How Falcon Prevents Script-based and Other Fileless Attacks

Introduction

Fileless and script-based attacks are on the rise.  The growth in this area is attributed to their evasion capability: these attacks avoid detection by traditional AV solutions.  In an article written by pentestlab.blog, the author illustrates how a simple script from a widely available tool can bypass security measures.  In this article we’ll illustrate how Falcon uses multiple detection capabilities to prevent script-based attacks.

Prerequisites

For this article we’ve replicated the script used in the blog.  Then we’ll attempt to run the script on a host protected by Falcon.  To do this, I used an updated version of Kali Linux and a host running Windows 7.

Step 1: Generate a Certificate

The generated script is an encoded PowerShell command that establishes an encrypted connection from the target back to the attacker.  This encryption prevents a HIPS from inspecting the packets.

The following steps are taken directly from the blog posted by pentestlab.blog.

To generate a certificate for the encrypted channel I used the Metasploit module impersonate_ssl and chose a common domain to impersonate.  Once complete, verify that the generated file is on the desktop.

generate a cert


Step 2: Configure the Listener

This step isn’t in the same order as the original article, but it accomplishes the same goal.  Once the payload is executed (I’ll create the payload in the next step), an encrypted session between the victim and the attacker will be created.  This prevents a HIPS from inspecting the traffic, removing any protection it might have provided.

configure the handler

Step 3: Generate a Payload

Metasploit’s msfvenom is used to generate a payload.  In this case the payload is an encrypted PowerShell script.  This payload leverages the certificate generated in Step 1.

Payload generation

How Falcon Protects Against Script-based Attacks

The Falcon Platform is a single agent with multiple functions.  In this scenario I’ll use the Falcon Prevent capabilities to identify what this threat is trying to accomplish.

The alert below shows a process tree that gives a clear idea of how this attack works and what it’s trying to accomplish.  We can see that explorer.exe launches a command prompt, and the command line of that prompt shows it opening the batch script created in Metasploit.

detection step 1

Looking at the next two steps, we see that the new command prompt calls PowerShell, which then runs an encoded command.  The subsequent PowerShell process is that same encoded command running.

Detection step 2

Finally, the last process is the attempted execution of the encoded script.  In this instance there are three separate suspicious behaviors, although Falcon needs only one of them to prevent the attack.  The green text indicates that a suspicious process was identified and prevented.  Next, Falcon recognizes that PowerShell was given an encoded command, which is suspicious.  Finally, the presence of Metasploit’s Meterpreter, loaded into a process, is identified.

On the right, in the details pane, we get additional information on what the script was trying to accomplish.  The Network Operations section identifies the attacker’s server and shows that communications were over port 443.  In the Disk Operations section, a list of all the DLLs and files read from and written to disk is available for further investigation.
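The detection logic described above (a PowerShell process, spawned from a command prompt under explorer.exe, that is handed an encoded command) can be expressed as a small check over process-creation events. The example below is added here and is not Falcon code or the blog’s script; the event field names (`pid`, `ppid`, `image`, `cmdline`) and the sample events are constructed for illustration, and the encoded command is a harmless `Write-Host`.

```python
import base64
import re

def encode_ps(cmd: str) -> str:
    """Encode a command the way PowerShell's -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")

# Constructed sample process-creation events (assumed field names, not Falcon telemetry).
# They mirror the tree from the alert: explorer.exe -> cmd.exe -> powershell.exe.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c payload.bat"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + encode_ps("Write-Host 'constructed sample'")},
    # Benign administrative use of PowerShell with no encoded command: must not be flagged.
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

# PowerShell accepts abbreviated forms of -EncodedCommand; match the common ones.
ENCODED_FLAG = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def parent_chain(events, pid):
    """Walk ppid links and return image names from the process up to the root."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        e = by_pid[pid]
        chain.append(e["image"].rsplit("\\", 1)[-1].lower())
        pid = e["ppid"]
    return chain

def find_encoded_powershell(events):
    """Flag PowerShell processes running an encoded command, with their ancestry and decoded text."""
    findings = []
    for e in events:
        if not e["image"].lower().endswith("powershell.exe"):
            continue
        decoded = decode_encoded_command(e["cmdline"])
        if decoded is None:
            continue
        chain = parent_chain(events, e["pid"])
        findings.append({"pid": e["pid"], "chain": chain, "decoded": decoded,
                         "from_cmd": "cmd.exe" in chain[1:]})
    return findings
```

The decoded text is what an analyst reviews next; the ancestry (`from_cmd`) is the context that makes the encoded command suspicious rather than merely unusual.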

Detection step 3

Conclusion

Script-based and other fileless attacks are on the rise because they can avoid detection by both new and old detection capabilities.  CrowdStrike uses many types of detection methods to both identify and stop the broad range of attack vectors in use today.
