Malware and advanced attack testing

• If you have not done so, reach out to the Falcon Trial Team at FalconTrial@CrowdStrike.com to request access to the virtual malware lab. The lab is hosted by CloudShare.
• You will receive an email invitation from CloudShare. Click the link and follow the prompts to complete your registration.
• Click on the Virtual Malware Lab tab in the navigation bar to access your test machine. Your lab may take a few minutes to upload. Feel free to move to Step 2.

Download malware samples.

Double click Download Samples to download all files. You must Download Samples before installing the Falcon sensor. If you had previously skipped this step, revert your environment to go back to the default state.

To revert your environment:

• Select Environmental Actions > Revert environment
• A script will retrieve all samples and place them into the Sample Files folder on your desktop.
• Type any key inside the script to continue.

Deploy the Falcon sensor

After you've downloaded the samples and before you begin testing, either in your own lab or in the provided virtual environment, you’ll need to deploy sensors on each host and verify sensors are successfully installed and connected to our cloud.

Step-by-step instructions:

• Log into your trial account.
• Select the Falcon Resource Center > Essential skills > “Protect my endpoints” for your operating system. You will be guided through the sensor deployment process.
• For more help on sensor deployment: https://www.crowdstrike.com/free-trial-guide/start-and-install/

Verify active host and prevention policy

• The newly installed sensor should have a prevention policy.
• Confirm on CrowdStrike Falcon platform. Go to Host setup and management > Host management. Verify that you see your hostname CSFALCONPREVENT listed. The Prevention Policy column should show platform_default as the assigned policy.

• Confirm with Windows Security. Look for CrowdStrike Falcon Sensor under Virus & threat protection.

• Let’s test with a non-malicious sample to ensure that the host has a working sensor under the default prevention policy.
• Double click on Sample Files , select Non-Malicious and execute cs_maltest.exe.
• With your default Windows prevention policy, you may see two messages, similar to the ones here, on the client system.

This will also generate a detection on the Falcon Platform.

• Go to Endpoint security > Activity dashboard. The New detections card should show 4 New detections (including 3 sample detections). The Most recent detections card should also show a new High Severity detection.

• Now go to Endpoint security > Endpoint detections. You should see the High severity detection on your Host CSFALCONPREVENT.
• With each test, you will generate a new detection.
• Now that you have the sensor installed with the default prevention policy enabled, you are ready to test with live samples.

Once you have the sensor installed, you can begin testing with actual malware. Malware is software that is meant to harm endpoints like computers, networks, or servers.

• Double click on Sample Files and select Malware to see the malware samples we have provided for you.
• Use these samples to generate detections on the Falcon platform and manage these detections on the Endpoint detections page .

• Run a malware sample from Windows Explorer.
• Double click on any of the malware samples.
• Now navigate back to Endpoints security > Endpoint detections on the Falcon platform Click on the Full detections details icon.
• Notice that explorer.exe is the parent process.
• This helps you understand how an attack was executed.

• Run a sample from a command prompt (cmd.exe).
• Open the command prompt.
• Grab a sample and upload it to the command prompt.
• Navigate to the Endpoint detections page and select the detection. Notice how the parent process for the malware is now cmd.exe.

In recent years, ransomware has emerged as one of the most prevalent and problematic malware types.

We have collected recent samples of prominent ransomware families like Locky and WannaCry and made them available in your lab.

• Let’s start with WannaCry, the ransomware that attacked the National Health Service in 2017.
• Double click Sample Files, select Ransomware then run WannaCry. You should see both Windows and CrowdStrike Falcon Sensor notifications..
• Go back to your Ransomware samples and run Locky.
• Go to the Execution details of the Locky detection. You will be able to see the Action Taken, Tactic & Technique used and other useful information.

Bad actors can use PowerShell maliciously to compromise your system. Let’s take a look at how Falcon uses indicators of attack (IOAs*) to identify and block malicious PowerShell scripts.

• Navigate to Desktop > Sample Files > IOAs-Behavioral.
• Double-click the Credential_Dumping.bat batch file. This script will run an encoded powershell command to capture credentials.
• Navigate to the Endpoint detections page and inspect the new detection.
• In the Execution details pane, find the Command Line detail and make sure that the toggle for Show decoded is on. We can see the full command line argument that was used. No other antivirus (AV) solution provides that level of detail. You can see how this PowerShell script would have downloaded Mimikatz.

Persistence is when a bad actor maintains an undetected presence in a network for a prolonged period of time with the intention to steal information. Let’s take a look at how Falcon uses IOAs* to identify and block bad actors’ attempts to remain hidden.

• Navigate to Desktop > Sample Files > IOAs-Behavioral.
• Double-click the Sticky_Keys.bat batch file.
• The file will run in a command prompt window.
• It will secretly modify a registry key that would allow an attacker to login to the machine without ever having to provide a username or password.
• Use the virtual lab Keyboard and select the “send ctrl+alt+delete” button to bring up the Windows lock screen.
• Click on the Ease of Access option in the lower left hand corner and on the screen that pops up.
• Check the box for Type without the keyboard (On-Screen Keyboard) then hit Apply.

Without Falcon, a command prompt would have appeared, giving the attacker full system access (NT AUTHORITY\SYSTEM). This is an example of attacker behavior that does not use malware and is commonly missed by legacy AV solutions. Falcon stopped this persistence mechanism even though no malware was used.

• You will find a new, critical alert under Most recent detections on your Activity dashboard and on your Endpoint detections page.
• Exit the Windows lock screen and switch back to the Falcon platform.
• By expanding the new alert on the Endpoint detections page, we can see reg.exe was blocked and how the Tactic & Technique is Persistence. See how the IOA Description recommends that you investigate the registry key.