How CrowdStrike Stops Malicious PowerShell Downloads

Hello, and welcome to this video in which we will demonstrate how CrowdStrike’s Falcon Host identifies and blocks malicious PowerShell activity based on how it is launched, and how it behaves. This allows Falcon Host to detect and block this kind of attack regardless of its delivery method or obfuscation.

On my desktop I have a malicious Word document that when opened executes a PowerShell command to download the TrickBot malware. But instead of getting infected with the malware, I see an error message that shows that the execution of the script has failed. The reason for that is that my system was protected by Falcon Host, and the malicious PowerShell script never got to the execution of its payload.

Let’s take a quick look at the Falcon UI to see what a detection like this looks like. When we open the process tree of our detection, we can see that command dot exe tried to launch out of our Word document, and Falcon Host prevented that execution. Looking at the details of the command that was supposed to run, we can see the PowerShell command and its malicious payload download.

Because Falcon Host detected the malicious nature of the PowerShell command based on its parameters, it doesn’t matter whether this attack was delivered through a Word document, a malicious web site, a JavaScript, or any other delivery method.

Thank you for watching.