How to Get Five Second Visibility Across Your Organization with CrowdStrike Falcon Endpoint Protection


Events recorded by the CrowdStrike Falcon sensor are streamed to the cloud and stored in a graph database. This approach ensures that data is accessible to the administrator even if some systems are offline at the time of the search. It also ensures speed and scalability. The CrowdStrike graph database – known as Threat Graph – is designed to return results for all queries in just seconds, regardless of the size or the amount of data in the database. This architecture allows CrowdStrike Falcon Endpoint Protection to provide deep visibility across your entire environment.

Read Video Transcript

How to Get Five Second Visibility Across Your Organization with Falcon Host Endpoint Protection

In this demo, we’d like to highlight the events app to demonstrate Falcon Host’s new real-time event retrieval for events and advanced searches. I’ll start off by just opening a remote desktop session on a host with Falcon Host installed. Once I’m on a target host, I’ll open a command prompt with elevated privileges.

For this demo, I’ll run a handful of commands that are often associated with an attack just to illustrate how quickly, how granular, and just how powerful the searches in Falcon Host can be. I’ll start by changing directories and then running the command whoami.

In the events app in the Falcon UI, we can immediately search for these types of events. This app uses the Splunk query language for those who are familiar with Splunk. And for those who aren’t, our Intel ninjas have created a threat hunting guide with their top search recommendations. Here, we’ll simply query iOS sessions connected or remote desktop sessions launched.

And then in the search results below, we can see the session that we had just created. Since I also ran the command with elevated privileges, we can also query instances where privileges have been elevated by searching UAC exec elevation. Running this query against your organization may uncover instances where privilege escalation is being used inappropriately.

The events app allows users to search on any one of the hundreds of different events that the Falcon sensor constantly captures. It’s also able to do this within minutes or even seconds of the event happening on the system. Moving back to the remote desktop session, I’m going to enter a list of commands that could easily be associated with an attack.

First, I’ll launch PowerShell in an attempt to hide all of my actions. Then, I’ll create a directory called x-fill on the desktop. To illustrate the breadth of searchable commands, I’ll create a service called evil service that starts the ping.exe application, perhaps, to check connectivity to one of my C&C servers. Once that is successful, I’ll download a ZIP utility using a connection to my FTP server. In this case, rar.exe and that will allow me to ZIP and encrypt any documents I’d like to take and, hopefully, DLP detection.

Then, finally, I’ll connect an external USB drive and copy the ZIP files to it. A quick inspection in Explorer shows the zipped file and the mounted E drive. While an attacker probably wouldn’t copy something to a local drive, this is something an insider with malicious intent might do.

In this example, I’ve mimicked a number of techniques that are often used once an attacker finds their way into an organization. Oftentimes, if an attacker has gotten this far, your AV has been of little use. Falcon Host and the events app is a powerful tool for discovering threats or behavior that appear suspicious from either an internal or external actor. Using the PE file written command, we can see the rar.exe file was created.

Using a command search, such as FS volume mounted, can show us that an external drive was also attached to the host. While each of the commands I ran could be searched individually, there’s also a powerful search argument that can be used in the events app, the command history argument. Typing command history for a single host will list all the commands associated with a recent attack for the selected time period.

In the search results below, we can easily see each command and get a clear picture of what happened to the owned endpoint. In fact, on further inspection, we can even see the passwords used to encrypt the documents. And then towards the end, we can see that they were copied to the E drive.

This is just a small example of how powerful and granular the advanced search capabilities are in the events app. And all this can be done in just a few seconds using Falcon Host.



For technical information on installation, policy configuration and more, please visit the CrowdStrike Tech Center.
