injecting of ads into search results. The developer based it on Google’s free and open-source browser software project[…]

This blog is intended for malware researchers working to develop signatures detecting malware, and engineers developing infrastructure supporting these signatures. At CrowdStrike, we often leverage ma[…]

The year 2020 has seen an accelerated uptick in eCrime activity, as well as an obvious shift in eCrime adversaries engaging in big game hunting (BGH) operations that involve interactive deployment of […]

We recently integrated new functionality into our CrowdStrike Falcon® sensor that was implemented in Rust. Rust is a relatively young language with several features focused on safety and security. Cal[…]

Any cyberattack can have a significant impact on business operations, but perhaps none are as sophisticated as kernel attacks. Kernel attacks exploit the zero-day operating system vulnerabilities in t[…]

The answer to that question often depends on who you ask. By definition, process herpaderping is a hacking technique in which digital adversaries modify on-disk content after the image has been mapped[…]

The CrowdStrike® Intelligence team recently published its findings on a sophisticated supply chain attack. In a nutshell, the adversary planted a malicious file, dubbed SUNSPOT, on the victim’s build […]

This blog is primarily aimed at software development engineers in test (SDETs) who are testing Java applications, specifically focusing on how they can tackle an encapsulated, tightly coupled project […]

Motivation Deep learning models have been considered “black boxes” in the past, due to the lack of interpretability they were presented with. However, in the last few years, there has been a great dea[…]

In this blog, we present the results of some preliminary experiments with training highly “overfit” (interpolated) models to identify malicious activity based on behavioral data. These experiments wer[…]

After more than a decade, the sun has set on Python 2. Love it or hate it, Python 2.7.18 is the final official release — and to remain current with security patches and continue enjoying all of the ne[…]

GuLoader, a malware family that emerged in the wild late last year, is written in Visual Basic 6 (VB6), which is just a wrapper for a core payload that is implemented as a shellcode. It is distributed[…]

CrowdStrike® employees like to say that there is big data, huge data and our data. To date, we have collected, analyzed and stored more than 15 petabytes of data, generated through hundreds of billion[…]

How to effectively manage client-side partial failures, avoid data loss and process errors Apache Kafka is the gold standard for building real-time data pipelines and streaming apps. Scalable, fault-t[…]

Python is one of the most popular programming languages for data scientists — and for good reason. The Python Package Index (PyPI) hosts a vast array of impressive data science library packages, such […]

Malware in the Scripting Landscape Scripting is a well-known means of spreading malware. Easy to write and often difficult for security solutions to detect, scripts make the perfect tool for attackers[…]

As the new coronavirus, COVID-19, spreads around the planet, many people are filled with emotions like fear, uncertainty and hope — which are the top ingredients for an effective spam campaign. Cyber […]

Machine learning for computer security has enjoyed a number of recent successes, but these tools aren’t perfect, and sometimes a novel family is able to evade file-based detection. This blog walks you[…]

Working with text data (which we often refer to as “strings”) is common in cybersecurity applications. For example, suppose we have a set of command lines associated with malicious activity, and we wa[…]

Red team penetration testers very often add tools to their arsenal that borrow techniques originating in malicious software. Shellter is such a tool. It was inspired by the EPO and polymorphic file-in[…]

While adversaries continue to evolve their cyberattacks, CrowdStrike® scientists and engineers keep pushing the boundaries of what’s achievable in malware detection and prevention capabilities. Some o[…]

Introduction Machine learning is one of the many tools we use at CrowdStrike® to stop breaches. To do it well, we need enormous amounts of data — and also the tools to process all of this data. In a r[…]

My last blog post discussed the rationale for CrowdScore® and outlined its evidence-weighting approach, demonstrating a 10- to 25-fold improvement in the ability to accurately distinguish between mali[…]

Machine learning has demonstrated dramatic effectiveness in a wide range of fields, including computer security. However, machine learning for computer security has its weaknesses. This does not mean […]

At CrowdStrike®, machine learning is a major tool for detecting new malware families and keeping our customers safe. We utilize gradient boosted trees with thousands of features to classify whether a […]

One key building block we use for scaling our machine learning models at CrowdStrike® is Docker containers. Docker containers let us construct application environments with all the dependencies, tools[…]

Following the MITRE ATT&CK™ Evaluation of endpoint detection and response (EDR) solutions, I've heard a lot of confusion surrounding the various terms MITRE used, particularly the terms "detections,” […]

From the very beginning, CrowdStrike® set out on its mission to stop breaches by harnessing the power of the cloud. The cloud has transformed the IT landscape, allowing customers to deploy new service[…]

Over the past three months, CrowdStrike worked closely with VirusTotal (VT), and we are excited to announce the integration of our anti-malware technology as an additional scanner available to the VT […]