How CrowdStrike Falcon Prevents Infection and Spread of the Destructive NotPetya Attack
Petwrap is an especially nasty piece of malware, as it not only encrypts the local machine but also dumps credentials from that machine and uses them to spread across the network to other machines.
For our first demo, we have configured two systems on the same network, neither of which is being protected by CrowdStrike Falcon. Let's watch how Petwrap is executed on the first machine, and then spreads throughout the network to the second machine.
For the sake of time, we're going to speed things up a bit. Watch the counter at the bottom of the screen, right at the 10-minute mark, as the originally infected machine reboots and Petwrap encrypts its hard drive. Just seconds later, the second machine also reboots, and Petwrap encrypts its hard drive and displays its ransom note.
Now, let's find out exactly what happened on these machines. We installed CrowdStrike Falcon on the second machine, the one that Petwrap spread to via the network. We configured CrowdStrike Falcon so it would be in detect-only mode, meaning it recorded all of Petwrap's actions without actually stopping it.
First, we can see that Petwrap copied itself into the Windows directory of the machine, and then executed via rundll32, just like I did manually on the first system.
We can then see that it also dropped and executed a file called [? 6bdc.tmp ?]. This file is the credential dumping tool, which is very similar to the known mimikatz credential dumping tool.
When we switch over to the process tree view, we can see that CrowdStrike Falcon also recorded activities that are not necessarily malicious but are associated with this attack. In this case, Petwrap used the Windows Task Scheduler to schedule the reboot of the system, which then triggered the encryption and display of the ransom note.
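As an added illustration (not part of the original demo and not CrowdStrike's code), the following Python sketch applies the three behaviours just narrated as detection rules over constructed process telemetry: rundll32 loading a module dropped directly into the Windows directory, a .tmp file executed from a Temp folder, and a scheduled task that reboots the host, correlated by process ancestry. The process IDs, the file names (sample.dll, 1234.tmp) and the exact schtasks command line are hypothetical stand-ins for what the narration describes.

```python
"""
Toy process-tree detector for the behaviours the demo narration describes:
Petwrap copying itself into the Windows directory and running it via rundll32,
dropping and executing a .tmp credential-dumping tool, and scheduling a reboot
through the Task Scheduler. Added example; not CrowdStrike's code.
"""
import ntpath
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


# Constructed sample telemetry, not captured data. File names (sample.dll,
# 1234.tmp), pids and the exact schtasks command line are hypothetical
# stand-ins for what the narration describes.
SAMPLE_EVENTS = [
    Proc(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(200, 100, r"C:\Windows\System32\rundll32.exe",
         r"rundll32.exe C:\Windows\sample.dll,#1 60"),
    Proc(300, 200, r"C:\Windows\Temp\1234.tmp", r"C:\Windows\Temp\1234.tmp"),
    Proc(400, 200, r"C:\Windows\System32\schtasks.exe",
         r'schtasks.exe /Create /SC once /TN "" '
         r'/TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:35'),
    # Benign noise: rundll32 loading a module from System32 is everyday activity.
    Proc(500, 100, r"C:\Windows\System32\rundll32.exe",
         r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]


def rundll32_module(cmdline: str) -> Optional[str]:
    """Return the module path rundll32 was asked to load, or None."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return None
    return parts[1].split(",", 1)[0].strip('"')


def is_rundll32_windows_dir(p: Proc) -> bool:
    """rundll32 loading a module sitting directly in C:\\Windows (not a subfolder)."""
    if ntpath.basename(p.image).lower() != "rundll32.exe":
        return False
    mod = rundll32_module(p.cmdline)
    return mod is not None and ntpath.dirname(mod).lower() == r"c:\windows"


def is_temp_tmp_exec(p: Proc) -> bool:
    """A file with a .tmp extension executed from a Temp folder."""
    img = p.image.lower()
    return img.endswith(".tmp") and "\\temp\\" in img


def is_scheduled_reboot(p: Proc) -> bool:
    """schtasks creating a task whose action is shutdown.exe with /r (restart)."""
    if ntpath.basename(p.image).lower() != "schtasks.exe":
        return False
    cl = p.cmdline.lower()
    return "/create" in cl and "shutdown" in cl and " /r" in cl


RULES = {
    "rundll32_module_in_windows_dir": is_rundll32_windows_dir,
    "tmp_file_executed_from_temp": is_temp_tmp_exec,
    "scheduled_reboot_task": is_scheduled_reboot,
}


def detect(events):
    """Group rule hits by the nearest flagged rundll32 ancestor (or self).

    Returns {root_pid: sorted rule names}. A root carrying two or more
    distinct behaviours is the clustering the narration shows.
    """
    by_pid = {p.pid: p for p in events}

    def root_of(p: Proc) -> int:
        cur = p
        while cur is not None:
            if is_rundll32_windows_dir(cur):
                return cur.pid
            cur = by_pid.get(cur.ppid)
        return p.pid

    findings = {}
    for p in events:
        for name, rule in RULES.items():
            if rule(p):
                findings.setdefault(root_of(p), set()).add(name)
    return {pid: sorted(names) for pid, names in findings.items()}


if __name__ == "__main__":
    for pid, names in detect(SAMPLE_EVENTS).items():
        sev = "HIGH" if len(names) >= 2 else "low"
        print(f"pid {pid}: {sev} -> {', '.join(names)}")
```

Each rule on its own is noisy (rundll32 and schtasks are everyday tools), which is why the sketch walks the parent chain and only treats a root that accumulates several of the behaviours as high severity; the benign rundll32 event loading shell32.dll from System32 produces no finding.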
OK, this was a great overview. We have a better understanding of how Petwrap actually works. But now, the big question is, can CrowdStrike Falcon actually stop this thing? Well, let's go and take a look.
For our second demo, we're using the same two systems as before. But this time, we switched CrowdStrike Falcon from detection-only to prevention mode on the second system. Petwrap gets executed on the first system again. And for the sake of time, we will speed things up so that no one needs to sit and watch paint dry while Petwrap tries to take over my network.
As you can see, the first box, without CrowdStrike Falcon installed, does get infected and encrypted, just like the first time. But the second box, this time, shows no activity: it is not rebooting and is not getting infected.
Let's take a look at the UI and see what was recorded this time. CrowdStrike Falcon detected and prevented Petwrap's attempt to spread throughout the network and execute on the second machine. It blocked its execution, and no harm was done to the system.
The question is now, what happens when you execute Petwrap directly on the CrowdStrike Falcon protected system? Well, let's take a look.
We copied Petwrap right onto the system, and we'll try to execute it again via rundll32. As you can see, this time we get an access denied message. And when we go back into the Falcon UI and expand the view, we can see that CrowdStrike Falcon has prevented the execution of Petwrap.
To summarize, we showed you how CrowdStrike Falcon uses its EDR recording capabilities to give us details on how Petwrap behaves when you let it go wild. Then, we showed you that CrowdStrike Falcon and its preventions can not only stop the initial execution and infection of the system, but can also prevent the spreading and infection [INAUDIBLE] of the network.
Thank you for watching, and please come and visit us at crowdstrike.com.