Note that these commands will make temporary changes to the machine in order to demonstrate real world examples. However, they do not use live malware.
1. Defense Evasion Techniques
This detection illustrates Falcon's ability to respond to malicious behaviors with IOAs. An Indicator of Attack (IOA) represents a series of actions that an application or adversary must carry out during a successful attack. IOAs are concerned with the execution of these steps, the intent of the adversary, and the outcome the adversary is trying to achieve. This is superior to relying on Indicators of Compromise (IOCs) or signatures because it allows Falcon Prevent to block new and unknown threats.
This specific command makes a copy of whoami with the pdf extension and then executes it. Changing the extension of an existing tool will trigger a Falcon detection for masquerading. The command includes a removal of the file so no additional clean up or reversal is needed.
a. Open a terminal
b. Type or copy and paste this command:
cd ~/Desktop; cp /usr/bin/whoami whoami.pdf; ./whoami.pdf; rm whoami.pdf
c. Next, go to the Falcon UI and navigate to Activity > Detections. You should see a new alert, which indicates that the malicious activity was detected.
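The masquerading step above works because the file's extension no longer matches what its bytes actually are. The following shell script is an added example, not part of this guide or of Falcon, that shows the same mismatch check a defender can run on disk: it reads the first four bytes of each file and flags a document or media extension sitting on a Mach-O, universal-binary or ELF header. It uses only `od`, `tr` and `awk`, so it runs on macOS and Linux; the extension list and the directory layout are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the guide): flag files whose extension says "document"
# but whose leading bytes say "native executable" (the whoami.pdf case above).

# Print the first four bytes of a file as lowercase hex with no separators.
file_magic() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Return 0 if the magic bytes belong to a Mach-O (32/64-bit, either byte order),
# a universal/fat binary, or an ELF file.
is_native_executable() {
    case "$(file_magic "$1")" in
        feedface|cefaedfe|feedfacf|cffaedfe|cafebabe|bebafeca|7f454c46) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 (masquerading) when the extension is a document/media type
# but the content is a native executable. Extension list is an assumption.
is_masquerading() {
    ext=$(printf '%s' "$1" | awk -F. 'NF>1{print tolower($NF)}')
    case "$ext" in
        pdf|doc|docx|txt|jpg|jpeg|png|mp3|mov) is_native_executable "$1" ;;
        *) return 1 ;;
    esac
}

# Scan one directory: report each masquerading file on stderr,
# print the total number found on stdout.
scan_dir() {
    count=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if is_masquerading "$f"; then
            echo "MASQUERADE: $f (magic $(file_magic "$f"))" >&2
            count=$((count + 1))
        fi
    done
    echo "$count"
}
```

Run `scan_dir ~/Desktop` while the guide's command is still on disk to see the copy reported; note that this check only covers files already written, whereas the IOA fires on the execution itself.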
2. Credential Theft Detect
This detection is another example of Falcon's use of IOAs.
Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. This allows the adversary to assume the identity of the account, with all of that account's permissions on the system and network, and makes it harder for defenders to detect the adversary. With sufficient access within a network, an adversary can create accounts for later use within the environment.
Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
The command listed below queries the 'shadowhash' for a user via the terminal. On a macOS host, this command could be used to gather the hashed password material an attacker would then try to recover passwords from offline. No clean up is needed on the system after executing this command.
a. Open a terminal
b. Type or copy and paste this command:
sudo dscl . read /Users/$USER dsAttrTypeNative:ShadowHashData
c. Switch back to the Falcon UI and go to Activity > Detections and see that there is a new Prevention event with the Tactic & Technique “Credential Access via Credential Dumping”. The green checkmark indicates that this activity was successfully blocked.
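Falcon catches the dscl read above as an IOA at execution time. As an added example that is not part of this guide or of Falcon, the script below shows the equivalent log-side rule: it filters process-execution records for `dscl` invocations that read the `ShadowHashData` attribute and turns each into an alert line. The log format (timestamp, user, command line) and every sample line are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the guide): flag dscl reads of ShadowHashData in a
# process-execution log. Record format and sample lines are constructed.

# Constructed sample log: <timestamp> <user> <command line>
SAMPLE_LOG=$(cat <<'EOF'
2024-01-01T10:00:01Z alice /usr/bin/dscl . read /Users/alice RealName
2024-01-01T10:00:05Z alice sudo dscl . read /Users/alice dsAttrTypeNative:ShadowHashData
2024-01-01T10:00:09Z bob   /usr/bin/dscl . -read /Users/bob ShadowHashData
2024-01-01T10:00:12Z bob   ls -la /Users/bob
EOF
)

# Read log lines on stdin; print one ALERT line per dscl read of ShadowHashData.
# Matching is case-insensitive and accepts both the "read" and "-read" forms.
# Reading other attributes (RealName above) is normal and is not flagged.
cred_dump_alerts() {
    grep -iE 'dscl.*[[:space:]]-?read[[:space:]].*ShadowHashData' \
    | awk '{
        ts = $1; user = $2; $1 = ""; $2 = ""; sub(/^ +/, "")
        printf "ALERT ts=%s user=%s cmd=%s\n", ts, user, $0
      }'
}

# Number of alert lines for the log given on stdin.
count_cred_dump_alerts() {
    cred_dump_alerts | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | cred_dump_alerts
```

Feed it real process telemetry with `cred_dump_alerts < exec.log`; the `user` field makes it easy to see whether the read came from an administrator session or from an account that has no business touching password hashes.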
3. DNS Exfil Block
This detection is another example of Falcon's use of IOAs.
Data exfiltration (aka "data extrusion") is the unauthorized transfer of data from a host. The transfer can be done manually by someone with physical access, or automated and carried out by malware over a network. The script used in this example transfers (exfiltrates) a fake file over a DNS request covert channel.
For the next example, you will need to download a script file that helps illustrate data exfiltration. The script creates ten temporary files, zips them into one package and outputs a hex dump of those files. It removes all of the temporary files so that no additional clean up is required following the test.
a. To download the file, follow the steps below.
Initiate the download using this link.
Click “Download” in the top right corner of the window.
b. Set permissions on the script by navigating to the directory where the script is stored and run the following command to set executable permissions. (The example shown specifies the default “Downloads” folder.)
chmod +x dns-exfil.sh
c. In the same window, run the command below to execute the script. You will see additional activity in the terminal window as the script runs.
./dns-exfil.sh
After the script runs successfully, you can close the terminal session.
d. Switch back to the Falcon UI and go to Activity > Detections and see that there is a new Prevention event with the Tactic & Technique "Exfiltration via Exfiltration Over Alternative Protocol".
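The script sends a hex dump of the zipped files inside DNS query names, which is what gives this channel its signature: query names whose leading labels are long runs of hexadecimal characters. The following script is an added example, not part of this guide, of Falcon or of dns-exfil.sh, that applies that heuristic to a DNS query log and reports the offending client and name. The log format, the sample lines and the minimum label length of 16 hex characters are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the guide): flag DNS queries whose first label looks
# like encoded data (long hexadecimal label), the pattern a hex-dump-over-DNS
# channel produces. Log format and sample lines are constructed.

# Constructed sample DNS log: <time> client=<ip> query=<name>
SAMPLE_DNS=$(cat <<'EOF'
10:00:01 client=10.0.0.5 query=www.example.com
10:00:02 client=10.0.0.5 query=504b0304140000000800.21b1c4f2a9.exfil.example.net
10:00:02 client=10.0.0.5 query=8b08000000000000ff0e.c0b3d8e1f1.exfil.example.net
10:00:03 client=10.0.0.5 query=mail.example.com
10:00:04 client=10.0.0.7 query=a1b2c3d4e5f60718293a4b5c6d7e8f90.data.example.org
EOF
)

# Return 0 if the first label of NAME is purely hexadecimal and at least
# MIN_LEN characters long (default 16; an assumption of this example).
looks_encoded() {
    name=$1; min_len=${2:-16}
    first=${name%%.*}
    [ ${#first} -ge "$min_len" ] || return 1
    case "$first" in
        *[!0-9a-fA-F]*) return 1 ;;   # any non-hex character: ordinary hostname
        *) return 0 ;;
    esac
}

# Read log lines on stdin; print an ALERT line for each encoded-looking query.
dns_exfil_hits() {
    while IFS= read -r line; do
        q=${line##*query=}
        if looks_encoded "$q"; then
            c=${line##*client=}; c=${c%% *}
            printf 'ALERT client=%s query=%s\n' "$c" "$q"
        fi
    done
}

# Number of alert lines for the log given on stdin.
count_dns_exfil_hits() {
    dns_exfil_hits | wc -l | tr -d ' '
}

# Hits per client, most active first: one chatty client is the exfil signal.
hits_per_client() {
    dns_exfil_hits | awk '{print $2}' | sort | uniq -c | sort -rn
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_DNS" | hits_per_client
```

Legitimate services do sometimes use long hex labels (content hashes, CDN cache keys), so the per-client count and the query rate matter more than any single hit; the guide's script stands out because one client emits a burst of such names to one domain in a few seconds.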