Engineering & Tech
Tech Analysis: Channel File May Contain Null Bytes
Key Points CrowdStrike has observed instances internally and in the field in which the content of one or more channel files on disk is all zeroes. This has been observed in the context of a channel fi[…]
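The condition this post describes (a channel file whose on-disk content is all zero bytes) is easy to check for before any consumer parses the file. The following is an added example, not CrowdStrike's code: it scans a directory and classifies each file as healthy, zero-filled, or empty, treating the last two as distinct failure modes, since a truncated-to-empty file and a correctly sized file full of 0x00 point to different causes. The directory layout, file names and glob pattern are assumptions for illustration; the sample files are constructed inline.

```python
"""Flag files whose on-disk content is entirely 0x00 bytes.

Added example, not CrowdStrike code. The directory layout, the file names
and the default glob pattern are assumptions made for illustration.
"""
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # 64 KiB reads, so large files are never loaded whole


def is_all_zero(path):
    """Return True if the file is non-empty and every byte is 0x00.

    The scan stops at the first non-zero byte, so healthy files cost at
    most one chunk read.
    """
    seen_any = False
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return seen_any
            seen_any = True
            # any() over bytes is True as soon as one byte is non-zero
            if any(chunk):
                return False


def classify_file(path):
    """'empty' (0 bytes), 'all_zero' (non-empty, only 0x00), or 'ok'."""
    if os.path.getsize(path) == 0:
        return "empty"
    if is_all_zero(path):
        return "all_zero"
    return "ok"


def scan_channel_files(directory, pattern="*.bin"):
    """Return {filename: classification} for regular files matching pattern.

    The pattern is an assumption; match whatever naming the consumer uses.
    """
    results = {}
    for p in sorted(Path(directory).glob(pattern)):
        if p.is_file():
            results[p.name] = classify_file(p)
    return results


def demo():
    """Classify a constructed set of sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        # Constructed samples: one non-zero byte up front, then padding
        (base / "channel_ok.bin").write_bytes(b"\x01" + b"\x00" * 4095)
        # Constructed sample: the failure mode from the post, all 0x00
        (base / "channel_zero.bin").write_bytes(b"\x00" * 4096)
        # Constructed sample: zero-filled and larger than one read chunk
        (base / "channel_big_zero.bin").write_bytes(b"\x00" * (2 * CHUNK + 17))
        # Constructed sample: only the final byte of the second chunk is set
        (base / "channel_tail.bin").write_bytes(b"\x00" * (CHUNK + 1) + b"\xff")
        # Constructed sample: zero-length file, reported separately
        (base / "channel_empty.bin").write_bytes(b"")
        return scan_channel_files(d)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Run against a real directory with `scan_channel_files("/path/to/files", "*")`; anything reported as `all_zero` or `empty` should be quarantined or refetched rather than handed to a parser that expects well-formed content.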
EMBERSim: A Large-Scale Databank for Boosting Similarity Search in Malware Analysis
Binary code similarity (BCS) is an important part of training machine learning (ML) models to effectively analyze vast amounts of cybersecurity telemetry. However, BCS has historically focused on find[…]
CrowdStrike Falcon Next-Gen SIEM Unveils Advanced Detection of Ransomware Targeting VMware ESXi Environments
CrowdStrike Falcon® Next-Gen SIEM enables companies to search, investigate and hunt down threats, including detection of advanced ransomware targeting VMware ESXi Initial access to the ESXi infrastruc[…]
CrowdStrike’s Advanced Memory Scanning Stops Threat Actor Using BRc4 at Telecommunications Customer
CrowdStrike’s Advanced Memory Scanning detected BRc4 execution in the wild. CrowdStrike has integrated new indicators of attack (IOAs) for modern endpoint detection and response (EDR) evasion techniqu[…]
The Windows Restart Manager: How It Works and How It Can Be Hijacked, Part 2
In the first part of this series, we provided a brief overview of the Windows Restart Manager. In this blog post, we examine how these mechanisms can be exploited by adversaries and review how the Cro[…]
The Windows Restart Manager: How It Works and How It Can Be Hijacked, Part 1
Malware utilizes a multitude of techniques to avoid detection, and threat actors are continuously uncovering and exploiting new methods of attack. One of the less common techniques includes the exploi[…]
How CrowdStrike Uses Similarity-Based Mapping to Understand Cybersecurity Data and Prevent Breaches
CrowdStrike data scientists describe a new similarity paradigm to organize information and make it accessible, searchable and mappable The new similarity-based mapping of cybersecurity data associates[…]
Cracking the Code of AI Decision Making: Harnessing the Power of SHAP Values
Machine learning explainability ensures that AI models are transparent, trustworthy and accurate Explainability enables data scientists to understand how and why an AI model arrived at a particular de[…]
CrowdStrike’s Artificial Intelligence Tooling Uses Similarity Search to Analyze Script-Based Malware Attack Techniques
The CrowdStrike Falcon® platform leverages similarity search at scale to drive up efficacy PowerShell-based attacks are on the rise and many malware authors save time and effort by using artificial in[…]
CrowdStrike’s Free TensorFlow-to-Rust Conversion Tool Enables Data Scientists to Run Machine Learning Models as Pure Safe Code
CrowdStrike releases a free tool for data scientists for porting TensorFlow machine learning models to Rust pure safe code The tool, named tf2rust, enables data scientists to create leaner machine lea[…]
Spotlight on the Log-Structured Merge (LSM) Tree: One of the Keys Enabling CrowdStrike to Process Trillions of Events per Day
In a previous post, our team shared our Three Best Practices for Building a High-Performance Graph Database. That was written two years ago, when CrowdStrike Threat Graph® was processing billions of e[…]
Playing Hide-and-Seek with Ransomware, Part 2
In Part 1, we explained what Intel SGX enclaves are and how they benefit ransomware authors. In Part 2, we explore a hypothetical step-by-step implementation and outline the limitations of this method[…]
The Anatomy of Wiper Malware, Part 4: Less Common “Helper” Techniques
This is the fourth blog post in a four-part series. Read Part 1 | Part 2 | Part 3. In Part 3, CrowdStrike's Endpoint Protection Content Research Team covered the finer points of Input/Output Control ([…]
Playing Hide-and-Seek with Ransomware, Part 1
Intel SGX technology enables developers to isolate and encrypt a portion of code and data in the processor and memory in a trusted execution environment, known as an enclave. As enclaves are increasin[…]
The Anatomy of Wiper Malware, Part 3: Input/Output Controls
This is the third blog post in a four-part series. Read Part 1 | Part 2 | Part 4. In Part 1 of this four-part blog series examining wiper malware, the CrowdStrike Endpoint Protection Content Research […]
The Anatomy of Wiper Malware, Part 2: Third-Party Drivers
This is the second blog post in a four-part series. Read Part 1 | Part 3 | Part 4. In Part 1 of this four-part blog series examining wiper malware, we introduced the topic of wipers, reviewed their re[…]
The Anatomy of Wiper Malware, Part 1: Common Techniques
This is the first blog post in a four-part series. Read Part 2 | Part 3 | Part 4. This blog post is the first in a four-part series in which CrowdStrike’s Endpoint Protection Content Research Team wil[…]
Improving CrowdStrike Falcon® Detection Content with the Gap Analysis Team
CrowdStrike is always looking for innovative ways to improve detection content for our customers. We believe a multifaceted approach that combines customer input, standardized testing and internal res[…]
A Deep Dive into Custom Spark Transformers for Machine Learning Pipelines
Modern Spark Pipelines are a powerful way to create machine learning pipelines Spark Pipelines use off-the-shelf data transformers to reduce boilerplate code and improve readability for specific use c[…]
CrowdStrike Falcon® Stops Modern Identity-Based Attacks in Chrome
A novel technique that reduces the overhead in extracting sensitive data from Chromium browser’s memory was recently found by researchers from CyberArk Labs Existing access to the targeted system is r[…]
How CrowdStrike Achieves Lightning-Fast Machine Learning Model Training with TensorFlow and Rust
CrowdStrike combines the power of the cloud with cutting-edge technologies such as TensorFlow and Rust to make model training hundreds of times faster than traditional approaches CrowdStrike continuou[…]
Mirai Malware Variants for Linux Double Down on Stronger Chips in Q1 2022
According to CrowdStrike research, Mirai malware variants compiled for Intel-powered Linux systems double (101%) in Q1 2022 compared to Q1 2021 Mirai malware variants that targeted 32-bit x86 processo[…]
macOS Malware Is More Reality Than Myth: Popular Threats and Challenges in Analysis
Ransomware (43% of analyzed threat data), backdoors (35%) and trojans (17%) were the most popular macOS malware categories spotted by CrowdStrike researchers in 2021 OSX.EvilQuest (ransomware), OSX.Fl[…]
How Human Intelligence Is Supercharging CrowdStrike's Artificial Intelligence
The CrowdStrike Security Cloud processes over a trillion events from endpoint sensors per day, but human professionals play a vital role in providing structure and ground truth for artificial intellig[…]
CrowdStrike Falcon® Enhances Fileless Attack Detection with Intel Accelerated Memory Scanning Feature
CrowdStrike introduces accelerated memory scanning into the CrowdStrike Falcon® sensor for Windows to enhance existing visibility and detection of fileless threats The Falcon sensor integrates Intel® […]
A More Modern Approach to Logging in Go
The Go ecosystem has long relied on the use of third-party libraries for logging. Logrus, one of the first leveled, structured logging libraries, is now maintenance-only and its developers recommend m[…]
Programs Hacking Programs: How to Extract Memory Information to Spot Linux Malware
Threat actors go to great lengths to hide the intentions of the malware they produce This blog demonstrates reliable methods for extracting information from popular Linux shells Extracted memory infor[…]
How a Generalized Validation Testing Approach Improves Efficiency, Boosts Outcomes and Streamlines Debugging
In two recent blog posts from the CrowdStrike Software Development Engineers in Test (SDET) team, we explored how end-to-end validation testing and modular testing design could increase the speed and […]
End-to-end Testing: How a Modular Testing Model Increases Efficiency and Scalability
In our last post, Testing Data Flows using Python and Remote Functions, we discussed how organizations can use remote functions in Python to create an end-to-end testing and validation strategy. Here […]
Managing Dead Letter Messages: Three Best Practices to Effectively Capture, Investigate and Redrive Failed Messages
In a recent blog post, Sharding Kafka for Increased Scale and Reliability, the CrowdStrike Engineering Site and Reliability Team shared how it overcame scaling limitations within Apache Kafka so that […]
Unexpected Adventures in JSON Marshaling
Recently, one of our engineering teams encountered what seemed like a fairly straightforward issue: When they attempted to store UUID values to a database, it produced an error claiming that the value[…]
A Principled Approach to Monitoring Streaming Data Infrastructure at Scale
Virtually every aspect of a modern business depends on having a reliable, secure, real-time, high-quality data stream. So how do organizations design, build and maintain a data processing pipeline tha[…]
WebAssembly Is Abused by eCriminals to Hide Malware
CrowdStrike research finds that 75% of the WebAssembly modules are malicious WebAssembly is an open standard that allows browsers to execute compiled programs Cryptocurrency miners boost efficiency by[…]
Improving Performance and Reliability of Internal Communication Among Microservices: The Story Behind the Falcon Sandbox Team’s gRPC Journey
The Hybrid Analysis community submits hundreds of thousands of samples for analysis to our systems every day. Those sample submissions mean our CrowdStrike Falcon® Sandbox™ software must do millions o[…]
Development Cost of Porting TensorFlow Models to Pure Rust
In a previous blog post, Building on the Shoulders of Giants: Combining TensorFlow and Rust, we laid out our approach of performing hyperparameter tuning and experimenting with known deep learning fra[…]
Re-searching Hyperparameters for Training Boosted Tree Models
Introduction While deep neural networks have state-of-the-art performance in many tasks, boosted tree models still often outperform deep neural networks on tabular data. This largely seems to be the c[…]
Addressing Uneven Partition Lag in Kafka
Many companies choose Apache Kafka for their asynchronous data pipelines because it is robust to traffic bursts, and surges are easily managed by scaling consumers. However, scaling is not helpful whe[…]
Shlayer Malvertising Campaigns Still Using Flash Update Disguise
Malvertising campaigns delivering Shlayer malware for macOS are still ongoing, despite the patching of a critical zero-day vulnerability (CVE-2021-30657) abused for months to compromise victims by dod[…]
Sharding Kafka for Increased Scale and Reliability
How our engineering team overcame scaling limitations and improved reliability in our high-throughput, asynchronous data processing pipeline Apache Kafka is a high-throughput, low-latency distributed […]
Testing Data Flows Using Python and Remote Functions
One common challenge facing cloud engineers is how to develop and run tests that are distributed across multiple clusters, teams, environments or services. The use of new technologies, like containeri[…]
CrowdStrike Services Releases AutoMacTC 1.2.0
The CrowdStrike Services team is excited to announce the release of AutoMacTC 1.2.0 to the community. AutoMacTC was originally released in March 2019 to help incident responders investigate intrusions[…]
Preventing Exploitation of the ZIP File Format
ZIP files are a known vector for phishing campaigns, ransomware and other malicious action. Because the format isn’t generally executable (minus self-extracting ZIPs), it hasn’t gotten as much attenti[…]
Grafana Alerting in a Multi-cloud World
Why “Alerts as Code” is a winning strategy for system maintenance and analysis While running multiple, independent clouds offers organizations many important benefits such as resiliency, flexibility a[…]
Know Your Enemy: Exploiting the Dell BIOS Driver Vulnerability to Defend Against It
There is a quote from Sun Tzu, “The Art of War,” that remains true to this day, especially in cybersecurity: “Know thy enemy and know yourself; in a hundred battles, you will never be defeated.” At Cr[…]
CrowdStrike Falcon® Detects Kernel Attacks Exploiting Vulnerable Dell Driver (CVE-2021-21551)
Vulnerabilities in the kernel mode component have serious implications on endpoint security. Operating systems and independent software vendors have been improving the security of code for years, but […]
Blocking Fileless Script-based Attacks Using CrowdStrike Falcon®'s Script Control Feature
Fileless and script-based attacks have been low-hanging fruit for years for adversaries, and their versatility has proved effective in sometimes bypassing traditional static-based antivirus solutions.[…]
Building on the Shoulders of Giants: Combining TensorFlow and Rust
Deep learning models have undoubtedly achieved astonishing performance in various fields of machine learning, such as natural language processing, voice recognition and computer vision. The impressive[…]
Making Threat Graph Extensible: Leveraging the Intermediate Representation to Generate Go Code (Part 2 of 2)
In our earlier post, Making Threat Graph Extensible: Leveraging a DSL to Improve Data Ingestion (Part 1 of 2), we explored how and why CrowdStrike leverages HCL as a domain-specific language (DSL) in […]
Making Threat Graph Extensible: Leveraging a DSL to Improve Data Ingestion (Part 1 of 2)
CrowdStrike processes hundreds of billions of events on a daily basis, which are processed by our custom-built CrowdStrike Threat Graph® database, which leverages cutting-edge security analytics to co[…]
The Rise and Fall of WebNavigatorBrowser: Chromium-based Adware Browser
WebNavigatorBrowser is a web browser that meets the criteria of adware due to its injecting of ads into search results. The developer based it on Google’s free and open-source browser software project[…]
Beefing up the Sandbox (and More): Signature Chaining to Pinpoint More Malware Behaviors
This blog is intended for malware researchers working to develop signatures detecting malware, and engineers developing infrastructure supporting these signatures. At CrowdStrike, we often leverage ma[…]
Press #1 to Play: A Look Into eCrime Menu-style Toolkits
The year 2020 has seen an accelerated uptick in eCrime activity, as well as an obvious shift in eCrime adversaries engaging in big game hunting (BGH) operations that involve interactive deployment of […]
Dealing with Out-of-memory Conditions in Rust
We recently integrated new functionality into our CrowdStrike Falcon® sensor that was implemented in Rust. Rust is a relatively young language with several features focused on safety and security. Cal[…]
Detecting and Preventing Kernel Attacks
Any cyberattack can have a significant impact on business operations, but perhaps none are as sophisticated as kernel attacks. Kernel attacks exploit the zero-day operating system vulnerabilities in t[…]
Herpaderping: Security Risk or Unintended Behavior?
The answer to that question often depends on who you ask. By definition, process herpaderping is a hacking technique in which digital adversaries modify on-disk content after the image has been mapped[…]
Stellar Performances: How CrowdStrike Machine Learning Handles the SUNSPOT Malware
The CrowdStrike® Intelligence team recently published its findings on a sophisticated supply chain attack. In a nutshell, the adversary planted a malicious file, dubbed SUNSPOT, on the victim’s build […]
Testing the Untestable in Java
This blog is primarily aimed at software development engineers in test (SDETs) who are testing Java applications, specifically focusing on how they can tackle an encapsulated, tightly coupled project […]
Seeing Malware Through the Eyes of a Convolutional Neural Network
Motivation Deep learning models have been considered “black boxes” in the past, due to the lack of interpretability they were presented with. However, in the last few years, there has been a great dea[…]
Memorizing Behavior: Experiments with Overfit Machine Learning Models
In this blog, we present the results of some preliminary experiments with training highly “overfit” (interpolated) models to identify malicious activity based on behavioral data. These experiments wer[…]
Python 2to3: Tips From the CrowdStrike Data Science Team
After more than a decade, the sun has set on Python 2. Love it or hate it, Python 2.7.18 is the final official release — and to remain current with security patches and continue enjoying all of the ne[…]
GuLoader: Peering Into a Shellcode-based Downloader
GuLoader, a malware family that emerged in the wild late last year, is written in Visual Basic 6 (VB6), which is just a wrapper for a core payload that is implemented as a shellcode. It is distributed[…]
Three Best Practices for Building a High-Performance Graph Database
CrowdStrike® employees like to say that there is big data, huge data and our data. To date, we have collected, analyzed and stored more than 15 petabytes of data, generated through hundreds of billion[…]
Best Practices: Improving Fault-Tolerance in Apache Kafka Consumer
How to effectively manage client-side partial failures, avoid data loss and process errors Apache Kafka is the gold standard for building real-time data pipelines and streaming apps. Scalable, fault-t[…]
Oh No! My Data Science Is Getting Rust-y
Python is one of the most popular programming languages for data scientists — and for good reason. The Python Package Index (PyPI) hosts a vast array of impressive data science library packages, such […]
CharCNNs and PowerShell Scripts: Yet Another Fight Against Malware
Malware in the Scripting Landscape Scripting is a well-known means of spreading malware. Easy to write and often difficult for security solutions to detect, scripts make the perfect tool for attackers[…]
Malspam in the Time of COVID-19
As the new coronavirus, COVID-19, spreads around the planet, many people are filled with emotions like fear, uncertainty and hope — which are the top ingredients for an effective spam campaign. Cyber […]
Convolutional Neural Networks Are MALE Models for PE Malware
Machine learning for computer security has enjoyed a number of recent successes, but these tools aren’t perfect, and sometimes a novel family is able to evade file-based detection. This blog walks you[…]
Building a String-Based Machine Learning Model to Detect Malicious Activity
Working with text data (which we often refer to as “strings”) is common in cybersecurity applications. For example, suppose we have a set of command lines associated with malicious activity, and we wa[…]
Gimme Shellter
Red team penetration testers very often add tools to their arsenal that borrow techniques originating in malicious software. Shellter is such a tool. It was inspired by the EPO and polymorphic file-in[…]
Large-Scale Endpoint Security MOLD Remediation
While adversaries continue to evolve their cyberattacks, CrowdStrike® scientists and engineers keep pushing the boundaries of what’s achievable in malware detection and prevention capabilities. Some o[…]
How We Use Apache Airflow at CrowdStrike, Part 1
Introduction Machine learning is one of the many tools we use at CrowdStrike® to stop breaches. To do it well, we need enormous amounts of data — and also the tools to process all of this data. In a r[…]
Is Measurable Security Possible?
My last blog post discussed the rationale for CrowdScore® and outlined its evidence-weighting approach, demonstrating a 10- to 25-fold improvement in the ability to accurately distinguish between mali[…]
Hardening Neural Networks for Computer Security Against Adversarial Attack
Machine learning has demonstrated dramatic effectiveness in a wide range of fields, including computer security. However, machine learning for computer security has its weaknesses. This does not mean […]
How CrowdStrike Uses SHAP to Enhance Machine Learning Models
At CrowdStrike®, machine learning is a major tool for detecting new malware families and keeping our customers safe. We utilize gradient boosted trees with thousands of features to classify whether a […]
Using Docker to Do Machine Learning at Scale
One key building block we use for scaling our machine learning models at CrowdStrike® is Docker containers. Docker containers let us construct application environments with all the dependencies, tools[…]
MITRE ATT&CK: Why Detections and Tainted Telemetry are Required for an Effective EDR Solution
Following the MITRE ATT&CK™ Evaluation of endpoint detection and response (EDR) solutions, I've heard a lot of confusion surrounding the various terms MITRE used, particularly the terms "detections,” […]
Taking Security to the Next Level: CrowdStrike Now Analyzes over 100 Billion Events Per Day
From the very beginning, CrowdStrike® set out on its mission to stop breaches by harnessing the power of the cloud. The cloud has transformed the IT landscape, allowing customers to deploy new service[…]
CrowdStrike Machine Learning and VirusTotal
Over the past three months, CrowdStrike worked closely with VirusTotal (VT), and we are excited to announce the integration of our anti-malware technology as an additional scanner available to the VT […]