


Note that these commands will make temporary changes to the machine in order to demonstrate real-world examples. However, they do not use live malware.

Step-by-Step Instructions

1. Defense Evasion Techniques

This detection illustrates Falcon’s ability to respond to malicious behaviors with IOAs. An Indicator of Attack, or IOA, represents a series of actions that an application or adversary must conduct during a successful attack. IOAs are concerned with the execution of these steps, the intent of the adversary, and the outcomes that the adversary is trying to achieve. This is superior to using Indicators of Compromise (IOCs) or signatures because it allows Falcon Prevent to block new and unknown threats.

This specific command makes a copy of whoami with the .pdf extension and then executes it. Changing the extension of an existing tool will trigger a Falcon detection for masquerading. The command also removes the copied file, so no additional cleanup or reversal is needed.

a. Open a terminal

b. Type or copy and paste this command:

cd ~/Desktop; cp /usr/bin/whoami whoami.pdf; ./whoami.pdf; rm whoami.pdf

c. Next, go to the Falcon UI and navigate to Activity > Detections. You should see a new alert, which indicates that the malicious activity was detected.
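The masquerading pattern from this step can also be checked at the file level. The script below is an added example, not part of the original walkthrough and not Falcon's detection logic: it flags files whose document-style extension hides a native executable header. The function names, the extension list and the magic-number table are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: flag files whose document-style extension hides a native
# executable. Extension list and magic-number table are illustrative assumptions.

# Print the first four bytes of a file as lowercase hex (7f454c46 for ELF).
magic_of() {
    head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Return 0 if the hex magic belongs to a native executable format.
is_native_magic() {
    case "$1" in
        7f454c46) return 0 ;;                             # ELF (Linux)
        feedface|feedfacf|cefaedfe|cffaedfe) return 0 ;;  # Mach-O, 32/64-bit, both byte orders
        cafebabe|bebafeca) return 0 ;;                    # Mach-O universal binary (also Java class files)
    esac
    return 1
}

# Walk a directory tree and print each masquerading candidate, one per line.
find_masquerades() {
    find "$1" -type f \( -name '*.pdf' -o -name '*.doc' -o -name '*.docx' \
        -o -name '*.txt' -o -name '*.jpg' -o -name '*.png' \) 2>/dev/null |
    while IFS= read -r f; do
        # Report only when the content is executable despite the extension.
        if is_native_magic "$(magic_of "$f")"; then
            echo "$f"
        fi
    done
}

# Stand-alone use: scan the directory given as the first argument,
# for example "$HOME/Desktop".
if [ "$#" -gt 0 ]; then
    find_masquerades "$1"
fi
```

Because the test command deletes whoami.pdf as soon as it has run, a scan like this only finds copies that are still on disk; the execution-time detection in the Falcon UI is what records the short-lived file.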

2. DNS Exfil Detection

This detection is another example of Falcon’s use of IOAs.

Data exfiltration (aka “data extrusion”) is the unauthorized transfer of data from a host. The transfer can be performed manually by someone with physical access, or automated and carried out by malware over a network. The script in this example demonstrates transferring (exfiltrating) a fake file over a DNS request covert channel.

For the next example, you will need to download a script file that helps illustrate data exfiltration. The script creates ten temporary files, zips them into one package and outputs a hex dump of those files. It removes all of the temporary files so that no additional cleanup is required following the test.

a. To download the file, follow the steps below.

Initiate the download using this link.

Click “Download” in the top right corner of the window.

b. Set permissions on the script by navigating to the directory where the script is stored and running the following command to set executable permissions. (The example shown specifies the default “Downloads” folder.)

chmod +x dns-exfil.sh

c. In the same window, run the command below to execute the script. You will see additional activity in the terminal window as the script runs.


After the script runs successfully, you can close the terminal session.

d. Switch back to the Falcon UI and go to Activity > Detections. You should see a new Detection event with the Tactic & Technique “Exfiltration via Exfiltration Over Alternative Protocol”.