Your Falcon trial allows you to test malware samples and advanced attack techniques. This is an optional step for your evaluation, demonstrating how Falcon Prevent protects your environment.
Time required: about 20 minutes, depending on the amount of testing you wish to conduct.
Requirements: a typical device running macOS or Windows, with the Google Chrome browser.
In this next section you will walk through testing scenarios with actual malware. You should NOT conduct these tests on your laptop or workstation, but rather in a dedicated malware testing environment. To facilitate this, the CloudShare virtual environment ensures that malware testing happens completely outside of your organization. The lab and this guide focus solely on Falcon Prevent, which is our anti-virus solution.
CloudShare is a cloud-based Windows lab environment where you can safely conduct live tests. If you already have a secure malware testing lab, you can also test Falcon Prevent there. The steps in this guide are written to allow testing in our lab or in yours.
This process might take a few minutes to complete. Feel free to minimize the download window and proceed with the sensor download and install from step 2.
Once you have the sensor installed with prevention policies enabled, you are ready to test with live samples. You can choose from the following tests: Malware | Ransomware | PowerShell | Persistence | Phishing Attack | Application Management.
CrowdStrike Falcon uses an Indicator of Attack or IOA, to represent a series of actions that an attacker must conduct during a successful attack. IOAs are concerned with the execution of these steps, the intent of the adversary, and the outcomes that adversary is trying to achieve. This allows Falcon Prevent to identify and block new and unknown threats based on the tactics, techniques, and procedures used by the attacker.
Without Falcon Prevent on this system, a command prompt would have appeared, giving the attacker full system access (NT AUTHORITY\SYSTEM). This is an example of attacker behavior that does not use malware and is commonly missed by legacy AV solutions. Falcon Prevent stopped this persistence mechanism even though no malware was used.
In both of these examples, no malware was used. These are examples of fileless attacks. Falcon Prevent identified a behavior that was suspicious and protected the user. This is an example of the power of IOAs: IOAs identify malicious behavior no matter how it is delivered.
Falcon Prevent allows you to manually block or allow applications based on your organization’s unique needs.
Managing your hash policy can be done directly from a detection. This means that if a detection is created for a malicious file, it can immediately be added to the blacklist using the “Execution Details” pane on the right of the selected alert. Simply click the “Update Hash Policy” button for the selected hash and make changes. The same is true if a custom application is causing false alerts and needs to be added to the whitelist.
These commands will make temporary changes to the machine in order to demonstrate real world examples. However, they do not use live malware. You can also conduct testing scenarios with actual malware in the Windows-based CloudShare virtual environment. The guide for this can be found under the Windows tab.
This detection illustrates Falcon’s ability to respond to malicious behaviors with IOAs. An Indicator of Attack, or IOA, represents a series of actions that an application or adversary must conduct during a successful attack. IOAs are concerned with the execution of these steps, the intent of the adversary, and the outcomes that adversary is trying to achieve. This is superior to using Indicators of Compromise (IOCs) or signatures because it allows Falcon Prevent to block new and unknown threats. This specific command makes a copy of whoami with a .pdf extension and then executes it. Changing the extension of an existing tool will trigger a Falcon detection for masquerading. The command includes a removal of the file, so no additional clean-up or reversal is needed.
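The masquerading case above (an executable carrying a document extension) is the kind of mismatch a defender can check for independently of any product. The script below is an added example, not part of the trial guide and not CrowdStrike's code: it compares each file's leading magic bytes with its extension and reports executables hiding behind non-executable names. The magic-byte table, the extension list and the sample files written to a temporary directory are all constructed for this demo.

```python
"""Flag executables masquerading under a non-executable file extension.

Added example (not CrowdStrike's code). It inspects the first bytes of
each file and compares the detected container format with the extension,
which is one way to catch the 'whoami copied as .pdf' case described in
the trial guide. All sample files are constructed in a temp directory.
"""
import os
import tempfile

# Assumption: this short magic-byte table is enough for the demo; a real
# scanner would use a fuller set and also parse the headers it matches.
EXECUTABLE_MAGIC = {
    b"MZ": "pe",                    # Windows PE (exe/dll/sys)
    b"\x7fELF": "elf",              # Linux ELF
    b"\xcf\xfa\xed\xfe": "macho",   # 64-bit Mach-O, little-endian
    b"\xca\xfe\xba\xbe": "macho-fat",
}

# Extensions under which an executable is expected (assumption for the demo;
# "" covers extensionless Unix binaries such as whoami on macOS).
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".com", ".elf", ""}


def detect_format(path):
    """Return the executable format name from magic bytes, or None."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    for magic, fmt in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return fmt
    return None


def is_masquerading(path):
    """True when the content is executable but the extension says otherwise."""
    fmt = detect_format(path)
    if fmt is None:
        return False
    ext = os.path.splitext(path)[1].lower()
    return ext not in EXECUTABLE_EXTENSIONS


def scan_directory(root):
    """Return sorted (filename, format) pairs for masquerading files."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if is_masquerading(full):
                hits.append((name, detect_format(full)))
    return sorted(hits)


def build_sample_dir():
    """Write constructed sample files and return the directory path."""
    d = tempfile.mkdtemp(prefix="masq_demo_")
    samples = {
        "report.pdf": b"MZ\x90\x00" + b"\x00" * 60,  # PE bytes behind a .pdf name
        "notes.pdf": b"%PDF-1.7\n",                  # genuine PDF header
        "tool.exe": b"MZ\x90\x00" + b"\x00" * 60,    # PE with a normal extension
        "image.png": b"\x7fELF" + b"\x00" * 12,      # ELF behind a .png name
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


def demo():
    """Build the sample directory, scan it, and return the findings."""
    return scan_directory(build_sample_dir())


if __name__ == "__main__":
    for name, fmt in demo():
        print(f"masquerading: {name} is actually {fmt}")
```

Extension-versus-content checks are cheap and catch simple renames; they do not replace behavioral detection, since an attacker can also run the tool under its real name from an unusual parent process, which is the kind of sequence an IOA is meant to capture.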
This detection is another example of Falcon’s use of IOAs. Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. This allows the adversary to assume the identity of the account, with all of that account’s permissions on the system and network, and makes it harder for defenders to detect the adversary. With sufficient access within a network, an adversary can create accounts for later use within the environment.
Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear-text password, from the operating system and software. Credentials can then be used to perform lateral movement and access restricted information. The command listed below will query the ‘shadowhash’ for a user via the terminal. This command could be used on a macOS host to gather information used to decrypt passwords. No clean-up is needed on the system after executing this command.
This detection is another example of Falcon’s use of IOAs. Data exfiltration (aka “data extrusion”) is the unauthorized transfer of data from a host. The transfer of data can be accomplished manually by someone with physical access, or automated and carried out through malware over a network. The contents of this script show transferring (exfiltration) of a fake file over a DNS request covert channel.
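A DNS covert channel like the one the script above exercises leaves a recognisable footprint in resolver logs: many distinct, long, random-looking subdomains under a single registrable domain. The following is an added example, not part of the trial guide and not CrowdStrike's code, showing how a defender might score such logs. The log format (timestamp, client, query name), the thresholds and the sample lines, including the base32-style chunk labels under tunnel.example.net, are all constructed assumptions for this demo.

```python
"""Flag DNS query patterns consistent with a DNS covert channel.

Added example (not CrowdStrike's code). It scores constructed resolver log
lines on three signals: length of the leftmost label, character entropy of
that label, and the number of distinct names under one registrable domain.
Log format and thresholds are assumptions chosen for this demo.
"""
import math
from collections import defaultdict

# Constructed sample log: "<timestamp> <client> <query name>". The names under
# tunnel.example.net carry random-looking chunk labels; the rest is routine.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com
2024-01-01T10:00:02 10.0.0.5 mail.example.com
2024-01-01T10:00:03 10.0.0.7 a7q3zk9mwx2pv5bn8rtc4jhd.0001.tunnel.example.net
2024-01-01T10:00:03 10.0.0.7 f2y6ulg0sioe8kxz9n3cqvr5.0002.tunnel.example.net
2024-01-01T10:00:04 10.0.0.7 m9t4hbpw1dz6ajkeurc3ns7y.0003.tunnel.example.net
2024-01-01T10:00:04 10.0.0.7 x5vco2qgl8ifh4ydkwn7bzet.0004.tunnel.example.net
2024-01-01T10:00:05 10.0.0.7 r3ksuzq7pm6yhaw0c2t9vjxn.0005.tunnel.example.net
2024-01-01T10:00:06 10.0.0.5 cdn.example.com
2024-01-01T10:00:07 10.0.0.9 login.example.org
"""

MAX_LABEL_LEN = 20       # assumption: ordinary hostnames are shorter than this
MIN_ENTROPY = 3.0        # assumption: bits per character; encoded data scores high
MIN_DISTINCT_SUBS = 5    # assumption: many unique names under one domain


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(name):
    """Assumption: the last two labels form the registrable domain (no PSL)."""
    parts = name.rstrip(".").split(".")
    return ".".join(parts[-2:])


def parse_line(line):
    ts, client, qname = line.split()
    return ts, client, qname.lower()


def analyze(log_text):
    """Return per-domain statistics and a suspicious flag."""
    per_domain = defaultdict(lambda: {"subs": set(), "labels": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, _, qname = parse_line(line)
        dom = registrable_domain(qname)
        per_domain[dom]["subs"].add(qname)
        per_domain[dom]["labels"].append(qname.split(".")[0])

    findings = {}
    for dom, info in per_domain.items():
        labels = info["labels"]
        mean_len = sum(len(lab) for lab in labels) / len(labels)
        mean_ent = sum(shannon_entropy(lab) for lab in labels) / len(labels)
        suspicious = (
            len(info["subs"]) >= MIN_DISTINCT_SUBS
            and mean_len > MAX_LABEL_LEN
            and mean_ent > MIN_ENTROPY
        )
        findings[dom] = {
            "distinct": len(info["subs"]),
            "mean_label_len": round(mean_len, 1),
            "mean_entropy": round(mean_ent, 2),
            "suspicious": suspicious,
        }
    return findings


def suspicious_domains(log_text=SAMPLE_LOG):
    """Sorted list of registrable domains that trip all three thresholds."""
    return sorted(d for d, f in analyze(log_text).items() if f["suspicious"])


if __name__ == "__main__":
    for dom, f in analyze(SAMPLE_LOG).items():
        print(dom, f)
```

Requiring all three signals together keeps CDN and cloud hostnames, which can be long but are few and low-entropy, from being flagged; in production the thresholds would be tuned against the organisation's own baseline, and the volume of queries per client over time would be added as a fourth signal.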
In the previous sections, we have seen that Falcon Prevent is lightweight and easy to install and manage.
In this section, we saw that Falcon Prevent can protect users from all types of attacks, from the commodity malware attack to more complex phishing. We have even seen Falcon block tactics that are typically indicative of targeted attacks that leverage tools like PowerShell.
Being fast, simple, and effective is great, but if the solution doesn’t provide ways to easily handle alerts and triage events, you only trade one problem for another.
Your feedback is highly appreciated and will help us to improve our ability to serve you and other users of our web sites. Please send feedback about this section of the trial guide to falcontrial@crowdstrike.com.