Malware and Malware-less Attack Testing
Your Falcon Prevent trial also allows you to test live malware samples and advanced attack techniques using a safe, cloud-based Windows lab environment called CloudShare. Details about this lab are included in the email you received after you signed up for the trial.
While this is an optional step for your evaluation, conducting live tests using malware and malware-less attack techniques helps demonstrate how Falcon can protect your environment.
If you already have a secure malware testing lab, you can also test Falcon Prevent there. The steps in this guide are written to allow testing in our lab or in yours.
In this next section you will walk through testing scenarios with actual malware. You should NOT conduct these tests on your laptop or workstation, but rather in a dedicated malware testing environment. To facilitate this, the CloudShare virtual environment ensures that malware testing happens completely outside of your organization.
1. Accessing the cloud-based malware lab
If you already have your own malware lab set up, skip this step and proceed with step 2.
a. Together with your confirmation email for the Falcon Prevent Free Trial, you also received an email from cloudshare.com.
Click on the link in the email and follow the signup instructions to leverage our hosted lab environment.
b. Once your signup is complete, you will be able to log in to CloudShare and use the environment.
c. Click on the "Malware Lab" tab to access your test machine.
d. When you access it for the first time, click on the "Download Samples" icon on the Desktop. A script will retrieve recent malware, ransomware and even script-based attacks and put them into the "Sample Files" folder on your desktop. This process might take a few minutes to complete. Feel free to minimize the download window and proceed with the sensor download and install from step 2.
2. Lab Preparation
Now that you have your test machine ready, it is time to install Falcon Prevent.
a. Download and install the Falcon sensor
For sensor installation, please refer to the installation guide.
b. Verify active prevention policy
To test efficacy, the newly installed sensor should have a prevention policy. You can confirm that in the Falcon Interface. Go to Hosts > Host Management and verify that you see your hostname listed. The "Prevention Policy" column should show "platform_default" as the assigned policy.
Run the CrowdStrike prevention test file to validate the policy has been applied correctly. Go to Desktop > Sample Files > Non-Malicious and execute "cs_maltest.exe". With prevention enabled, you will see a message similar to the one below on the client system. This will also generate a detection event in the Falcon Interface.
Once you have the sensor installed with prevention policies enabled, you can begin testing with actual malware.
a. In the malware lab, navigate to Sample Files > Malware from the desktop.
We have provided about 25 different malware samples. Use these samples to generate detection events in the Falcon Interface.
1. Run a malware sample from Windows Explorer by double-clicking it. Now navigate back to the Falcon Interface and notice that explorer.exe is the parent process in the process tree. This helps you understand how an attack was executed.
2. Run a sample from a command prompt (cmd.exe). The parent process is now cmd.exe instead of explorer.exe.
3. Use HxD Hex Editor (already installed in the malware lab) to modify the file and change its hash. Then, run the modified sample to see that Falcon Prevent can block unknown malware.
In recent years, ransomware has emerged as one of the most prevalent and problematic malware types. We have collected recent samples of prominent ransomware families like Locky or WannaCry and made them available in your lab. To access them, go to Desktop > Sample Files > Ransomware. Feel free to run any of these ransomware files and see how Falcon Prevent provides complete protection against them.
CrowdStrike Falcon uses an Indicator of Attack, or IOA, to represent a series of actions that an attacker must conduct during a successful attack. IOAs are concerned with the execution of these steps, the intent of the adversary, and the outcomes that adversary is trying to achieve. This allows Falcon Prevent to identify and block new and unknown threats based on the tactics, techniques, and procedures used by the attacker.
Navigate to Desktop > Sample Files > IOAs-Behavioral.
Double-click the "Credential_Dumping.bat" batch file. This script runs an encoded PowerShell command to capture credentials.
Navigate to the Falcon Interface Detections page and inspect the new detection. Notice that the full command line parameters are available in the execution details pane.
In this alert, the process tree immediately shows us that PowerShell was run from a command prompt, that it was identified as Mimikatz, an LSASS process was accessed, and that the command was encoded. On the right in the Execution Details, we can see the full command line argument that was used. No other AV solution provides that level of detail.
Navigate to Desktop > Sample Files > IOAs-Behavioral. Double-click the "Sticky_Keys.bat" batch file. The file will run in a command prompt window. It will secretly modify a registry key that would allow an attacker to login to the machine without ever having to provide a username or password.
Now use the "send ctrl+alt+delete" button on the left-hand side of your malware lab screen to bring up the Windows lock screen. Click on the "Ease of Access" option in the lower-left corner and, on the screen that pops up, check the box for "Type without the keyboard (On-Screen Keyboard)". Then hit "Apply".
Without Falcon Prevent on this system, a command prompt would have appeared, giving the attacker full system access (NT AUTHORITY\SYSTEM). This is an example of attacker behavior that does not use malware and is commonly missed by legacy AV solutions. Falcon Prevent stopped this persistence mechanism even though no malware was used.
Cancel out of the Windows lock screen and switch back to the Falcon Interface. You will find a new, critical alert under Activity > Detections.
By expanding the new alert, we can see that cmd.exe was prevented from launching with system privileges and from bypassing the Windows logon process.
Note: In both of these examples, no malware was used. These are examples of file-less attacks. Falcon Prevent identified a behavior that was suspicious and protected the user. This is an example of the power of IOAs. IOAs identify malicious behavior - no matter how it is delivered.
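As an added defender's check that is not part of the CrowdStrike guide: the guide does not name the registry key the Sticky_Keys sample modifies, but the well-known persistence location for this lock-screen technique is the Image File Execution Options (IFEO) key of the Windows accessibility binaries, where a Debugger value makes Windows start another program in place of the tool, with the logon screen's SYSTEM privileges. The PowerShell function below (function and field names are the author's choices for this example) reads those keys and also compares each binary's embedded OriginalFilename against its own name, to catch the variant where the tool on disk has been replaced by a copy of another program. It only reads; run it from an elevated prompt so every key is readable.

```powershell
# Added example, not from the CrowdStrike guide. Read-only audit of the persistence
# location used by "Sticky Keys"-style lock-screen backdoors:
#   1. an IFEO "Debugger" value for an accessibility binary makes Windows launch that
#      debugger (as SYSTEM, from the logon screen) instead of the real tool;
#   2. the tool itself may have been overwritten by a copy of another program.
# Function and output field names are the author's choices for this example.

function Test-AccessibilityBinaryHijack {
    [CmdletBinding()]
    param()

    $ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $system32 = Join-Path $env:SystemRoot 'System32'

    # Binaries reachable from the lock screen's Ease of Access menu (or their launchers).
    $accessibilityBinaries = @(
        'sethc.exe',          # Sticky Keys
        'utilman.exe',        # Ease of Access (Utility Manager)
        'osk.exe',            # On-Screen Keyboard, as used in the guide's test
        'narrator.exe',
        'magnify.exe',
        'displayswitch.exe',
        'atbroker.exe'
    )

    foreach ($binary in $accessibilityBinaries) {
        $findings = @()

        # Check 1: a Debugger value under IFEO\<binary> is never legitimate for these tools.
        $keyPath  = Join-Path $ifeoRoot $binary
        $debugger = $null
        if (Test-Path -LiteralPath $keyPath) {
            $debugger = (Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue).Debugger
            if ($debugger) { $findings += "IFEO Debugger set to '$debugger'" }
        }

        # Check 2: the file on disk should still be the tool it claims to be. A copy of
        # cmd.exe renamed to sethc.exe keeps cmd.exe's embedded OriginalFilename, so a
        # mismatch here warrants manual review (builds differ in casing only, which is ignored).
        $filePath     = Join-Path $system32 $binary
        $originalName = $null
        if (Test-Path -LiteralPath $filePath) {
            $originalName = (Get-Item -LiteralPath $filePath).VersionInfo.OriginalFilename
            if ($originalName -and ($originalName -ine $binary)) {
                $findings += "OriginalFilename is '$originalName'"
            }
        }

        $status = if ($findings.Count -gt 0) { 'SUSPICIOUS' } else { 'OK' }
        [pscustomobject]@{
            Binary           = $binary
            Status           = $status
            IfeoDebugger     = $debugger
            OriginalFilename = $originalName
            Findings         = ($findings -join '; ')
        }
    }
}

# Usage: list every accessibility binary with its status; anything SUSPICIOUS needs review.
Test-AccessibilityBinaryHijack | Format-Table -AutoSize
```

On a clean host every row reads OK with an empty IfeoDebugger column; in the lab, running this after the Sticky_Keys sample shows whether the sensor stopped the registry change before it landed, which is the detail the detection in the Falcon Interface summarizes.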
6. Phishing Attack
In this scenario we will simulate a phishing attack by opening an email with a malicious attachment.
a. In the malware lab, open Outlook and find our prepared email in the inbox. This phishing attack claims that the user has unpaid charges from a hotel stay.
To learn more, the user is asked to open the attachment by double-clicking "Folio-0701-2017-00873.xls".
Expanding the new alert clearly illustrates that this threat came from Outlook.exe and that the Excel attachment launched PowerShell.
To get even more details as to what PowerShell did, the Execution Details pane shows that PowerShell attempted to run a hidden command and download our malicious script from Github.
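Both the credential-dumping test (an encoded PowerShell command launched from cmd.exe) and this phishing test (a hidden PowerShell command that downloads a script) surface in the Execution Details pane as a raw command line. The PowerShell function below is an added triage helper, not part of the CrowdStrike guide or of Falcon: it decodes the Base64 payload of a -EncodedCommand argument and lists the switches and decoded-text patterns an analyst would flag. The function name, the indicator list and the sample command line are the author's constructions; the sample's payload decodes to a harmless Write-Host.

```powershell
# Added example, not from the CrowdStrike guide. Decodes the Base64 payload of a PowerShell
# -EncodedCommand argument as it appears in a detection's command line, and lists
# evasion-style switches an analyst would flag during triage. The sample command line
# at the bottom is constructed here; its payload is a harmless Write-Host.

function Get-EncodedPowerShellTriage {
    param(
        [Parameter(Mandatory = $true)]
        [string]$CommandLine
    )

    # powershell.exe accepts -EncodedCommand, its documented aliases -e and -ec, and any
    # unambiguous prefix such as -enc; the next whitespace-delimited token is the payload.
    $encodedMatch = [regex]::Match($CommandLine, '(?i)(?:^|\s)[-/](?:e|ec|en|enc\w*)\s+([A-Za-z0-9+/=]+)')

    $decoded = $null
    if ($encodedMatch.Success) {
        try {
            # PowerShell encodes the command as UTF-16LE before Base64, hence Unicode here.
            $bytes   = [Convert]::FromBase64String($encodedMatch.Groups[1].Value)
            $decoded = [System.Text.Encoding]::Unicode.GetString($bytes)
        }
        catch {
            $decoded = "<undecodable payload: $($_.Exception.Message)>"
        }
    }

    # Switches commonly paired with encoded commands to hide from the user or from policy.
    $indicators = [System.Collections.Generic.List[string]]::new()
    if ($encodedMatch.Success)                          { $indicators.Add('encoded command') }
    if ($CommandLine -match '(?i)[-/]w\w*\s+hidden')    { $indicators.Add('hidden window') }
    if ($CommandLine -match '(?i)[-/]nop\w*')           { $indicators.Add('profile bypassed') }
    if ($CommandLine -match '(?i)[-/]ex\w*\s+bypass')   { $indicators.Add('execution policy bypass') }
    if ($CommandLine -match '(?i)[-/]noni\w*')          { $indicators.Add('non-interactive') }

    # Patterns in the decoded text that indicate download-and-run behaviour.
    if ($decoded) {
        if ($decoded -match '(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b') { $indicators.Add('downloads content') }
        if ($decoded -match '(?i)Invoke-Expression|\biex\b')                             { $indicators.Add('evaluates dynamic code') }
        if ($decoded -match '(?i)FromBase64String')                                       { $indicators.Add('nested encoding') }
    }

    [pscustomobject]@{
        Decoded    = $decoded
        Indicators = $indicators.ToArray()
    }
}

# Constructed sample: the shape of command line the Execution Details pane shows for the
# credential-dumping and phishing tests. The payload here is a harmless Write-Host.
$payload   = "Write-Host 'constructed sample payload'"
$sampleB64 = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($payload))
$sample    = "cmd.exe /c powershell.exe -NoProfile -WindowStyle Hidden -enc $sampleB64"

Get-EncodedPowerShellTriage -CommandLine $sample | Format-List
```

For the constructed sample the output lists the decoded Write-Host line and the indicators "encoded command", "hidden window" and "profile bypassed"; pasting the command line from a real detection in place of $sample gives the same breakdown for that alert.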
7. Application Management
Falcon Prevent allows you to manually block or allow applications based on your organization's unique needs.
a. Navigate to Desktop > Sample Files > Non-Malicious
Double-click and run the "Show_a_Hash.exe" application. This application does nothing more than show its own file hash in a command prompt. We will use that hash to blacklist the file and prevent it from running again.
Copy the hash from the Command Prompt or from here: 4e106c973f28acfc4461caec3179319e
Navigate to the Falcon Interface Configuration > Prevention Hashes.
On the right-hand side, click the upload hashes icon, then paste the hash into the window and select "Apply".
In the next window, select the action "Always Block" and select "Apply" again.
Navigate back to the Desktop and close the command prompt window, then double-click "Show_a_Hash.exe" again and notice that it does not run this time.
In the Falcon Interface, navigate to Activity > Detections and inspect the new alert.
TIP: Managing your hash policy can be done directly from a detection. This means that if a detection is created for a malicious file, it can immediately be added to the blacklist using the "Execution Details" pane on the right of the selected alert. Simply click the "Update Hash Policy" button for the selected hash and make changes. The same is true if a custom application is causing false alerts and needs to be added to the whitelist.
In the previous sections, we have seen that Falcon Prevent is lightweight and easy to install and manage. In this section, we saw that Falcon Prevent can protect users from all types of attacks, from commodity malware to more complex phishing. We have even seen Falcon prevent tactics that are typically indicative of targeted attacks that leverage tools like PowerShell. Being fast, simple, and effective is great, but if the solution doesn't provide ways to easily handle alerts and triage events, you only trade one problem for another. In the next section, we will show you how simple it is to triage alerts and manage cases directly in Falcon.