How Falcon Overwatch Proactively Hunts for Threats in Your Environment

One of the innovative features of Falcon is OverWatch. In this scenario we will assume that an attacker has owned a machine in our network and is going to carry out a standard set of commands to accomplish their goals. Script based attacks and living off of the land attacks are occurring more and more since they are difficult to detect.

Because no malware or specialized tools are used, these attacks often to go undetected by traditional defenses and allow attackers to go unnoticed for an average of 200 days.

In the demo scenario we are going to assume that an attacker has gained access to an organization, this may be through stolen credentials, an un-patched vulnerability, or maybe just a disgruntled employee. At this point he has access to a command prompt and is going to carry out a set of commands that use built-in tools to accomplish his goals.

The first few command are just reconnaissance. The user confirms that he is a standard user and would like to get admin privileges to carry out his ultimate objective. To do this he’ll run an encoded powershell command in memory in an attempt to avoid detection and obfuscate his intentions.

The command is successful and upon further inspection account credentials for a user “admin” have been stored on this machine at some point.

The attacker will then use these stolen credentials to launch PowerShell with admin privileges. The next step for this user is to establish persistence on this machine so that they can come back at a later time if needed.

To do this the attacker will use the task scheduler to create a reoccurring task to change the functionality of the built-in on-screen keyboard to a command prompt. The on-screen keyboard is available to the user without logging in. This gives the attacker access to the machine even if the admin or local user changes their passwords.

Even if it is discovered that the on-screen keyboard has been replaced with a command prompt the scheduled task will change that every morning at 9:00.

To create a secondary way to gain access to this machine our attacker will create an additional user account called “webadmin” and give that user admin rights.

Using built-in tools and stolen credentials our attacker has successfully compromised our organization, stolen credentials and elevated privileges to established persistence through both the scheduled task utility and a secondary user. The techniques are designed to evade detection by a traditional AV solutions.

From an attacker perspective the only thing left to do is carry out his objectives, in this case he’s found a directory of interesting information that he’d like to steal. To do this, he’s create a temporary directory, then he’ll copy the contents of the target directory using a built in microsoft tool to compress the files in a .cab format, a format that avoids detection from most DLP solutions.

Then using at FTP server he exfiltrates the data and deletes any artifacts to avoid alerting anyone to his presence.

Our attacker has done everything he can think of to avoid detections. He’s used legitimate credentials, run encoded commands, and created a user account that looks official. He’s even used built-in tools to avoid downloading suspicious tools that may raise suspicions to his actions.

however what our attacker hasn’t accounted on is Falcon. Using the events app we will run a single search query that will return the command history from our victim host. Within seconds ever command used on the system is displayed, we can even see that the attacker was using encoded powershell commands.

Falcon gives the user full visibility into events on every host managed by CrowdStrike. But how would one know to look at a specific machine as closely as we just did?

This is where Falcon OverWatch becomes an invaluable partner in your security portfolio. The activity from this machine is highly suspicious and caught the attention of the OverWatch team. When events like this are discovered in a customer environment they update the customers detection app with an OverWatch alert. Certain activity may also generate an email or at times a phone call.

in the alert and email the observed behavior will be outlined along with a suggested course of action which often included containment and steps for remediation.

OverWatch is that final layer of protection that is put in place to detect the stealthiest attacks. CrowdStrike’s unique capabilities not only provide the deep visibility to investigate targeted attacks but also provides the innovation may it be algorithm based or human based to filter through the data and alert on important events.

For additional information on Falcon OverWatch go to CrowdStrike.com