
EFFICACY

Falcon Prevent provides a major improvement in protection against modern threats on your endpoints. Right out of the box you get complete protection against ransomware and other advanced malware. Falcon Prevent also goes far beyond malware by providing protection against fileless attacks, hands-on-keyboard activity, exploits, and phishing attacks.

Falcon Prevent has had its efficacy tested by AMTSO member security testing companies and has been certified to replace legacy antivirus solutions. No other next-generation antivirus product participates in as many public, non-paid recurring tests as Falcon Prevent. We have received certifications from SE Labs, AV-Comparatives, AV-TEST, and MRG Effitas. These attest to our efficacy, performance and usability.

In this next section you will walk through testing scenarios with a few commands to illustrate the power of the Falcon Agent. You can perform these tests on the same system used in Section 1 - Installation.

Note that these commands will make temporary changes to the machine in order to demonstrate real world examples. However, they do not use live malware.


Step-by-Step Instructions


1. Defense Evasion Techniques

This detection illustrates Falcon’s ability to respond to malicious behaviors with IOAs. An Indicator of Attack (IOA) represents a series of actions that an application or adversary must carry out during a successful attack. IOAs are concerned with the execution of these steps, the intent of the adversary and the outcome the adversary is trying to achieve. This is superior to relying on Indicators of Compromise (IOCs) or signatures because it allows Falcon Prevent to block new and unknown threats.

This specific command makes a copy of whoami with a .pdf extension and then executes it. Changing the extension of an existing tool triggers a Falcon detection for masquerading. The command also removes the file afterwards, so no additional clean-up or reversal is needed.

a. Open a terminal

b. Type or copy and paste this command:

cd ~/Desktop; cp /usr/bin/whoami whoami.pdf; ./whoami.pdf; rm whoami.pdf

c. Next, go to the Falcon UI and navigate to Activity > Detections. You should see a new alert, which indicates that the malicious activity was detected.

2. Credential Theft Detect

This detection is another example of Falcon’s use of IOAs.

Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. This allows the adversary to assume the identity of the account, with all of that account's permissions on the system and network, and makes it harder for defenders to detect the adversary. With sufficient access within a network, an adversary can create accounts for later use within the environment.

Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.

The command listed below queries the 'shadowhash' for a user via the terminal. This command could be used on a macOS host to gather information used to recover passwords. No clean-up is needed on the system after executing this command.

a. Open a terminal

b. Type or copy and paste this command:

sudo dscl . read /Users/$USER dsAttrTypeNative:ShadowHashData

c. Switch back to the Falcon UI and go to Activity > Detections and see that there is a new Prevention event with the Tactic & Technique “Credential Access via Credential Dumping”. The green checkmark indicates that this activity was successfully blocked.
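As an added example (not CrowdStrike's code and not the Falcon agent's own rules), here is a minimal IOA evaluator over constructed process events that raises an alert for both walkthrough commands from steps 1 and 2 while leaving benign runs of the same tools alone. The event format, the baseline hash table, the file paths and the placeholder hashes are assumptions made for the illustration.

```python
import hashlib, os, re
from dataclasses import dataclass

# Constructed baseline of trusted tools: SHA-256 of the file on disk -> name.
# A real deployment takes this from the agent's file inventory; the hash here
# is computed from a constructed byte string, not from the real binary.
TOOL_BYTES = {"whoami": b"constructed stand-in for the bytes of /usr/bin/whoami"}
KNOWN_TOOL_HASHES = {hashlib.sha256(b).hexdigest(): n for n, b in TOOL_BYTES.items()}
NON_EXEC_EXT = {".pdf", ".txt", ".jpg", ".png", ".doc", ".docx"}
SHADOW_RE = re.compile(r"\bdscl\b.*\bread\b.*ShadowHashData", re.I)

@dataclass
class ProcEvent:
    image_path: str   # path the process was executed from
    sha256: str       # hash of the executed file
    cmdline: str      # full command line

def masquerading(ev):
    """IOA: a trusted tool's bytes executed under another name or extension."""
    expected = KNOWN_TOOL_HASHES.get(ev.sha256)
    if expected is None:
        return None
    base, ext = os.path.splitext(os.path.basename(ev.image_path))
    if ext.lower() in NON_EXEC_EXT or base != expected:
        return f"Masquerading: {expected} executed as {ev.image_path}"
    return None

def credential_dumping(ev):
    """IOA: reading a local account's ShadowHashData through dscl."""
    if SHADOW_RE.search(ev.cmdline):
        return "Credential Access via Credential Dumping: " + ev.cmdline
    return None

RULES = (masquerading, credential_dumping)

def evaluate(events):
    """Run every IOA rule over each event; return the alerts raised, in order."""
    return [a for ev in events for rule in RULES if (a := rule(ev))]

# Constructed events: the two walkthrough commands plus benign look-alikes.
WHOAMI_HASH = hashlib.sha256(TOOL_BYTES["whoami"]).hexdigest()
DSCL_HASH = "0" * 64   # placeholder hash for dscl itself (not a baseline tool here)
SAMPLE_EVENTS = [
    ProcEvent("/usr/bin/whoami", WHOAMI_HASH, "whoami"),
    ProcEvent("/Users/demo/Desktop/whoami.pdf", WHOAMI_HASH, "./whoami.pdf"),
    ProcEvent("/usr/bin/dscl", DSCL_HASH, "sudo dscl . read /Users/demo dsAttrTypeNative:ShadowHashData"),
    ProcEvent("/usr/bin/dscl", DSCL_HASH, "dscl . read /Users/demo RealName"),
]
```

Calling evaluate(SAMPLE_EVENTS) yields exactly two alerts, one per walkthrough command; the plain whoami run and the dscl read of RealName produce none.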

3. DNS Exfil Block

Data exfiltration (also called “data extrusion”) is the unauthorized transfer of data from a host. The transfer can be carried out manually by someone with physical access, or automated and carried out by malware over a network. The script used here shows the transfer (exfiltration) of a fake file over a DNS request covert channel.

For the next example, you will need to download a script file that helps illustrate data exfiltration. The script creates ten temporary files, zips them into one package and outputs a hex dump of those files. It removes all of the temporary files so that no additional clean up is required following the test.

a. To download the file, follow the steps below.

b. Set permissions on the script: navigate to the directory where the script is stored and run the following command to make it executable. (The example shown assumes the default “Downloads” folder.)

chmod +x dns-exfil.sh

c. In the same window, run the command below to execute the script. You will see additional activity in the terminal windows as the script runs.

./dns-exfil.sh

After the script runs successfully, you can close the terminal session.

d. Switch back to the Falcon UI and go to Activity > Detections and see that there is a new Prevention event with the Tactic & Technique "Exfiltration via Exfiltration Over Alternative Protocol".
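As an added example (not part of the walkthrough and not the dns-exfil.sh script), the detection side of this scenario: a small analyzer that groups constructed DNS query log lines by registered domain and flags domains receiving several long hex-looking labels, the pattern a hex dump carried in query names produces. The log format, the domain names, the client address and the thresholds are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log, one "<time> <client> <qname>" per line. The first
# four queries mimic hex-dump chunks of a zip archive carried as the leftmost
# label of a query name; the rest are ordinary lookups. All domains are
# placeholders, not real infrastructure.
DNS_LOG = """\
10:00:01 10.0.0.5 504b0304140000000800.tmp-exfil.example
10:00:01 10.0.0.5 21b6cb6c9a1d0000003a.tmp-exfil.example
10:00:02 10.0.0.5 0a0000001c0000006669.tmp-exfil.example
10:00:02 10.0.0.5 6c65312e74787455540a.tmp-exfil.example
10:00:03 10.0.0.5 www.example.com
10:00:04 10.0.0.5 cdn.example.net
10:00:05 10.0.0.5 mail.example.com
"""
# A leftmost label of 16+ hex characters is not a name a person would type.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")

def entropy(s):
    """Shannon entropy of a string in bits per character (at most 4.0 for hex)."""
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parse(log):
    """Split each non-empty log line into (time, client, qname)."""
    return [tuple(line.split()) for line in log.splitlines() if line.strip()]

def find_exfil(log, min_hex_labels=3):
    """Per registered domain (last two labels), count queries whose leftmost
    label looks like encoded data; flag domains with min_hex_labels or more."""
    stats = defaultdict(lambda: {"queries": 0, "hex_labels": 0, "entropies": []})
    for _time, _client, qname in parse(log):
        labels = qname.lower().split(".")
        domain = ".".join(labels[-2:])
        st = stats[domain]
        st["queries"] += 1
        if HEX_LABEL.match(labels[0]):
            st["hex_labels"] += 1
            st["entropies"].append(entropy(labels[0]))
    flagged = {}
    for domain, st in stats.items():
        if st["hex_labels"] >= min_hex_labels:
            mean_ent = sum(st["entropies"]) / len(st["entropies"])
            flagged[domain] = {"queries": st["queries"], "hex_labels": st["hex_labels"],
                               "mean_label_entropy": round(mean_ent, 2)}
    return flagged
```

find_exfil(DNS_LOG) flags only tmp-exfil.example; the mean label entropy is reported so an analyst can see that zip headers (many zero bytes) score lower than compressed payload chunks, which is why the count of hex-like labels, not entropy alone, is the gate.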

Take-aways

In the previous sections, we have seen that Falcon Prevent is lightweight and easy to install and manage. In this section, we saw that Falcon Prevent can protect users from different types of attacks, from credential theft and masquerading to data exfiltration. We have even seen Falcon prevent tactics that are typically indicative of targeted attacks that leverage trusted tools and applications. Being fast, simple and effective is great, but if the solution doesn’t provide ways to easily handle alerts and triage events, you only trade one problem for another. In the next section, we will show you how simple it is to triage alerts and manage cases directly in the Falcon UI.
