Normal view

There are new articles available, click to refresh the page.
Before yesterdayCrowdStrike

Adversary Quest 2022 Walkthrough, Part 3: Four PROTECTIVE PENGUIN Challenges

In July 2022, the CrowdStrike Intelligence Advanced Research Team hosted the second edition of our Adversary Quest. As in the previous year, this “capture the flag” event featured 12 information security challenges in three different tracks: eCrime, Hacktivism and Targeted Intrusion. In each track, four consecutive challenges awaited the players, requiring different skills, including reverse engineering, vulnerability analysis and exploitation, and cryptanalysis.

This blog post describes our intended approach to solving the challenges of the Targeted Intrusion track. In this track the players were asked to analyze new activity by PROTECTIVE PENGUIN, an adversary that has returned since making an appearance in last year’s Adversary Quest.. The objective of PROTECTIVE PENGUIN was described as follows:

The Antarctic-based APT, tracked under the name PROTECTIVE PENGUIN, first appeared last year. This actor is born out of the necessity to protect their Antarctic colonies from discovery. Due to some research of human scientists near undiscovered locations of this sentinel wildlife, PROTECTIVE PENGUIN improved their technological skills and procedures to prevent further discoveries of their black sites and hidden colonies. There is evidence that a special operations team of PROTECTIVE PENGUIN broke into a research facility and compromised computers there. We need you to find out how the actor made it through the security mechanisms and what the compromised servers are all about.

Challenge #1: “FrontDoor”

A new activity cluster around the cyber threat actor known as PROTECTIVE PENGUIN was discovered. We were asked to investigate the cyber activity around a physical breach into a research institute located in the antarctic. The black ops unit that gained physical access to the location by bypassing several security mechanisms is presumably in connection to PROTECTIVE PENGUIN. It is currently assumed that the unit infected unknown air-gapped devices inside the location.

The institute that was breached is protected with smart locks at each door. The actor likely exploited a flaw in the door access controller (reachable at to open doors without a PIN. Please analyze the pin pad for us and reproduce the exploit against the system.

The challenge consists of two scripts: and A quick look reveals that both files are Python scripts, using flask to provide an HTTP web service. The comments at the top of both files indicate that the webservice of is exposed to the network while the web service of is bound to and used by as a backend service.. A comment in indicates that this service communicates with the smart locks to open and close the doors.

Since is not reachable directly, all requests to open any door must go through the application implemented by A quick review of reveals that the web service provides three endpoints to communicate with:

  1. /
  2. /api/door/open
  3. /api/status

The resource / can be fetched via a HTTP GET and will yield a panel to insert a PIN if a proper door_id is provided as a URL parameter (for example /?door_id=42).

The web page and its routine to verify a PIN and open a door can be inspected, for example, with the browser’s built-in Developer Tools. This reveals that clicking the “unlock” button triggers a function that sends the given PIN and the door_id back to — specifically to the endpoint /api/door/open using HTTP POST.

A source code review of the corresponding handler for this endpoint shows that the challenge is not to enter the correct PIN, because that is generated using a secure random number generator:

However, the function reveals something else interesting: the behavior of how the frontend and the backend communicate with each other. If the correct PIN were entered, the would send another HTTP POST request to the backend’s /api/door/open resource, passing the door_id and the uid of the user (the uid is set automatically with a random value).

Therefore, acts as an HTTP reverse proxy if the resource /api/door/open is called with a correct PIN. Similar behavior can be seen in the handler for /api/status in, where even an unauthenticated user can interact with the backend and all request data is passed through unmodified.

As shown by the following source code excerpt of the handler for /api/status (, the request body as well as the headers for the request are controllable by the client by setting the X-Backend-Info header:

The Backend aka.

The backend service is provided by the script A source code review shows that this server provides two endpoints to

  1. /api/door/open 
  2. /api/status

In addition, the script also implements some basic session control where the status of the door is stored for each user:

A request to /api/door/open of the backend will physically open the door and store its new status “unlocked.” As shown in the source code excerpt below, the flag is stored and returned as part of the status if and only if the door_id was 17:

This endpoint does not include any authentication check, but any request must go through the handler — where authentication is implemented as shown above.

The second resource /api/status is used to fetch the status of a door, which is “locked” by default, or the value written by the handler of /api/door/open:

To summarize, the following graphic shows the communication between the client and the frontend server as well as the communication between the frontend server and the backend server. The client sends two requests where one request needs to provide a correct pin (which is not possible) and the second request is proxied without any further requirements.

(Click to enlarge)

HTTP Request Smuggling

For a successful attack, an attacker must be able to call the handler of /api/door/open on the backend without going through the corresponding frontend handler that implements authentication. This can be achieved using HTTP request smuggling. The idea of this technique is to hide one request behind another, so that the frontend server sees only one request but forwards both to the backend server, which treats them as separate requests again. With that, a request can be routed to the backend server that should be authenticated but is not — undercover, appended to a request that does not require authentication.

In an HTTP request smuggling attack, attackers send conflicting information about how the HTTP server is to determine the length of the request. In particular, they would normally send both a Content-Length header and specify to use chunked encoding by sending a  Transfer-Encoding: chunked header. Receiving both length specifications, the server must then decide whether to use the specified content length, or use chunked encoding. If the frontend server and the backend server disagree on the method, HTTP request smuggling is possible. A more detailed explanation on HTTP request smuggling can be found on the PortSwigger Web Security Academy.

In our specific case, there’s a bit of a twist from usual HTTP request smuggling scenarios: the frontend implementation lets attackers inject arbitrary HTTP headers into the request that the frontend sends to the backend for an incoming request to /api/status. This resource does not have an authentication check, so even an unauthenticated user has full control over the headers and the data that is being forwarded to the backend. It is therefore possible to inject a Transfer-Encoding: chunked header to make the backend server parse the forwarded request differently than the frontend, which will use the Content-Length header. With that, an attacker can include a subsequent request to /api/door/open that is ignored (treated as part of the request to /api/status) by the frontend, but processed as a legitimate request to open a door by the backend. 

The proof-of-concept request can be visualized as follows:

(Click to enlarge)

The following Python script implements this attack:

Running the script will unlock the door and fetch the flag:

Challenge #2: “Backup”

We believe that the actor has accessed a terminal after breaking into the research facility. You can reach it via by using the credentials challenge:haed5Oof$oShip6oo.

Our incident responders have identified an implant that must have been installed as root. Can you figure out how the assumed escalation from challenge to root may have been facilitated?

The challenge implements a backup service. Under the hood, it uses the SUID wrapper binary backup that executes the shell script as root. Eventually, zip is used to do the archiving. While the PATH environment variable gets reset, other variables are passed to zip without sanitization. Therefore, attackers can pass maliciously crafted environment variables to zip and alter its intended behavior.

Per challenge description it is expected that the players analyze the provided virtual machine image and exploit a privilege escalation vulnerability on a remote server that hosts the flag. SSH credentials for the challenge user are provided in the description. One common way of escalating privileges is through insufficiently secured SUID binaries. If the file system is searched for SUID binaries, the backup binary will stand out as it is located under /usr/local/sbin/.

This location is intended for binaries that should run as root (sbin/) and have not been installed through the package manager of the distribution (local/). Other pointers to that binary include the systemd unit file backup.service and the systemd timer backup.timer that triggers the service.

The binary’s main function is rather short and can be decompiled by using IDA Pro or Ghidra.

This shows that both the real user ID (uid) and the real group ID (gid) of the process are set to zero, which is the value of the effective user ID (euid) if the process is running as root (lines 7 and 8). Then, the argument vector argv for a new process is prepared (L9-L11). Finally, execv() is executed with /bin/sh and the prepared vector as arguments effectively instructing /bin/sh to interpret the shell script at /usr/local/sbin/

The script is also rather short. First, the PATH environment variable is set to a fixed value (line 3). Then, the path to a ZIP file is derived from the current date and time by invocation of the date binary (line 8). Finally, zip is being used to compress the directory /etc and the resulting ZIP file is stored under /srv/backup.

Under these circumstances it is possible to pass an almost arbitrary environment to the script with PATH being the only exception as it is reset by the script itself. By studying the manual pages of the programs date and zip, one inevitably comes across the ZIPOPT variable that has a huge impact on zip’s execution: arbitrary command line arguments can be injected through this variable and several opportunities exist to access the flag.

Option #1 — Archiving the Flag

ZIPOPT can be used to specify additional files that should be archived as well as the location that the resulting ZIP file gets written to. For example, the flag at /root/flag.txt can be added and the resulting ZIP file can be stored at a location that can be accessed by the user challenge:

Option #2 — Spawning a Shell

ZIPOPT can be used to specify a custom command that gets executed in order to verify the produced ZIP file. This feature can be abused to obtain an interactive shell:

Option #3 — Overwriting

ZIPOPT can be used to specify options that make ZIP update an existing archive. Additionally, the output stream for the resulting archive can be redirected to overwrite arbitrary files. The output becomes a concatenation of the existing archive and the result of the update operation. If the existing archive is crafted carefully, shell commands can be injected into the resulting archive. This makes it possible to overwrite and inject arbitrary shell commands. These commands will get executed as root once the SUID binary backup is executed. was crafted in such a way that it will create a SUID-enabled copy of Bash under /bin/bash2. The code was injected into the content of an uncompressed file named cmd.txt. After setting ZIPOPT accordingly, the execution of backup wrote to /usr/local/sbin/ and appended the directory entry for /etc to that ZIP archive. The last execution of backup resulted in the execution of and eventually executed the injected shell commands:

A more involved approach is to inject a shell command into the header of a ZIP archive. In the following example, the fields “compression method”, “modification time”, “modification date” and the CRC-32 ranging from offset 0x8 to 0x12 of the first file named x got overwritten. The path /tmp/x is enclosed in newline characters to ensure that it is parsed and executed correctly by the shell. The archive can be used in the same way as Subsequent execution of the backup binary will then execute arbitrary commands from the file /tmp/x as root.

Challenge #3: “Lights Out”

Unfortunately, the incident response team informed us about further unknown activity on another air-gapped device. They found mysterious files on the host, but they were unable to analyze the samples. We need you to find out what they were used for.

An initial review of the files reveals that two files are ELF executables while the third file has an unknown format:

Executing the binary i on the correct hardware (Raspberry Pi) or in QEMU results in a segmentation fault, while tracing system calls reveals that the program tries to open the file /mnt/git-infrastructure/network-services.password.

(Click to enlarge)

This short insight also shows that another file (/tmp/.Font-Unix) is opened for writing and the implant immediately writes data to its beginning. We now try to create the first file and fill it with some data and trace the execution again:

(Click to enlarge)

Two observations become important here:

  1. The second binary lds should be stored as /usr/bin/lds and is used to process the created file /tmp/.Font-Unix.
  2. The resulting file /tmp/.Font-Unix has the same size as the input file network-services.password. Our initial hypothesis is that data from network-services.password is encrypted with an unknown scheme and written to /tmp/.Font-Unix.

Using this information, we copy lds to /usr/bin/lds and after this, the execution no longer segfaults. If run on a Raspberry Pi, it is now observable that the LEDs are blinking while running the program. If using an emulated environment, we can observe that the program tries unsuccessfully to open /sys/class/leds/led0/brightness. Essentially, there are two approaches now to solve this challenge:

  1. analyzing the crypto
  2. reversing the binary i


With the possibility to control the plaintext it can be found out how the cipher works, at least approximately. The following excerpt from the systematic generation of ciphertexts based on chosen plaintexts shows that the cipher substitutes each character and that all subsequent characters are influenced by a change in one prior plaintext character:

In addition, the length of the plaintext has an effect on the resulting ciphertext:

Putting these insights together, the plaintext can be recovered by trying every possible plaintext character (256 choices) for every position:

The script’s output is as follows:

Reversing i

The binary can be disassembled and decompiled using Ghidra for example. The decompilation shows that the entry point calls main (this label was assigned manually) via the common function __libc_start_main(), as most other binaries as well:

(Click to enlarge)

The disassembly of this function main reveals a common function prologue (stack preparation), and an instruction at 0x103e4 to store the current program counter in register r7 and jump to another location labeled FUN_00010484.

(Click to enlarge)

Between the jump instruction and this function there is a large data block that is not identified as code by Ghidra — which will become interesting later. It is also important to note that “In ARM state, the value of the PC is the address of the current instruction plus 8 bytes.” according to the ARM developer documentation. Therefore, r7 holds the value 0x103ec after pc is copied into it at 0x103e4. The address of the yet unknown data (located between the jump instruction and the function FUN_00010484) is stored in register r7

The disassembly of the code block FUN_00010484 shows that there is some preparation of register r7 — an offset is added to r7, but the offset is computed by the registers r5 and r8 both of which are not set right before.

The obvious approach to determine the value of register r7 at the end of this block is to load the program into a debugger, set a breakpoint at address 0x1049c and inspect the register r7. Trying this using gdb, we see that gdb is not able to run the program:

The tool readelf can be used to inspect the ELF binary, especially its header. We see that the tool has issues due to an out of range offset stored in the section header string table index.

There are different approaches to solving this. One is to manually fix the header (section header string table index). A compilation of a simple test program reveals a pattern that can be used to fix the header. Two observations are relevant:

  1. a stripped test binary (simple “hello world” compiled) has 27 section headers and a section header string table index of 26.
  2. The start of section headers is located directly behind the .shstrtab section, which can be identified using a hexdump.

Both fields can be fixed, for example using dd. The first command in the following excerpt updates e_shoff which points to the start of the section header table. The second command updates e_shstrndx which contains the index of the section header table entry.

After these modifications, the binary can be loaded and executed within gdb. Setting a breakpoint at the address where the unknown jump occurs (bx r7) the address is revealed:

So the jump basically jumps back, right behind the jump where the execution came from inside the main function. Important to note is that this jump instruction (0x103ed) is not aligned to 4 byte but off by one. On ARM, this will enter the thumb mode and all subsequent instructions are interpreted as thumb instructions. This is why Ghidra was not able to automatically disassemble the instructions right away.

After enabling thumb mode disassembly in Ghidra, the code block can be analyzed. As already seen in the strace output before, a password file is first opened and read into memory. Using strace, it was also revealed that after reading the whole input file (probably containing the flag) the code writes the output file (“/tmp/.Font-Unix”) byte by byte. Because of that it is reasonable to look for a loop with a write syscall (svc 0x04) and spot the routine that prepares register r1 which will hold the address to the byte that gets written. There is one loop in the discovered thumb-instruction code block with this pattern:

Inspecting this loop reveals the crypto mechanism applied, which is a stream-cipher using register r6 as the current keystream character. This register r6 is initialized with the value 0xa5 and the length of the plaintext before the loop, and its value (the keystream) is derived in each iteration by counting in a constant, as well as the last ciphertext character.

With this knowledge, a decryption routine can be implemented that takes a ciphertext, derives the keystream and recovers the plaintext.

The ciphertext is then decrypted using this script:

Analysis of Binary lds

The second binary named lds is not stripped. An analysis is therefore rather easy, and for this challenge not necessary, but for the next one.

The binary, as Ghidra’s decompilation reveals, takes a parameter that is the path to a local file.

After renaming variables, the decompilation of the function transmission_send_file() looks as follows:

It shows that this function opens a file, reads its content, and passes the data and its length to another function named transmission_send_data(). Before and after, two other functions named transmission_send_start() and transmission_send_end() are called. Both functions support the assumption that these functions are sending a prefix and postfix for a data transmission via a yet unknown channel.

The decompilation of the function transmission_send_data() reveals that the function iterates through the data and then calls channel_set_state() for every bit. The first first function argument is always 1 and seems to be used like a clock signal that is toggled for every bit while the second argument to that function will be passed the actual data bits.

Decompiling the function channel_set_state() shows that this program uses the LEDs on a Raspberry pi (via /sys/class/leds/led{0,1}/brightness) to send out both arguments. The toggling LED (the green LED on the device) is used for the clock while the red LED is used for the payload.

This knowledge can now be implemented in a decoder, which is needed for the next challenge:

Challenge #4: “Eyes Open”

Our investigation so far suggests that PROTECTIVE PENGUIN has the ability to view hardware devices inside the labs. Motivated by this, further review has revealed that the actor exploited a network attached storage device that is used by the surveillance system to host CCTV footage. Fortunately, this footage is encrypted on a regular basis — but is the encryption strong enough to prevent PROTECTIVE PENGUIN from getting access to the decrypted stream?

Reviewing the Python script named shows that the script uses the library cv2 to record CCTV footage using a connected webcam, and creates a bz2-compressed tarball with an encrypted and post-processed version of the initially recorded footage. Besides the script, a tarball is given that contains the encrypted video and audio stream of the CCTV footage.

The script also shows that both streams are extracted using ffmpeg callouts (“ffmpeg …”)), and both streams are encrypted using AES in Counter mode (CTR mode) using a randomly generated nonce and key. CTR mode turns the AES block cipher into a stream cipher by generating a keystream that is then XORed with the plaintext to generate the ciphertext. This encryption is considered to be secure as long as the key or the nonce are securely generated and stored, and both are not reused together.

The class that is used to record the video also adds an audio stream to the video, using a hardcoded command with a ffmpeg callout. This command will generate an audio stream using the anullsrc ffmpeg filter, which adds silence to the video.


Reusing the nonce and key for both streams is a vulnerability that can be exploited to gain the plaintext of the video stream. Replaying the commands will reveal that in fact the plaintext of the audio stream is deterministic and predictable because silence was added:

(Click to enlarge)

Due to the silence, the payload of the audio stream consists of the byte 0x80 while the header of the audio stream can be guessed. This will make it possible to recover the keystream without knowing the key and the nonce, and because the keystream is used for both the audio and the video stream, the unencrypted video stream can be recovered as well.

For the attack, the tarball is unpacked and the expected plaintext audio stream is generated, for example, using the script with the small modification that dumps the unencrypted video and audio stream in a test run. Then, the ciphertext of the audio stream is XORed against the expected plaintext audio stream to obtain the keystream. The keystream is then XORed against the ciphertext of the video stream to recover the plaintext video stream.

In the decrypted video we see LED’s of a Raspberry Pi blinking, as this excerpt shows:

We learn that this appears to show the device that was targeted in the previous challenge and we can process or manually review the video (for example by extracting the frames using ffmpeg and reviewing the frames to avoid confusion) to extract a bit string as exfiltrated by the lds binary seen in the previous challenge. By decoding and decrypting the payload, we obtain the final flag:

(Click to enlarge)

Final Remarks

This concludes the CrowdStrike Intelligence Adversary Quest 2022. In the PROTECTIVE PENGUIN track, players were asked to analyze the activities around an intrusion into a research institute. They first had to reproduce an attack on a smart lock protecting entry to the facility. Inside the institute, the actor gained root access to a machine by escalating privilege and reproducing this attack was the second challenge. The third and fourth challenge of this track were about analyzing an implant, deployed on an air-gapped host, exfiltrating data by letting LEDs of the host blink. These blinking lights were recorded by the research facility’s CCTV system. While the footage is stored encrypted, PROTECTIVE PENGUIN was able to exploit a weakness in the encryption scheme, allowing them to decrypt the recordings without knowing the key.

We hope you enjoyed the Adversary Quest and prepare well for the next one. Feel free to drop us an email at [email protected], especially if you published a writeup, want to provide some feedback or have any questions. Also note that CrowdStrike is constantly hiring talented cybersecurity professionals!

Additional Resources

GitOps and Shift Left Security: The Changing Landscape of DevSecOps

23 August 2022 at 12:45

Application developers have always had a tricky balance to maintain between speed and security, two requirements that may often feel at odds with each other. Practices that increase speed also pressure development teams to ensure that vulnerable code is identified and remediated without slowing development. As companies embrace digital transformation initiatives, the need to weave better security into developers’ workflows has only grown clearer. 

And the Survey Says …

But just where are enterprises on this journey? In a new report, “Walking the Line: GitOps and Shift Left Security,” analyst firm Enterprise Strategy Group (ESG) found that the majority of app developers and IT and cybersecurity decision-makers recognize the need to bake security into the development process and their organizations are ready to spend money to do so. Yet technical and other challenges remain. 

Key findings of the report include:

  • Organizations recognize the need to incorporate security into the development process. Sixty-eight percent of respondents said adopting developer-focused security solutions and shifting some security responsibilities to developers was a high priority for their organization. Additionally, 69% said their organization plans “significant investments” in security solutions that can be integrated into their cloud-native software development processes.
  • Most security teams are “mostly comfortable” or “completely comfortable” with developers taking responsibility for security testing. Still, when asked about challenges, some respondents expressed fears that developers would be overburdened. 
  • The cloud-native cybersecurity threat landscape is getting riskier. Nearly every IT pro surveyed encountered incidents and related consequences in the past year. The most common issues were attacks leveraging the insecure use of APIs, exploits that took advantage of known vulnerabilities in internally developed code, and compromised service account credentials.
  • Modern development practices increase speed but also security risks. As the use of infrastructure-as-code (IaC) has grown, security has become a significant issue. More than 80% reported an increase in IaC template misconfigurations. The impact of these misconfigurations ran the gamut from unauthorized access to applications and data to the introduction of crypto-jacking malware.

The Cybersecurity Threat Landscape Is Intensifying

The emphasis on integrating security into the development process could not have come at a more crucial time. Only 3% of respondents said they had not experienced one of the security incidents related to internally developed cloud-native applications and listed in the chart below in the past 12 months. At the same time, 38% said they had suffered an attack that resulted in data loss due to the insecure use of APIs.

Source: “Walking the Line: GitOps and Shift Left Security,” Enterprise Strategy Group (ESG)

When asked what elements of the cloud-native application stack they feel are most susceptible to compromise and therefore represent the greatest risk, respondents most often selected APIs followed by data storage repositories and internally developed application source code. 

The good news is that awareness of these challenges appears to be driving organizations to shift security left. During the next 12 to 18 months, 34% said improving application testing will be a top investment priority for their cloud-native application security plans. Thirty-one percent named applying runtime API security controls a top priority, and 31% said the same about detecting secrets that have been committed and stored in source code repositories.

The Impact of Shift Left Security 

Shifting security left does not always happen smoothly. When asked what challenges their organization faces when it comes to having developers take on more security responsibilities, 44% said “developers would be overburdened with security responsibilities or tools.” Forty-two percent said they did not feel developers are qualified to take over security duties, and 43% responded that “the whole process would make more work for the security team.”  

Some of those surveyed felt that developers are not always comfortable handling security due to friction: 46% said developers view security tasks as disruptive to development processes, and 44% said developers felt the security team should be doing the security work. This shows that in addition to facing some integration and technical challenges, organizations will have to overcome such workplace cultural issues if they are going to succeed in shifting left. 

Walking the Line 

Security is not meant to be a red light on the road to your business goals. It is meant to enable you to reach those goals safely and with minimal risk, and increasingly, organizations understand they need to integrate security into their development processes to do that. Organizations looking to walk the line should use solutions like, CrowdStrike Cloud Security, to integrate security early into the continuous integration/continuous delivery (CI/CD) pipeline in a way that is automated, frictionless, and empowers developers to deliver applications without decreasing speed. 

To learn more about the challenges organizations face with faster cloud-native development lifecycles and how developers and security teams work together, download the report here.

Additional Resources

The Anatomy of Wiper Malware, Part 2: Third-Party Drivers

In Part 1 of this four-part blog series examining wiper malware, we introduced the topic of wipers, reviewed their recent history and presented common adversary techniques that leverage wipers to destroy system data. 

In Part 2, CrowdStrike’s Endpoint Protection Content Research Team discusses how threat actors have used legitimate third-party drivers to bypass the visibility and detection capabilities of security mechanisms and solutions.

Third-Party Drivers

For a wiper developer, there are several good reasons to switch operations into kernel space. When it comes to overwriting disks, user mode has certain limitations and is intensely monitored by AV/XDR vendors through hooking various APIs and blocking select actions. With the release of Windows Vista, Microsoft began restricting access to raw disk sectors from user mode. To bypass this, wiper developers began to drive their attack through the kernel space.

Threat actors may attempt to write their own kernel drivers, but this approach is difficult for a number of reasons. One is related to the lack of segregation between processes or drivers in Kernel space; anything can write to anywhere with no restriction. With no room for error, the machine may easily destabilize and crash. Another is that modern Windows 64-bit requires drivers to be signed by Microsoft.

Rather than writing their own kernel drivers, malware authors often resort to using drivers developed by third-party entities in order to achieve their goals. Some notable examples of wiper families that use third-party drivers include Destover, DriveSlayer, Shamoon, Dustman and ZeroCleare. Most of these leverage different versions of the ElRawDisk driver developed by Eldos, with the exception being DriveSlayer, who uses a driver developed by EaseUs.

ElRawDisk Driver

The ElRawDisk device driver, developed by Eldos (now part of Callback Technologies), is used by several wiper families such as Destover, ZeroCleare, Dustman and Shamoon. The driver is used as a proxy to transfer actions from user mode into kernel mode and ensures that all disk operations are done on behalf of the driver, not the wiper process. This technique removes any limitations user mode processes might encounter when writing files or interacting with the disk directly. Since this is a third-party driver, the malware must implement a way to install it on the infected machine. Usually this is achieved by dropping the driver to disk and loading it via the Service Control Manager APIs, or the sc.exe tool. Legitimate drivers are also seen as “clean” by security vendors and it would not be blocked when they are installed. 

ZeroCleare and Dustman use an unsigned version of ElRawDisk driver that is loaded using Turla Driver Loader (TDL). TDL installs a signed and vulnerable VBoxDrv driver. This driver is exploited to mimic the functionality of a driver loader and the unsigned ElRawDisk driver is mapped in kernel mode without having to patch Windows Driver Signature Enforcement (DSE).

After loading the driver, the wipers must grab a handle to it via CreateFile and provide a key in order to authenticate to the driver. The key is appended to the device name, and parsed out by the driver. If no valid key is supplied, the return value will be INVALID_HANDLE_VALUE. While this seems like a good idea to limit unauthorized access to the driver, in reality threat actors can reverse engineer the legitimate applications that use the ElRawDisk drivers and extract a copy of the key. Then they use that key to impersonate the legitimate tool and achieve their goals. Analyzed wipers use different keys for the ElRawDisk driver.

Figure 1. Open handle to ElRawDisk device with the serial key appended to the device name

Shamoon retrieves information about the location of the file on the raw disk by sending the FSCTL_GET_RETRIEVAL_POINTERS control code to the ElRawDisk device via the DeviceIoControl API. This information is later used to determine the raw sectors of the file that needs to be wiped.

Figure 2. Send FSCTL_GET_RETRIEVAL_POINTERS via DeviceIoControl API

Shamoon attempts to wipe the entire disk, not only the files. In order to do so, it requests partitioning information by sending the IOCTL_DISK_GET_PARTITION_INFO_EX IOCTL to the ElRawDisk driver. The partitioning information helps the wiper to determine what sectors to overwrite. To accomplish this, the wiper opens a handle to a specific partition via CreateFile and overwrites the sectors using WriteFile and SetFilePointer APIs. Shamoon writes a JPEG image to the sectors, rendering the operating system unstable and may crash at any point in time.

Figure 3. Send IOCTL_DISK_GET_PARTITION_INFO_EX via DeviceIoControl API

The code trace from Figure 4 exemplifies how wipers overwrite raw disk clusters by proxying activity via the ElRawDisk device.

Figure 4. API trace view demonstrating how the EPMNTDRV is used to wipe the disk

ZeroCleare and Dustman use the driver a bit differently than Shamoon. Once the ElRawDisk driver is loaded using TDL and a handle to the driver is obtained, it calls DeviceIoControl using one of two different IOCTLs (0x22BF84 or 0x227F80), depending on the Windows version. This call is capable of overwriting the contents of the physical drive with a message (as in Dustman wiper), or a buffer with the same byte value (as in ZeroCleare wiper).

The following figure is used in both ZeroCleare and Dustman wipers. The customdata buffer contains the data that is used to overwrite the contents of the physical drive.

Figure 5. How ZeroCleare and Dustman use the ElRawDisk to overwrite the disk with a custom buffer

As seen in the ElRawDisk driver version used by Dustman and ZeroCleare, both these two IO control codes translate to the same function call. The following snippet cannot be found in the driver used by Shamoon because it’s an older version.

Figure 6. Examples of two custom IOCTL codes from the ElRawDisk driver


EPMNTDRV is another example of a driver developed by a legitimate entity being used for malicious purposes by threat actors. This driver is developed by EaseUs for their partition manager utility. Back in March of 2022, the DriveSlayer wiper used this driver against Ukraine. It was kept inside a LZA compressed resource and loaded via the Windows Service Control Manager APIs after it was written to disk by the malware. In the following figure, we can observe the main function of the EPMNTDRV driver. It creates the device and a symbolic link followed by initialization of the DRIVER_OBJECT structure with the necessary dispatch routines.

Figure 7. Main function of the EPMNTDRV initiating various dispatch routines

Similarly to the previous driver, it allows any user-mode process to interact with the disk by proxying actions through itself. Interaction is achieved via dispatch routines like IRP_MJ_CREATE, IRP_MJ_WRITE as well as IRP_MJ_DEVICE_CONTROL. To interact with the driver, the process needs to open a handle to the device via CreateFile and provide a path like “\\.\EPMNTDRV\[value]”, where [value] represents the ID of the disk. The driver will then allow the user to operate on the “\Device\Harddisk[value]\Partition0” device through it.

Figure 8. Pseudocode view of the IRP_MJ_CREATE dispatch routine from EPMNTDRV driver, showcasing how it opens a handle to the local disk (\Device\Harddisk%u\Partition0)

In the IRP_MJ_CREATE routine of the driver, a pointer to the “\Device\Harddisk%u\Partition0” is obtained via IoGetDeviceObjectPointer and IoGetAttachedDeviceReference APIs and stored in a global variable to be later used in the other dispatch routines.

Figure 9. Pseudocode view of the IRP_MJ_WRITE dispatch routine from EPMNTDRV driver, showcasing how an IRP request is created and sent to the driver handling the HardDisk device.

The IRP_MJ_WRITE handles the write requests coming from the user mode process.and forwards them to the driver handling the disk operations. In order to achieve this, the driver makes use of the IoBuildAsynchronousFsdRequest API to construct an IRP request and sends it to the driver via the IofCallDriver API.

Figure 10. Pseudocode view of the IRP_MJ_DEVICE_CONTROL dispatch routine from EPMNTDRV driver, showcasing how IO control codes are forwarded to the HDD device driver

The the user mode process send a IOCTL to the EPMNTDRV device, the dispatch routine handling IRP_MJ_DEVICE_CONTROL requests is called and it forwards the requests to the driver handling disk operations via the IoBuildDeviceIoControlRequest and IofCallDriver APIs.

Figure 11. Pseudocode from DriveSlayer displaying how to data is sent to the third-party driver in order to overwrite the disk

Now that the EPMNTDRV driver is installed, the wiper can grab a handle to it via CreateFile and use standard WriteFile and DeviceIoControl APIs in order to send data to the driver. All requests from user mode are then forwarded to the disk driver. Now, the malware can now wipe the MBR, MFT, and files on behalf of the legitimate driver.

How the Falcon Platform Offers Continuous Monitoring and Visibility

The CrowdStrike Falcon® platform takes a layered approach to protecting workloads, harnessing over a trillion data points analyzed daily in the CrowdStrike Security Cloud. Combining on-sensor and cloud-based machine learning, industry-leading behavioral analysis to fuel indicators of attack (IOAs) (including recently announced AI-powered IOAs), and advanced threat intelligence the Falcon platform provides users with holistic attack surface visibility, unparalleled threat detection and continuous monitoring for any environment, reducing the time to detect and mitigate threats.

Figure 12. Falcon UI screenshot showcasing detection of DriveSlayer by the Falcon sensor. (Click to enlarge)

Figure 13. Falcon UI screenshot showcasing detection of Shamoon by the Falcon sensor. (Click to enlarge)


Multiple wiper families leverage legitimate third-party kernel drivers as proxies for running malicious activities. This provides the wipers with multiple advantages; enabling them to operate in a stealthy manner and bypassing several security products. A kernel implant provides limitless capabilities for the attacker, including easy access to the entire disk, without the operating system getting in the way. Many of the wipers we’ve analyzed use legitimate drivers to wipe raw disk sectors and, in some instances, protected files. The main weakness of this approach is that wiping raw sectors will destabilize the operating system, making it liable to crash at any moment. Crashing the OS may be in the victim’s advantage because this would halt wiping operations and potentially allow the victim to recover some of their data. 

In Part 3 of this wiper series, we will discuss additional and less frequently utilized techniques implemented by various wiper families.


Wiper name SHA256 hash value
Apostle 6fb07a9855edc862e59145aed973de9d459a6f45f17a8e779b95d4c55502dcce


CaddyWiper a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea
Destover e2ecec43da974db02f624ecadc94baf1d21fd1a5c4990c15863bb9929f781a0a
DoubleZero 3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe


DriveSlayer 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da



Dustman f07b0c79a8c88a5760847226af277cf34ab5508394a58820db4db5a8d0340fc7
IsaacWiper 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033


IsraBye 5a209e40e0659b40d3d20899c00757fa33dc00ddcac38a3c8df004ab9051de0d
KillDisk 8a81a1d0fae933862b51f63064069aa5af3854763f5edc29c997964de5e284e5


Meteor and Comet/Stardust 2aa6e42cb33ec3c132ffce425a92dfdb5e29d8ac112631aec068c8a78314d49b




Ordinypt ​​085256b114079911b64f5826165f85a28a2a4ddc2ce0d935fa8545651ce5ab09
Petya 0f732bc1ed57a052fecd19ad98428eb8cc42e6a53af86d465b004994342a2366



Shamoon e2ecec43da974db02f624ecadc94baf1d21fd1a5c4990c15863bb9929f781a0a






SQLShred/Agrius 18c92f23b646eb85d67a890296000212091f930b1fe9e92033f123be3581a90f


StoneDrill 62aabce7a5741a9270cddac49cd1d715305c1d0505e620bbeaec6ff9b6fd0260



Tokyo Olympic wiper fb80dab592c5b2a1dcaaf69981c6d4ee7dbf6c1f25247e2ab648d4d0dc115a97


WhisperGate a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92



ZeroCleare becb74a8a71a324c78625aa589e77631633d0f15af1473dfe34eca06e7ec6b86

Additional Resources

  • Find out more about today’s adversaries and how to combat them at Fal.Con 2022, the cybersecurity industry’s most anticipated annual event. Register now and meet us in Las Vegas, Sept. 19-21! 
  • Learn how the powerful CrowdStrike Falcon platform provides comprehensive protection across your organization, workers and data, wherever they are located.
  • Get a full-featured free trial of CrowdStrike Falcon Prevent™ and see for yourself how true next-gen AV performs against today’s most sophisticated threats.

Getting Started Guide: Falcon Long Term Repository

25 August 2022 at 12:37

Limited data retention resulting from financial or technological constraints makes it hard for security teams to see the complete history of an attack. This lack of full context about a threat — or a potential threat — eventually catches up with organizations, leading to longer dwell times and increased risk of a breach. 

CrowdStrike Falcon Long Term Repository (LTR), formerly known as Humio for Falcon, allows CrowdStrike Falcon® platform customers to retain their data for up to one year or longer. Users can then correlate this deep well of information with other data sources to better detect potential threats and search the data with sub-second latency. 

The innovative technology addresses one of the biggest challenges in threat hunting and security awareness: unknown unknowns. Without the context provided by log and event data from across your IT infrastructure, it’s increasingly difficult to investigate incidents and uncover potential attack paths. Despite this, historical retention is often a problem for security teams because of the costs and technological complexity of retaining this data. 

Falcon LTR employs an index-free architecture designed to minimize the storage and computing resources required to ingest and retain data at any scale. It also uses advanced data storage techniques to compress data by 6-80x, reducing total cost of ownership. 

If you’re a Falcon platform customer who wants more data to work with for a longer period of time, Falcon LTR might be right for you. This blog post is the first in a three-part series that will teach you the basics of Falcon LTR and how it can improve your threat hunts, investigations and observability use cases.

Let’s dive in.  

I’ve got a data warehouse. Why do I need Falcon LTR?

Most organizations will ingest log data into their own data warehouse, perform custom analytics and investigations, and define an event-retention policy based on the storage available. Falcon LTR improves upon this approach in four main ways:

  1. Longer data retention. Falcon LTR allows you to keep data for as long as you need, including more than one year. With longer data retention, security teams can identify potential threats faster and conduct sub-second searches on log data. This speed enables threat hunting and troubleshooting at an unprecedented scale.
  2. Reduced cost. Legacy log management platforms make it cost prohibitive due to extensive infrastructure and storage requirements to retain log data long term. Falcon LTR offers long-term retention that requires minimal storage and computing resources, thus costing much less than what you might be used to.
  3. Fast and custom search. Humio, the log management technology that powers Falcon LTR, offers a feature-rich query language and index-free architecture. This allows customers to get immediate answers from their Falcon data via real-time dashboards, custom searches and prebuilt integrations.
  4. Smarter investigations. By ingesting your Falcon data into Falcon LTR, it instantly becomes searchable alongside other data sources, such as firewall logs and network telemetry. Now, findings from one log source can be used to trigger associated searches across other logs sources — enabling proactive threat hunting and investigations.

How does Falcon LTR work?

Falcon LTR relies upon a mechanism that transports Falcon data into Falcon LTR. This mechanism is called Falcon Data Replicator (FDR). Customers who license Falcon LTR get free access to FDR to ingest their Falcon logs. Please review the technical support feature guide to gain a full understanding of the requirements before enabling FDR.

Below is a high-level overview of the FDR data flow. As you can see, endpoints generate raw event data which is ingested into CrowdStrike Threat Graph®. FDR places the raw event data into an AWS S3 bucket, and enables users to bring that data into Falcon LTR for long-term retention and analysis. 

“With Falcon LTR, we were able to save approximately $150,000 in the first year. Also, the ability to save data for an extended time period is critical. When we detect an indicator of compromise, we can go back in time and analyze the entire attack chain to accelerate investigations and pinpoint issues more quickly.” —Tom Sipes, Director of IT Security and Compliance, Tuesday Morning

How do I get Falcon LTR?

To start, contact your CrowdStrike account manager or CrowdStrike Support, and ask to have FDR enabled on your account. The team will create a CrowdStrike-managed AWS S3 bucket for short-term storage purposes, as well as a SQS (simple queue service) account for monitoring changes to the S3 bucket. By default, this S3 bucket has a seven-day retention policy because data is intended to be pulled out for longer-term retention, which Falcon LTR provides. 

To learn more about Falcon LTR capabilities and licensing, contact your CrowdStrike account manager.

If you enjoyed this post, don’t miss the next two in the series, “Improve Threat Hunts with Long-Term, Cost-Effective Data Retention” and “Use Falcon Data for Greater IT Visibility.”

Additional Resources

Defense Against the Lateral Arts: Detecting and Preventing Impacket’s Wmiexec

31 August 2022 at 12:20
  • Impacket, an open source collection of Python modules for manipulating network protocols, contains several tools for remote service execution, Windows credential dumping, packet sniffing and Kerberos manipulation.
  • CrowdStrike Services has seen an increased use of Impacket’s wmiexec module, primarily by ransomware and eCrime groups.
  • Wmiexec leaves behind valuable forensic artifacts that will help defenders detect its usage and identify evidence or indication of adversary activity.


Impacket’s (“wmiexec”) is a popular tool used by red teams and threat actors alike. The CrowdStrike Services team commonly sees threat actors leveraging wmiexec to move laterally and execute commands on remote systems as wmiexec leverages Windows native protocols to more easily blend in with benign activity. CrowdStrike has also identified threat actors packaging wmiexec using PyInstaller to run it as an executable on Windows systems, remotely executing data exfiltration tools such as Rclone, and Cobalt Strike beacons for lateral movement and command-and-control operations. 

Impacket’s suite of tools is extremely versatile and is low impact, making detection more difficult compared to other threat actor tool sets. This blog deep dives into wmiexec usage seen from multiple incident response investigations, and describes indicators to help defenders detect wmiexec. 

Wmiexec Overview

Wmiexec relies on the Windows native service known as Windows Management Instrumentation (WMI). Microsoft defines WMI as “the infrastructure for management data and operations on Windows-based operating systems.” While WMI has legitimate use-cases, threat actors commonly use WMI to move laterally. 

Wmiexec allows a threat actor to execute commands on a remote system and/or establish a semi-interactive shell on a remote host. The remote connection and command execution requires using a valid username and password or an NTLM hash. Usage of wmiexec does not require the remote service installation that similar lateral movement techniques require, such as by Impacket. 

Wmiexec uses Distributed Component Object Model (“DCOM”) to connect remotely to a system. DCOM allows COM objects to communicate over the network. The threat actor’s execution of will establish their connection with DCOM/RPC on port 135, the response back to the threat actor system is sent via the Server Message Block (“SMB”) protocol.

Initial Indicators

When hunting for wmiexec, defenders should look for WMI usage. A defender’s first step should be to analyze the process relationship involving a parent process known as WMIPRVSE.EXE. Suspicious processes such as CMD.EXE or POWERSHELL.EXE running as a child process to WMIPRVSE.EXE are a red flag. Most commonly, and by default, wmiexec will use a child process of CMD.EXE. A common indicator of wmiexec is the command line switches of the CMD.EXE process, which is somewhat unique. An example of executing a tasklist using wmiexec would establish a process relationship similar to the image in Figure 1. Throughout this blog we will often refer to the publicly available source code on Impacket’s GitHub repository.

Figure 1. Parent process relationship

Understanding wmiexec Command Execution

As shown in Figure 2, on line 127 of the publicly available source code, execution of CMD.EXE will use the parameters of /Q /c. First the parameter, /Q, is set to turn off echo, ensuring the command is run silently. Secondly, the parameter /c is set to stop after the command specified by the string is carried out.

Figure 2. Code example calling of cmd.exe

Identifying commands issued with the default cmd.exe /Q /c arguments are an indicator that wmiexec may be in use but note that these are parameters which can be used for legitimate purposes. To further validate the identification of wmiexec usage, another indicator is command redirection. During execution of wmiexec, the command is redirected to a file created on the remote host’s local ADMIN$ share by default. The ADMIN$ share aligns with the file path C:\Windows\.

Figure 3. Code example of redirected output to a file (Click to enlarge)

As shown in Figure 3, on line 295 of the wmiexec code, the command variable has a few variables that are appended with additional data, concatenating the /Q /c switches with the command being run and the redirection. While this full command line is a great indicator of wmiexec usage, the variable __output (shown in Figure 3 as self.__output) is the name of the temporary file written to disk and creates additional forensic artifacts on disk. When the tool concatenates the command parameters together, an example final resulting command is shown in Figure 4 where the threat actor is attempting to execute hostname.

Figure 4. Full wmiexec command result (Source: Windows Event Log)

The output variable containing the name of the file that is to be written to disk is declared in two places, shown in Figure 5 of the wmiexec code. First on line 46, the output of the command is given a filename of two underscores, __, followed by the current time in EPOCH. This is important for two reasons: the presence of this file indicates execution of (or attempted execution of) wmiexec and also it will give us a time of execution. As previously mentioned, this file will reside in C:\Windows\, which is remotely accessible using the ADMIN$ share. An example of the file written to disk is shown in Figure 6. The output file stores the results of the command executed to be sent back to the threat actor, which can also be useful to defenders (more on this later).

Figure 5. Code example of the output filename

Figure 6. Example of output file written to disk

Cleanup Operations

The output file is not always present on disk because wmiexec, upon successful and complete execution, will clean up after itself. Most commonly this file is left behind for one of two reasons: a threat actor prematurely canceled a command before it has completed (i.e., CTRL+C), or wmiexec failed or was prevented from executing. In either scenario, if the wmiexec script is unable to complete execution it will not reach line 285, shown in Figure 7, to clean up the file on disk. Also of note, incomplete execution of wmiexec does not necessarily mean the threat actor was unable to successfully execute their command.

Figure 7. Code example of file cleanup after execution

An example of a failed cleanup operation is if an interrupt command such as CTRL+C was issued while wmiexec is running, which would leave behind a file on disk. In Figure 8, execution of wmiexec is performed using the NTLM hash of a user winadmin to the host INFOSEC-PC1 in a test environment. Executing wmiexec without a command will establish a semi-interactive shell — from an threat actor perspective, this means a shell is established that appears interactive, but each command executed will be sent through the wmiexec channel and include the standard process execution cmd.exe /Q /C <command> 1> \\\\\ADMIN$\__<EPOCHTIME> 2>&1 command format. In Figure 8, after running nslookup an abort command is issued (CTRL+C) and the nslookup process is interrupted. The result is a file on disk containing the output of the command executed, shown in Figure 9. Note: In Figure 9, an abort command needed to be issued since nothing was supplied to nslookup, and although this was done in a test environment, CrowdStrike Services has seen this exact occurrence happen during real incident response engagements.

Figure 8. Execution of to interrupt nslookup execution (Click to enlarge)

Figure 9. Examining the leftover file contents

Another example of failure to clean up and artifacts left on disk is shown in Figures 10 and 11. In Figure 10, wmiexec is executed similarly as before, but this time powershell.exe is executed. Since running the command powershell.exe would open a new PowerShell prompt, issuing another abort command (CTRL+C) will result in the output file not being cleaned up. Figure 11 shows the header of a new PowerShell window in the contents of the output file, __1645636397.851114.

Figure 10. Execution of to interrupt PowerShell execution (Click to enlarge)

Figure 11. Examining the leftover file contents of PowerShell output (Click to enlarge)

The temporary files discussed here can be a valuable indicator of wmiexec execution even when they are successfully cleaned up. Windows Prefetch files are used by the Microsoft Windows operating system to improve application start-up performance. Prefetch is a common forensic artifact located in C:\Windows\Prefetch that can be used to identify process execution along with contextual information related to the file that was executed. 

As shown in Figure 12, contextual information can be parsed from Prefetch using a tool such as PECmd. This contextual information includes Dynamic Link Libraries (DLLs) and other files used by the process that was executed. In this example, a variety of DLLs are referenced in the Prefetch file for whoami.exe as well as the temporary files associated with wmiexec. The temporary files previously discussed cannot be extracted from the Prefetch file — but, this example does show that Prefetch data contains evidence that whoami.exe was executed with wmiexec.

Figure 12. Examining parsed Prefetch data to identify a relation between whoami and temporary wmiexec files

Key visibility into potential wmiexec execution comes from command-line process execution. Process execution will give a defender more definitive evidence and visibility into the exact commands being executed regardless of actions taken by the threat actor. Relying primarily on local logging, the Windows Security Event Log can provide granular data on the command line execution with the right settings enabled. Unfortunately, Security Event ID 4688 is not enabled by default. After enabling Event ID 4688, defenders must also configure it for full command line auditing, which is described below.

Note: When introducing any recommendations for security or visibility enhancements to your environment, proper testing should be conducted to ensure it will not affect business operations negatively.

To enable Event ID 4688, open the Local Group Policy Editor and do the following (shown in Figure 13):

Local Group Policy Editor > Open Computer Configuration > Open Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking > Enabled Audit Process Creation

Figure 13. Local Group Policy Editor to enable Event ID 4688

In addition, the box for configuring both success and failure events should be checked, and then click apply, as shown in Figure 14.

Figure 14. Enabling Success and Failure events

Finally, check to make sure auditing is enabled, as shown in Figure 15.

Figure 15. Successful enabling of Event ID 4688

After enabling Event ID 4688, the Windows Security Event Log will log created and new process names, giving a defender granular insight into the commands issued on a particular system. As previously mentioned, WMIPRVSE.exe with a child process of CMD.exe is a great indicator of potential wmiexec usage, as shown in Figure 16.

Figure 16. Event ID 4688 enabled showing process creation of wmiexec

Although visibility into parent/child processes on a system helps defenders, the full process command line in Figure 16 is blank because it must be enabled separately. In order to enable the full process command line, open Local Group Policy Editor and navigate to the following location (as shown in Figures 17 and 18):

Local Group Policy Editor > Computer Configuration > Administrative Templates > System > Audit Process Configuration > Include command line in process creation events > Enable

Figure 17. Enabling process command line for Event ID 4688

Figure 18. Enabling process command line for Event ID 4688

With process command line auditing enabled for Event ID 4688, more granular detail on the exact commands executed is recorded, rather than just parent/child process execution. Forwarding this data to a centralized security information and event management (SIEM) tool can allow defenders to set up alerts and dashboards to track process executions. As shown in Figure 19, Event ID 4688 is now logging the entire command line, giving a defender the ability to see wmiexec was used to remotely execute the command hostname.

Figure 19. Process command lines enabled for 4688 – execution of wmiexec

Other resources such as antivirus detection logs and the Microsoft Protection Log (“MPLog”) are also good resources for gaining command line visibility into wmiexec usage. This CrowdStrike blog discusses how to leverage MPLog in greater detail. 

Prevention and Mitigation

Enabling process command lines and Event ID 4688 is great for visibility and can assist defenders in identifying a threat actor within your environment, although it does not aid much in prevention. As shown in Figure 20, running Impacket to establish a semi-interactive shell will give the threat actor the ability to run commands and while visibility into these attacks is critical, mitigating them is the ultimate goal.

Figure 20. Threat actor execution of remote commands with wmiexec (Click to enlarge)

CrowdStrike Falcon Insight™ endpoint detection and response will collect granular data on process execution in real time, going into more detail than the standard process creation logging available in Windows. Indicators of attack (IOAs) are a method used to create detections and preventions for wmiexec. Commonly on CrowdStrike Services Red Team/Blue Team assessments, CrowdStrike experts will assist internal teams to configure an IOA that will allow detection and prevention of wmiexec. In Figure 21, having a proper IOA and then attempting to execute tasklist again shows not only the ability to see the full process parent relationships but also how to prevent it.

Figure 21. CrowdStrike Falcon IOA for wmiexec (Click to enlarge)

Each of the processes that spawned the suspected malicious process can be examined to identify a gold mine of information, including the host where the request originated and full command line parameters, as shown in Figure 22.

Figure 22. Process command line for wmiexec running tasklist

The prevention will restrict the threat actor’s ability to issue remote commands to systems that have an active CrowdStrike Falcon endpoint protection agent. As shown in Figure 23, the threat actor will receive a response of “SMB SessionError.” The failure to execute wmiexec is true for the semi-interactive shell (Figure 23), as well as running single commands (Figure 24).

Figure 23. Failure to execute wmiexec due to Falcon Insight IOA (Click to enlarge)

Figure 24. Failure to execute wmiexec tasklist command due to Falcon Insight IOA (Click to enlarge)

Falcon Insight provides detection data for events with the appropriate prevention and IOAs enabled, but telemetry by default will also be useful to identify threat actor activity. Figure 25 shows an example output of an event search in the CrowdStrike Falcon® console to identify all commands issued. By looking at this list, defenders can see the process, cmd.exe; the remote host that executed the command, (threat actor Testing System); and the full process command line. This is all captured in real time and enables defenders to investigate and respond quickly. The process command line should look familiar and shows execution of a handful of commands (cd, whoami and tasklist).

Figure 25. Event search example of wmiexec commands issued (Click to enlarge)

Falcon Forensics

When looking historically at the artifacts discussed in this blog, Falcon Forensics can be a great asset to a defender’s investigation. Falcon Forensics is a run-once script that is easily deployed through RTR or other deployment tools that will capture a variety of forensic artifacts used for forensic triage of a system. The most beneficial advantage to using Falcon Forensics is the variety of sourcetypes and triage data matched with the ability to perform investigations at scale across an entire environment. Considering the artifacts discussed in this blog, there are specific examples that can be used to find evidence of wmiexec execution at scale, and historically. 

Three source types to scratch the surface and highlight when hunting for wmiexec are prefetch, pslist and dirlist. The standard Falcon Forensics executable will not only capture the presence of Prefetch artifacts but also parse the artifact to identify related modules used by the process, similar to parsing Prefetch discussed previously. In Figure 26 below, the whoami.exe Prefetch file contains a module name of the temporary wmiexec artifacts. Using Falcon Forensics across your environment can look for these artifacts at scale.

Figure 26. Falcon Forensics event search example of wmiexec artifacts in Prefetch (Click to enlarge)

In addition to the Prefetch sourcetype, pslist can be used to identify the previously discussed command line artifacts associated with wmiexec that may be still running at the time of Falcon Forensics deployment. Shown in Figure 27, since PowerShell and nslookup will both hang on execution, the processes were still running, which allowed for visibility into the process execution.

Figure 27. Falcon Forensics event search example of wmiexec artifacts in pslist (Click to enlarge)

Lastly, files written to disk are a strong indicator of threat actor activity. In Figure 27 an example of wmiexec execution that failed to clean up is easily identifiable using Falcon Forensics to search for the recognizable common file name format, __<EPOCHTIME>, in C:\Windows.

Figure 28. Falcon Forensics event search example of wmiexec artifacts in dirlist (Click to enlarge)


Impacket, and specifically wmiexec, is a tool increasingly leveraged by threat actors. While defenders should remain vigilant on the usage of Impacket, the strategies discussed in this blog can also be used to dissect and understand other threat actor tool sets to identify avenues for detection and prevention.

Additional Resources

CrowdStrike Introduces Sandbox Scryer: A Free Threat-Hunting Tool for Generating MITRE ATT&CK and Navigator Data

1 September 2022 at 13:20
  • Sandbox Scryer is an open-source tool for producing threat hunting and intelligence data from public sandbox detonation output
  • The tool leverages the MITRE ATT&CK Framework to organize and prioritize findings, assisting in assembling indicators of compromise (IOCs), understanding attack movement and hunting threats
  • By allowing researchers to send thousands of samples to a sandbox for building a profile for use with the ATT&CK technique, Sandbox Scryer can help solve use cases at scale
  • The tool is intended for cybersecurity professionals who are interested in threat hunting and attack analysis leveraging sandbox output data
  • Sandbox Scryer consumes output from the free and public Hybrid Analysis malware analysis service to help analysts expedite and scale threat hunting as part of security operations center (SOC) operations

Threat hunting is a critical security function, a proactive measure to detect warning signs and head off attacks before a breach can occur. Scaling threat hunting capabilities involves quickly deriving actionable intelligence from a large number of behavioral data signals to identify gaps and reduce time to respond. CrowdStrike has developed a new, open-source tool that is a valuable addition to the arsenal of threat hunters — those cybersecurity professionals who face the challenge of staying ahead of ever-evolving threats.

Introducing Sandbox Scryer 

Using the MITRE ATT&CK Framework to organize and prioritize its findings, the Sandbox Scryer tool leverages sandbox detonation output to provide key information, including observed MITRE ATT&CK techniques and associated metadata. It can do so at scale, allowing researchers to send hundreds or even thousands of files to a sandbox. Sandbox Scryer produces a layer file that can be imported into the ATT&CK Navigator for analysis (including graphical representation of techniques used), and provides a human-readable format for manual examination. 

Defending against advanced and sophisticated threats requires answering the question “What’s next?” after an initial detection. Understanding how threats behave and evolve enables defenders to improve defensive capabilities to identify and prevent future attack attempts and stages.

Sandbox Scryer was initially developed to consume output from the free and public Hybrid Analysis malware analysis service that detects and analyzes unknown threats using a unique Hybrid Analysis technology. Designed to be extendable, Sandbox Scryer can also process output from other malware analysis services that offer sandbox detonation reports.

How Sandbox Scryer Helps to Make Sense of Threats Hidden in Sandbox Detonation Data

Threat behavior data coming from sandbox detonations can help provide the needed signal to inform focused answers to the question “What’s next?” Sandbox Scryer allows threat hunters to easily scale their investigations by sending a large number of samples to a sandbox at once and building a comprehensive profile that shows the tactics, techniques and procedures (TTPs) being used so protection gaps can quickly be identified, enhancing intelligence and threat hunting operations. 

Sandbox Scryer supports the prioritization of IOCs and ATT&CK behaviors and produces information that can easily integrate into SOC and security orchestration, automation and response (SOAR) operations at scale, improving defensive capabilities. 

For example, having a heat map that visually depicts a technique such as the use of Remote Desktop Protocol (T1021.001) being shared across all samples submitted for analysis enables analysts to take immediate action and improve their defense posture by enabling identity protection mechanisms or additional policies.  

For another example, consider that most endpoint detection and response (EDR) and extended detection and response (XDR) solutions support threat hunting by ATT&CK Techniques. Using Sandbox Scryer to combine multiple reports can reveal common techniques that can be included in a hunting package to search for similar threats in the enterprise.

Sandbox Scryer helps organize and express the plethora of sandbox behavioral data so analysts can better understand and respond to attacks. Its primary output is a layer file analysts can import into the MITRE ATT&CK Navigator. This layer file collates data from the sandbox results using the set of sample submissions analyzed and includes metadata and a ranking of ATT&CK techniques.

Besides being importable into the Navigator, the layer file is also a human-readable (JSON) format usable by itself for examining the collated data. In fact, it may be easier to examine details of the metadata noted in the layer file from techniques of interest than by viewing in the Navigator.

In addition to generating the layer file, Sandbox Scryer creates custom output for each sandbox submission report analyzed. This output consists of:

  • A graphical (.png) file showing observed MITRE ATT&CK techniques
  • A text file for human consumption that includes observed techniques, metadata and a ranking of techniques
  • A .csv file for import into collating tools that is used by Sandbox Scryer to assemble the collated data placed in the Navigator layer file

How to Use the Sandbox Scryer Tool

Figure 1 shows the major workflow steps for using Sandbox Scryer.

Figure 1. The Sandbox Scryer tool workflow

Step 1. Submitting Samples

Usage begins with submitting a selected set of samples for detonation to the free Hybrid Analysis malware analysis service and then retrieving detonation results in the form of report summaries.

This is done either using the Hybrid Analysis web user interface or through the documented and available endpoint API. The Sandbox Scryer tool retrieves the output (submission reports) using the endpoint API. The tool could be expanded to handle submitting samples and retrieving results directly, as a later enhancement.

Figure 2. Sandbox report summary snippet (Click to enlarge)

The report summary includes entries for sandbox signatures that triggered processing the submission. Metadata is included for each triggered signature and detected MITRE ATT&CK technique usage.

Step 2. Retrieve Sandbox Report

Once the sandbox report summaries are retrieved for the submissions, the Sandbox Scryer tool is invoked for each report summary with the parse command specified via command-line arguments. This command will parse the report summary and extract the MITRE techniques from the detonation report, along with a subset of metadata for these techniques. It will produce a .csv file with this data, a corresponding human-readable format of the data and graphical representation of the techniques in the format of the MITRE ATT&CK Framework.

Figure 3. Individualized graphic showing MITRE techniques observed during the detonation for a specific sample (Click to enlarge)

Figure 4. Parsed sandbox detonation report summary snippet (Click to enlarge)

Finally, Sandbox Scryer is invoked with the collate command to collect the extracted MITRE data from each report summary and combine it into a layer file that can be imported into the MITRE Navigator.

Following this, the MITRE ATT&CK Navigator may be launched to load the layer file and view the collated data.

Figure 5. Screenshot showing the Navigator view of the Sandbox Scryer output (Click to enlarge)

The Navigator shows a view of the techniques and tactics observed by Sandbox Scryer while analyzing a set of submitted samples, with prevalence and prioritization shown via a heat map. This graphical view allows for easier human understanding of trends and priorities within the set of samples.

Hovering over techniques shows noted metadata such as the score used to generate the heatmap coloring, Windows Registry paths involved and more.

To analyze a particular technique more completely, an analyst would return to the sandbox report summaries and search for signature entries that note the MITRE technique, using grep or any similar tool.

The report summaries located within the search contain a complete set of metadata for the signature(s). This includes the technique (what is included in the Navigator view and other Scryer tool output is a subset of available metadata). More than one signature may note the technique. Additionally, other signatures triggered for the submission may be examined along with their metadata.

It’s worth noting that the output from the Sandbox Scryer tool can be sent to other tools for additional analysis.

A Free Tool to Advance Threat Hunting

The open-source Sandbox Scryer tool enables security professionals to understand threat attack movement by correlating behavior across multiple threats to understand and improve defenses where coverage gaps exist.  

Cybersecurity professionals interested in threat hunting and attack analysis leveraging sandbox output data can grab the Sandbox Scryer tool from the GitHub repository and start using it as part of their toolset.    

The repository contains additional details on how the tool operates, its source code, test data and corresponding output. Collaboration and feedback is welcome, so please see the tool for contact information on how to get in touch.

Additional Resources

Register Now to Join Us in Las Vegas for Fal.Con 2022

1 September 2022 at 14:39

The countdown has begun! In less than a month, we’ll gather in Las Vegas for Fal.Con 2022, the sixth annual CrowdStrike cybersecurity conference. We’re excited to bring you an event packed with product announcements, keynotes from industry visionaries, deep-dive talks, hands-on workshops and training sessions, special guests and more. 

The past few years have been pivotal for enterprise technology. Organizations have undergone massive digital transformation to power remote employees, driving the proliferation of devices and identities. While this has led to new levels of productivity, it has also created a larger attack surface. Security is key to making your enterprise more resilient, powering the productivity of digital transformation, and protecting your data, workloads and identities from today’s threats.

Fal.Con is where security and technology professionals come together to attend cutting-edge keynotes, develop new skills, network with industry leaders and partners, and tap into the full power of the CrowdStrike ecosystem to better strengthen their defenses.

Here’s What You Need to Know About Fal.Con 2022

Mark your calendars: This year’s event will take place Sept. 19-21 at the Aria Resort & Casino in Las Vegas.

Don’t forget to RSVP: You can register here for Fal.Con 2022. Register today! 

What to expect: The Fal.Con 2022 educational program offers valuable knowledge for security professionals at every level, whether you’re a practitioner working to improve your mastery of the CrowdStrike Falcon® platform or an executive planning to level up your enterprise security strategy. We’re planning more than 100 informative learning sessions, keynotes, panels, training sessions and interactive workshops for this year’s event. These are organized across eight tracks, each of which is a topic essential to the future of enterprise security:

  • Log Management and Observability
  • The Future of Endpoint Security and SecOps
  • Identity Protection
  • Journey to Cloud
  • Security Architecture and Strategy
  • Security Services
  • Threat Intelligence
  • Zero Trust

As a Fal.Con attendee, you’ll have the opportunity to build a conference schedule that suits your needs. Join the keynotes to learn about the next wave of CrowdStrike security innovation that unifies protection across endpoints, cloud workloads, identities and data. Sign up for a workshop to learn new ways of using CrowdStrike technology in today’s rapidly changing threat landscape. Drop in on a breakout session for a technical how-to or business-level discussion — our agenda builder lets you mix-and-match sessions depending on your needs and interests.

We’ll be sharing more updates in the weeks leading up to Fal.Con 2022. In the meantime, here is a sneak peek of what’s in store:

  • 100+ presentations, breakout sessions, keynotes, peer panels and more
  • New product innovations and enhancements 
  • Keynotes from industry visionaries
  • CrowdStrike University Training
  • CrowdStrike Partner Summit
  • Peer-to-peer meet-ups
  • Expert Q&As
  • Executive meetings

Join Us to Strengthen Your Security Strategy

In today’s evolving threat landscape, it’s more important than ever for security professionals to update and strengthen their protection against attackers and bolster their overall cyber defenses. Our sixth annual conference is the must-attend event for the global cybersecurity community, connecting thousands of tech executives and security professionals who share a common goal: to stop breaches. 

We hope to see you in Vegas for this information-packed event — register today and mark your calendars for Fal.Con 2022!

Additional Resources

Consolidated Identity Protection in a Unified Security Platform Is a Must-Have for the Modern SOC

6 September 2022 at 18:52

As cyberattacks continue to grow relentlessly, enterprises have to continue improving their cyber defenses to stay one step ahead of the adversaries. One area that CISOs have recently started paying more attention is identity threat protection. This is not surprising considering 80% of modern attacks are identity-driven leveraging stolen credentials. In fact, identity threat detection and response is highlighted as one of the top trends in cybersecurity in 2022 by Gartner. Their key recommendation includes: “Prioritizing the security of identity infrastructure with tools to monitor identity attack techniques, protect identity and access controls, detect when inclusions are occurring, and enable fast remediation.” 

CISOs have started looking at the most effective and optimal way to address identity threats without overwhelming their security operations center (SOC) with yet another standalone tool that isn’t integrated with the rest of their security stack, causing additional alert fatigue.

One option is to simply settle for identity security features or modules included in enterprise bundles from their identity and access management (IAM) legacy vendors. In a previous post, we examined the pitfalls of this approach including competing interests of the vendor, lack of security focus and risk of vendor lock-in. Essentially, settling for an identity security solution from your identity vendor will lead to poorer security outcomes and increase the risk of breaches.

Point Solutions Are Not the Answer

Another option we examine in this post is a standalone identity security solution that security teams can deploy separately and integrate with their SOC. A web search for “workforce identity protection” or “AD security” yields a number of solutions from various vendors that can potentially fit the bill. They all claim to protect against identity-based threats. Not so fast. Here are a few reasons why point solutions to address identity threats in isolation is a bad idea:

  • Deployment/integration overhead: A separate standalone solution would require you to deploy it and integrate with the rest of the tools in the SOC to get any value out of it. Even with a custom integration, your SOC personnel would still need to deal with multiple disparate consoles to correlate threats across endpoints, identity and workloads.
  • Agent sprawl/maintenance: As every standalone solution has its own agent, you would end up with agent sprawl and consequent maintenance overheads. A multitude of agents from different vendors would slow down performance at best and could interfere with each other at worst. Further, the onus of keeping all the agents up to date across the organization is on you.
  • Lack of correlation: The biggest challenge of this approach is the lack of correlation of threats across endpoints and identity. Your SOC personnel would have to traverse multiple consoles and manually correlate threats across endpoints and identity to detect an attack.
  • Lack of automated responses: While quick and accurate detection are important, what you really need are automated policy-based responses such as blocking the adversary or throwing a multifactor authentication (MFA) challenge. Crafting automated policy-based responses across different products can be a huge challenge. 
  • Slower response: The frustration over manually correlating threats and lack of responses based on automated policies would slow you down when dealing with a real attack. Worse, the fatigue of dealing with multiple alerts from different systems could cause SOC personnel to miss actual threats.

Please note, these challenges apply not just for point solutions but also when vendors like SentinelOne offer identity security capabilities as a disjointed piece of a single, branded platform.

A Unified Security Platform Is the Best Solution

The right way to address these challenges is a unified platform approach that seamlessly integrates telemetry from across customer endpoints, workloads, identities and data to offer accurate detections and real-time protection without overwhelming your SOC personnel.

Here are the key platform differentiators you can expect from the CrowdStrike Falcon Identity Threat Protection™ solution: 

  • Single unified sensor: The same stable and reliable CrowdStrike Falcon® sensor that protects millions of endpoint devices can protect your AD domain controllers as well. It has the intelligence to pull the relevant identity data into the unified Falcon platform, simplifying the deployment architecture. This single-sensor approach not only eliminates deployment overheads and agent sprawl but also ensures easier maintenance.

Figure 1. One Falcon sensor for endpoint and identity protection (Click to enlarge)

  • Single unified platform: The Falcon platform is powered by the CrowdStrike Security Cloud — one of the world’s largest unified, threat-centric data fabrics — that correlates trillions of security events per day with indicators of attack (IOAs), the industry’s leading threat intelligence and enterprise telemetry from across customer endpoints, workloads, identities and data. This holistic platform approach ensures a rapid, cohesive response to threats that is very hard to achieve by cobbling together disparate point solutions.

Figure 2. Falcon platform powered by the CrowdStrike Security Cloud (Click to enlarge)

  • Standard detections interface: The single platform approach ensures your SOC personnel have a unified view of identity threat detections in the Falcon console instead of having to traverse multiple consoles. This familiar interface not only reduces training overheads but would be invaluable in the event of an actual attack, where every second is precious.

Figure 3. The Falcon platform’s standard Detections interface used for identity threat detections (Click to enlarge)

  • Tight correlation across endpoints and identity: Another key benefit of the unified platform approach is that it can apply intelligence to automatically correlate threat data as well as response across endpoints and identity. For example, the Falcon sensor can block the authentication operation from an endpoint that may have been compromised or block an endpoint used by a user that is determined to be risky.
  • Real-time automated response: The platform approach and tight correlation also enables the orchestration of rapid, automatic response to block threats in real time via a flexible policy engine (e.g., a policy that automatically enforces an MFA challenge to the user when the request comes from an unmanaged endpoint like a temporary contractor’s laptop). This type of automation is hard to implement when your endpoint and identity protection solutions are not fully integrated.
  • Fully managed option: While this unified approach significantly simplifies the deployment and operation of your SOC, you may prefer a fully managed offering if you do not have the in-house resources to take on adversaries. CrowdStrike is the only security-focused vendor to offer a fully managed identity threat protection solution that provides expert management, monitoring and remediation to deliver frictionless, real-time identity threat prevention — all backed by an industry-leading Breach Prevention Warranty. 


The importance of this platform approach to take on adversaries is also recognized by analysts. In his recent paper “Identity & Security: Addressing the Modern Threat Landscape,” John Tolbert from KuppingerCole makes the case as to why a unified security and identity approach is necessary to deter malicious actors. Download his white paper to get an analyst’s perspective on why consolidating identity protection into a unified security platform is key.


  1. Gartner, Top Trends in Cybersecurity 2022, Peter Firstbrook, Sam Olyaei, Pete Shoard and others, 18 February 2022.

Disclaimer: GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Additional Resources

  • Learn more about attack techniques leveraging identities at Fal.Con 2022, the cybersecurity industry’s most anticipated annual event. Register now and meet us in Las Vegas, Sept. 19-21!  
  • Learn how CrowdStrike Falcon Identity Protection products reduce costs and risks across the enterprise by protecting workforce identities.
  • Watch this video to see how Falcon Identity Threat Protection detects and stops ransomware attacks.
  • Learn how the powerful CrowdStrike Falcon platform provides comprehensive protection across your organization, workers and data, wherever they are located.
  • Get a full-featured free trial of CrowdStrike Falcon Prevent™ and see for yourself how true next-gen AV performs against today’s most sophisticated threats.

2022 Threat Hunting Report: Falcon OverWatch Looks Back to Prepare Defenders for Tomorrow’s Adversaries

13 September 2022 at 20:56

Another turbulent year for cybersecurity finds itself right at home alongside global economic headwinds and geopolitical tensions. This year has been defined by rampant affiliate activity, a seemingly endless stream of new vulnerabilities and exploits, and the widespread abuse of valid credentials. These circumstances have conspired to drive a 50% increase in interactive intrusion activity tracked by CrowdStrike Falcon OverWatch™ threat hunters this year.

The CrowdStrike 2022 Falcon OverWatch Threat Hunting Report examines the trends that dominated the past year, digs deeper into novel and interesting examples of adversary tradecraft, and looks ahead at how and where threats are evolving. 

Defenders can share in the insights derived from the global OverWatch threat hunting program. In this past year alone, OverWatch threat hunters directly identified more than 77,000 potential intrusions, or approximately one potential intrusion every seven minutes. This extensive visibility at the cutting edge of interactive intrusion activity provides an unparalleled look at how adversary tradecraft and tooling are being used today — empowering defenders to stay ahead of the adversaries tomorrow. 

What You’ll Find in This Year’s Report

  • A look at some of the vulnerabilities that made headlines, and evidence of how focusing on patterns of post-exploitation activity provides both proactive and comprehensive coverage against known and unknown vulnerabilities.
  • An exploration of the diversification of affiliate tradecraft, including a comparison of four distinct intrusions all leveraging the Lockbit ransomware-as-a-service model.
  • Insights into adversary tooling with a look at what is trending and what is emerging.
  • An intrusion deep dive that examines a targeted PANDA intrusion against an organization in the technology industry.
  • A look at escalating eCrime threats targeting the healthcare sector and recommended action items for defenders.
  • Details of the re-emergence of ISO files in phishing campaigns as internet-enabled macros begin to be disabled.
  • A look at cloud-based threats, as well as adversaries’ ability to confidently navigate cloud-based assets to advance their intrusions.

In addition to unearthing a record number of interactive intrusions over the course of this year, OverWatch’s research has fed the continual improvement of the CrowdStrike Falcon® platform. The insights drawn from OverWatch’s hunting and deep familiarity with adversary tradecraft have been distilled into hundreds of new behavioral-based preventions, resulting in the direct prevention of over 1 million malicious events by the Falcon platform. OverWatch also closed out this year’s reporting period with five new patents to its name — a recognition of the innovative tooling and technologies that enable hunters to pinpoint adversary activity with speed and at scale.  Finally, OverWatch has introduced Falcon OverWatch Cloud Threat Hunting™, taking the fight to the adversary amid growing evidence that adversaries are actively going after cloud workloads.

In the face of both emerging and enduring threats, OverWatch has continued to raise the bar of what it means to conduct truly proactive human-driven threat hunting operations. 

Download the report

Additional Resources

  • Learn more about hands-on-keyboard threats and the power of human-led threat hunting at Fal.Con 2022, the cybersecurity industry’s most anticipated annual event. Register now and meet us in Las Vegas, Sept. 19-21!  
  • Tune in to Twitter Spaces on September 19 at 11:30 a.m. PT / 2:30 p.m. ET to hear from experts live at Fal.Con 2022 as they highlight key takeaways from the report. Listen live here
  • Adversaries never take a break — and neither does the Falcon OverWatch threat hunting team. Join them for a LIVE CrowdCast on October 6 at 11 a.m. PT / 2 p.m. ET as they share new attack trends and tradecrafts from the new report. Register here.  
  • Read the press release announcing the new 2022 Falcon OverWatch Threat Hunting Report.
  • Learn more about the CrowdStrike Falcon platform by visiting the product webpage.
  • Test CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.

Coming Soon to Las Vegas: Fal.Con 2022 Event Highlights and Special Guests

14 September 2022 at 08:00

The countdown continues! As Fal.Con 2022 quickly approaches, we’re excited to share more information about the security industry visionaries and notable talks on the agenda for the sixth annual CrowdStrike conference for customers and cybersecurity professionals. 

IT and security practitioners must stay a step ahead of adversaries who are constantly evolving their tactics, techniques and procedures to breach organizations. Fal.Con is where they come together to attend cutting-edge keynotes and deep-dive talks, learn new skills in hands-on workshops, build connections with peers across the cybersecurity community, and understand the trends and solutions they need to know to strengthen their organization’s security posture. 

Fal.Con 2022 will take place Sept. 19-21 at the Aria Resort & Casino. If you haven’t yet snagged your spot, you can register for the event here.

Who’s Coming to Fal.Con 2022

On Tuesday, Sept. 20 and Wednesday, Sept. 21, CrowdStrike’s executive team will take the Fal.Con stage to deliver keynotes and discuss the future of security innovation strengthening protection across endpoints, cloud workloads, identities and data — all critical areas for securing the modern enterprise. Special guests will join to discuss topics including leadership, cybersecurity, and why security requires cooperation and partnership between the public and private sectors. 

Our esteemed guest speakers include: 

  • Kemba Walden: The first Principal Deputy National Cyber Director for the White House will join Shawn Henry, President of CrowdStrike Services and CrowdStrike CSO, to dive into a range of topics; namely, how the security industry can work with the government to protect organizations from evolving threats.
  • Kevin Mandia: Mandiant Director and CEO Kevin Mandia will join CrowdStrike co-founder and CEO George Kurtz for a fireside chat to discuss how they’re working together to solve today’s biggest security challenges. 
  • Reshma Saujani: Founder of Girls Who Code and Marshall Plan for Moms Reshma Saujani, who started the educational nonprofit that aims to encourage young women’s participation in computer science, will talk about closing technology’s gender gap and join CrowdStrike Chief Product and Engineering Officer Amol Kulkarni for a Q&A session.

We can’t wait to hear from the speakers in this year’s lineup. But that’s not all — attendees will have the opportunity to create their own conference schedule and attend a variety of informative learning sessions, keynotes, panels, trainings and interactive workshops.   

Session Spotlight: What’s on the Agenda

The Fal.Con 2022 agenda is packed with more than 100 sessions organized into eight tracks, each of which corresponds to a topic that is essential to the future of cybersecurity. Session tracks include Cloud, Endpoint, Security Services, Threat Intelligence, Log Management and Observability, Zero Trust, Identity Protection and Security Architecture. 

Below are a few of the incredible sessions we have lined up — start building your agenda now! 

  • Cloud-Native Application Platform (CNAPP): Bridging the Gap for DevSecOps: As businesses move applications, workloads and data to the cloud, it’s critical they rethink how to protect those resources. Unfortunately, many rush to adopt cloud workload protection without considering the bigger picture of how cloud security controls work together across all layers of the technology stack. As a result, they end up with security controls working in silos, leading to poor visibility and security gaps. This session will discuss a security convergence journey that will affect all aspects of the business.
  • Defeating Fileless Attacks with Memory Scanning: The Latest Threat Research and Protection Innovations: In 2021, 62% of cyberattacks were malware-free. These fileless threats can be carried out entirely in memory, creating a blind spot for threat actors to exploit. CrowdStrike experts will explore the latest fileless attack trends and how to defeat them with new innovations across the CrowdStrike Falcon® platform.
  • Evolving Threats in the Cloud and What They Mean: As organizations move data and infrastructure to the cloud, they open themselves up to new security threats — often without realizing it. This session aims to not only highlight threats in the cloud based on real adversary tactics and attacks, but also provide meaningful ways to address risks.
  • Sharpening the Saw: Endpoint + Identity, Better Together: This talk will showcase why identity is the new frontline of cyber, how malware is increasingly targeting identities, and how sometimes attackers don’t start early in the attack kill chain but rather with lateral movement and compromised credentials. Experts will demonstrate how to reduce time to detect threats with identity, and how to contain the user and endpoint with an endpoint protection platform (EPP) and identity protection (IDP).
  • The Russia-Ukraine Conflict: Insights into the Conflict and CrowdStrike’s Response: This presentation will provide an overview of CrowdStrike’s response to the Russia-Ukraine conflict, a detailed summary of targeting trends throughout the conflict and CrowdStrike’s rapid response to our customers’ dynamic intelligence requirements during this time. CrowdStrike Intelligence delivered relevant and timely analysis for our customers across a broad range of sectors and geographies. This talk will also provide a current and retrospective analysis of the conflict.

More Fal.Con 2022 Event Highlights

In addition to keynotes and learning sessions, Fal.Con 2022 attendees can look forward to CrowdStrike University trainings, during which they can gain new skills and learn to become a CrowdStrike certified professional. We’ll also hold the 2022 Partner Summit, during which executives will provide updates on the partner business and give partnerships an early look at what their partnership will look like in the future. More than 50 CrowdStrike partners exhibiting at Fal.Con 2022 will share their tools and technologies that can enhance your security offerings.

Attendees will also have the chance to explore the Falcon platform with Falcon Encounter, which gives them live access to the Falcon user interface so they can navigate the product and learn more about CrowdStrike’s cloud-delivered solution. There’s no previous product knowledge required — and an encounter to satisfy everyone’s interest and skill level! 

And of course, we can’t forget Fal.Con Fest — an exciting event on Sept. 20 to celebrate CrowdStrike customers and their accomplishments with a memorable celebration that includes music, games, food and drinks. 

Register now to join the excitement and be part of Fal.Con 2022!

Additional Resources

CrowdStrike Partners with MITRE CTID to Identify Adversaries Using Cloud Analytics

13 October 2022 at 13:14
  • Fourteen key cloud analytics for Azure and GCP cloud environments were identified and mapped as indicative of adversary behavior and serve as a blueprint for understanding and writing new cloud analytics.
  • The CrowdStrike Falcon®® platform delivers a powerful combination of agentless capabilities to protect against misconfigurations and control plane attacks, along with agent-based runtime security to proactively secure cloud environments by harmonizing real-time cloud-native events and TTPs to comprehensively detect adversaries.

CrowdStrike is a Research Sponsor in the Cloud Analytics project — a new MITRE Center for Threat-Informed Defense initiative (CTID) to capture key adversarial tactics, techniques and procedures (TTPs) to improve detection of threat actor behavior in cloud environments. CrowdStrike’s work with the CTID lays the groundwork for advancing public cloud security. 

The goal of the project was to map analytics across disparate infrastructures and cloud services to reduce alert noise and quickly identify abnormal and evasive behaviors faster than going through each separate infrastructure. The project uncovered 14 key cloud analytics for Azure and GCP cloud environments mapped to the MITRE ATT&CK® Cloud Matrix and indicative of cloud-specific adversary behavior. 

The CrowdStrike Falcon® platform identifies and protects customers against all adversary tactics uncovered in the project. CrowdStrike delivers comprehensive cloud security by combining agent-based and agentless protection in a single, unified platform experience using machine learning and indicators of attack (IOAs) to observe, detect, remediate and prevent adversarial or anomalous activities.

The results of this research are presented in a blueprint document that maps some of the key cloud analytics and offers best practices and lessons learned. Protectors can use this document as a guide for identifying and mapping cloud analytics in their environments.

Figure 1. The 14 key cloud analytics for Azure and GCP cloud environments identified in the MITRE CTID Cloud Analytics project (source) (click to enlarge)

Detecting Adversaries in the Cloud Is Hard

Detecting adversaries using cloud analytics is hard — because it’s expensive to do it right. You must ingest and store large amounts of log data, you need the right people looking at the data, and you need tooling and time to make the cloud data reveal adversaries without false positives. 

At the same time, adversarial TTPs in the cloud have been evolving rapidly, revealing the critical need for defenders to have both real-time visibility into the cloud control plane and targeted activity analytics to observe, hunt and remediate cloud-based threats. 

The industry is trying to solve cloud security by managing configurations or applying a legacy antivirus mindset to it. Neither will succeed. Comprehensively securing cloud environments requires the powerful combination of agentless capabilities that protect against misconfigurations and control plane attacks, along with agent-based runtime security to protect your workloads.

The growing volume, velocity and variety of cloud logs, coupled with log file-based monitoring, makes it incredibly difficult for analysts to identify adversary behaviors in real time to stop breaches. Adversary breakout time — the time from when an adversary infiltrates a system to when they move laterally across the organization’s network — is now 1 hour and 24 minutes, according to the 2022 Falcon OverWatch Threat Hunting Report, leaving analysts with a short window of opportunity to identify and contain threats to their infrastructure — otherwise the organization could suffer a costly breach if the threat actor is able to move laterally and expand across the cloud estate.

Traditional approaches to cloud security, such as securing the access layer — for example, the cloud access security broker (CASB) — are not enough as adversaries employ a wide range of TTPs. What’s necessary to stop breaches is access to usable, accurate and actionable real-time analytics and cloud controls.

CrowdStrike Leads the Way in Cloud Workload Protection

The CrowdStrike Falcon® platform was born in the cloud with a mission to stop breaches. CrowdStrike understands how to secure cloud environments using cloud-native IOAs to solve the current challenges the industry is experiencing with cloud analytics.

The CrowdStrike Falcon® platform sets the new standard in cloud security. Watch this demo to see the Falcon platform in action.

The Falcon platform can offer behavioral detections by using the power of the CrowdStrike Security Cloud and cloud data analytics to harmonize runtime events and produce cloud analytics indicative of real-time adversary behavior. It correlates new and historical events and malicious indicators, such as suspicious login activity or privilege escalations, to detect adversarial behavioral patterns against end-to-end activity events from the cloud control planes in near real time. 

For example, CrowdStrike’s AWS IAM policy behavior detection monitoring will alert customers when an API call has been made to modify an IAM role policy to allow public access — essentially allowing a public AWS user to inherit the permissions granted by the IAM role. This behavior could be used by an adversary to expand and elevate their access via a user account they already control. 

CrowdStrike’s Automated Cryptocurrency Miner Attack alert monitors for and alerts customers when a rapid series of calls are observed to the EC2 service that often aligns with how adversaries set up miners. This may include EC2 enumeration, VPC creation and instance run commands all executed in quick succession.

The Falcon platform provides visibility into your entire cloud infrastructure, continuous monitoring for misconfigurations, and proactive threat detection — allowing organizations to stop breaches in their tracks with unified visibility, threat detection and continuous monitoring and compliance for multi-cloud environments.

CrowdStrike Falcon® Horizon™ cloud security posture management can look beyond configurations to alert organizations when suspicious activity is detected, such as the rapid sequence of calls that would be used by an attacker launching a scripted mining attack.

Falcon Horizon provides granular policy assessment and visibility to help organizations instantly identify potential exposures, resolve findings, detect and prevent identity-based threats across hybrid and multi-cloud environments and minimize overall risk. CrowdStrike’s expertise in securing cloud infrastructures from sophisticated adversaries demonstrates that we understand what the current industry challenges are and we have addressed them with a clear adversary-focused approach to detecting malicious behavior to stop breaches. 

With the CrowdStrike Falcon® platform, organizations can secure their entire cloud-native stack, on any cloud, across all workloads, containers and applications as it enables them to automate security and detect and stop suspicious activity and risky behavior, to stay ahead of threats and reduce the attack surface.

See for yourself how the industry-leading CrowdStrike Falcon® platform protects your cloud environments. Start your 15-day free trial today.

CrowdStrike is proud to partner with MITRE CTID to advance cybersecurity in the public interest, in particular to help organizations improve visibility and understanding of adversary tradecraft. Past initiatives such as the Top MITRE ATT&CK® Techniques project — which enabled defenders to prioritize and take actions against key TTPs — as well as the recent Cloud Analytics project underline our commitment to leading the way in advancing the state of security so defenders can better secure their infrastructures. 

Additional Resources

October 2022 Patch Tuesday: 13 Critical CVEs, One Actively Exploited Bug, ProxyNotShell Still Unpatched

13 October 2022 at 20:48

Microsoft has released 84 security patches for its October 2022 Patch Tuesday rollout. Of these, 13 vulnerabilities are rated Critical, while the remaining 71 are rated Important. It should be noted that this month’s patching update does not include patches for ProxyNotShell, despite the active exploitation of two related vulnerabilities; CrowdStrike offers recommendations on mitigation until patches are provided. 

Mitigations for ProxyNotShell Vulnerabilities 

Two recently uncovered vulnerabilities — CVE-2022-41040 and CVE-2022-41082 — can be chained together to perform remote code execution (RCE) through PowerShell. By exploiting these vulnerabilities, an attacker could gain privileged access and remotely install the China Chopper webshell. This type of attack targets the Microsoft Exchange Mailbox server, and an attacker could use it to gain access and move laterally into Exchange or Active Directory.

Microsoft’s initial mitigation recommendations were insufficient, as threat researchers showed they can be easily bypassed to allow new attacks exploiting the two bugs. The CrowdStrike Falcon® platform helps protect organizations of all sizes from sophisticated breaches that exploit vulnerabilities by using a defense-in-depth approach to deliver detections and mitigations in real-time. While no patches are yet available, CrowdStrike recommends the following mitigations for these vulnerabilities:

  • For CVE-2022-41040, complete the URL Rewrite Rule mitigation. Exchange administrators need to create a rule that blocks URLs that match the following pattern: .*autodiscover\.json.*Powershell.*. This will prevent known variants of the ProxyNotShell attacks. It is also advised that Condition Input should be changed from {URL} to {UrlDecode:{REQUEST_URI}} to ensure all encoded variations are evaluated before being blocked.
      • CrowdStrike customers with Exchange Emergency Mitigation Service (EEMS) enabled benefit automatically from the updated URL Rewrite mitigation for Exchange Server 2016 and Exchange Server 2019. A complete guide on mitigations for reported zero-day vulnerabilities in Microsoft Exchange Server is available from Microsoft.
  • For CVE-2022-41082, disable remote PowerShell for non-admins. CrowdStrike Falcon®® platform customers should disable remote PowerShell access for non-admin users in your organization (as a best practice, CrowdStrike recommends doing this anyway for non-admin users).

CrowdStrike Falcon® Intelligence™ customers can view a complete technical write-up, attribution and targeting information within the Falcon platform: CSA-221036.

October 2022 Risk Analysis

This month’s leading risk type is elevation of privilege (46%), followed by remote code execution at nearly 24% and information disclosure at 13%. The October 2022 Patch Tuesday release includes patches for 11 information-disclosure vulnerabilities, including one publicly known that affects MS Office products.

Figure 1. Breakdown of October 2022 Patch Tuesday attack types

The Microsoft Windows product family received the most patches this month with 67, followed by Extended Support Updates (44) and Microsoft Office products (9). Also covered in the update is CVE-2022-41033, an elevation of privilege zero-day vulnerability being used in active attacks that affects Windows COM+ Event System Service and is rated as Important with a CVSS of 7.8.

Figure 2. Breakdown of product families affected by October 2022 Patch Tuesday

CVE-2022-41033 is typically paired with other code execution exploits designed to take over a system. This type of attack often involves some form of social engineering, such as enticing a user to open an attachment or go to a malicious website. As shown in Figure 3, this CVE is ranked as Important. Another Important vulnerability affects Active Directory Domain Services and could allow an attacker to get domain administrator privileges, but Microsoft has not provided any details on how that would occur.

Rank CVSS Score CVE Description
Important 7.8 CVE-2022-41033 Windows COM+ Event System Service Elevation of Privilege Vulnerability
Important 7.1 CVE-2022-38042 Active Directory Domain Services Elevation of Privilege Vulnerability

Figure 3. Zero-day vulnerability and AD vulnerability patched in October 2022

CVE-2022-37976, a Critical Active Directory Certificate Services (ADCS) vulnerability, definitely stands out as a CVE to prioritize. If successfully exploited, it provides the attacker with domain administrative privileges. However, exploiting this vulnerability is not easy. A malicious DCOM client would need to trick a DCOM server to authenticate to it through ADCS and then use the credential to launch a cross-protocol attack.

Rank CVSS Score CVE Description
Critical 8.8 CVE-2022-37976 Active Directory Certificate Services Elevation of Privilege Vulnerability

Figure 4. Critical vulnerability patched in October 2022

Critical Vulnerabilities in Microsoft Office and Azure Arc

Azure Arc is getting a patch for Critical vulnerability CVE-2022-37968, with a perfect CVSS of 10. Azure Arc-enabled Kubernetes allows you to attach and configure Kubernetes clusters running anywhere. As per the Microsoft Security Response Center (MSRC), an attacker that knows the randomly generated external DNS endpoint for an Azure Arc-enabled Kubernetes cluster can exploit this vulnerability from the internet, affecting the cluster connect feature of Azure Arc-enabled Kubernetes clusters. Keep in mind that auto-upgrade is enabled by default for CrowdStrike customers using Azure Arc; however, if you manually control your updates, action is required to upgrade to the latest version. 

CVE-2022-38048, a Microsoft Office RCE vulnerability, is a Critical bug with a CVSS of 7.8. Most Office vulnerabilities are rated Important since they involve user interaction — typically opening a file. An exception is when the Preview Pane is an attack vector, but Microsoft states it isn’t the case here. The rating is likely the result of the lack of warning dialogs when opening a specially crafted file. Either way, this is a use-after-free (UAF) vulnerability that could lead to passing an arbitrary pointer to a free call, making further memory corruption possible.

Rank CVSS Score CVE Description
Critical 10 CVE-2022-37968 Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability
Critical 7.8 CVE-2022-38048 Microsoft Office Remote Code Execution Vulnerability

Figure 5. Critical vulnerabilities in Azure Arc and MS Office

Critical Vulnerabilities Affecting Microsoft Word and PPTP 

CVE-2022-41031, a Critical vulnerability affecting Microsoft Word, is getting a patch this month. In this particular case, the Preview Pane is not an attack vector. The remaining Critical vulnerabilities affect Windows Point-to-Point Tunneling Protocol. If you’re still using it, consider migrating to a more modern (and secure) solution. To exploit these vulnerabilities, an attacker would need to send a specially crafted malicious PPTP packet to a PPTP server. This could result in remote code execution on the server side.

Rank CVSS Score CVE Description
Critical 8.1 CVE-2022-30198 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
Critical 8.1 CVE-2022-24504 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
Critical 8.1 CVE-2022-33634 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
Critical 8.1 CVE-2022-22035 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
Critical 8.1 CVE-2022-38047 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
Critical 8.1 CVE-2022-38000 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
Critical 8.1 CVE-2022-41081 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
Critical 7.8 CVE-2022-41031 Microsoft Word Remote Code Execution Vulnerability

Figure 6. Critical vulnerabilities in MS Word and PPTP

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists. 

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture. 

The CrowdStrike Falcon® platform collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

This video on Falcon Spotlight™ vulnerability management shows how you can quickly monitor and prioritize vulnerabilities within the systems and applications in your organization. 

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article

Additional Resources

The Anatomy of Wiper Malware, Part 4: Less Common “Helper” Techniques

14 October 2022 at 13:31

This is the fourth blog post in a four-part series. Read Part 1 | Part 2 | Part 3.

In Part 3, CrowdStrike’s Endpoint Protection Content Research Team covered the finer points of Input/Output Control (IOCTL) usage by various wipers. The fourth and final part of the wiper series covers some of the rarely used “helper” techniques implemented by wipers, which achieve secondary goals or facilitate a smaller portion of the wiping process.

Delete Volume Shadow Copies 

During ransomware attacks, many ransomware families will attempt to delete the shadow copies of the Windows OS. Out of all of the analyzed wiper families, only Meteor (with its Stardust/Comet variants) deletes shadow copies by either using Windows Management Instrumentation command-line utility wmic.exe or by calling the native Volume Shadow Copy Service Admin tool vssadmin.exe.

C:\Windows\Sysnative\wbem\wmic.exe shadowcopy delete

C:\Windows\Sysnative\vssadmin.exe delete shadows /all /quiet

In the case of families that use a third-party driver to wipe the sectors, it does not make sense to delete the VSS because their corresponding sectors will be wiped by the driver, rendering volume shadow copies unusable. 

An interesting approach seen in DriveSlayer is that it only disables the VSS service and doesn’t attempt to delete the snapshots. In order to stop the service, the wiper will open a handle to the Service Control Manager via OpenSCManager, grab a handle to the VSS service via OpenService, and make use of ChangeServiceConfig to disable the service and ControlService to stop it.

Figure 1. DriveSlayer disabling VSS service

Fill Empty Space

The IsaacWiper wiper creates a thread that tries to fill the unallocated space of the disk with random data in order to make recovery even more unlikely.

Figure 2. IsaacWiper pseudocode responsible for filling the empty space of the volume

This technique is implemented by first obtaining the amount of space available for a volume, using GetDiskFreeSpaceExW, and then creating a temporary file that grows in size until the disk is filled. The temporary file is filled with random data, written in blocks of size 0x1000.

Boot Configuration

Similar to a ransomware attack, Meteor wiper (with its Stardust/Comet variants) makes the operating system unbootable by changing the boot configuration of the infected machine. This can be done by either corrupting the system’s boot.ini file, or by using a series of bcdedit commands. The first one is used to identify configurations, while the latter is used to delete a specific entry.

C:\Windows\Sysnative\bcdedit.exe -v

C:\Windows\Sysnative\bcdedit.exe /delete {GUIDIDENTIFIER}  /f

Figure 3. Example of the how boot menu entries can be deleted using bcdedit

Active Directory Interaction

To keep the network online, the CaddyWiper and DoubleZero wiper families ensure that they do not run on a domain controller. In the code snippet below, CaddyWiper uses the DsRoleGetPrimaryDomainInformation API to determine if the victim machine is not a primary domain controller.

Figure 4. Determine if the machine is a domain controller via the DsRoleGetPrimaryDomainInformation API

However, Meteor wiper (and its Stardust/Comet variants) implements a different mechanism when interacting with the domain controller. This wiper unjoins the workstation from the domain using either a call to NetUnjoinDomain or using the following wmic command:

C:\Windows\System32\cmd.exe /c wmic computersystem where name="%computername%" call unjoindomainorworkgroup


Some malware authors choose not to implement an actual wiper module and instead use the default OS functionalities, accessible via a BAT file. For example, Apostle is dropping and executing the following script:

@echo off
del %systemdrive%\*.*/f/s/q
%windir%\system32\rundll32.exe advapi32.dll,ProcessIdleTasks
del %0

This script tries to recursively delete the files in system drive, then instructs Windows to process idle tasks, and finally issuing a self-delete command.

The Olympic wiper is one of the simplest samples we analyzed. It only used batch commands to achieve its goals. It deletes several extensions from the user directories, with each extension being deleted by its own “cmd.exe” process.

C:\Windows\system32\cmd.exe /c del /S /Q *.doc c:\users\%username%\ >  nul
C:\Windows\system32\cmd.exe /c del /S /Q *.docm c:\users\%username%\ > nul
C:\Windows\system32\cmd.exe /c del /S /Q *.docx c:\users\%username%\ > nul
C:\Windows\system32\cmd.exe /c del /S /Q *.dot c:\users\%username%\ >  nul
C:\Windows\system32\cmd.exe /c del /S /Q *.dotm c:\users\%username%\ > nul
C:\Windows\system32\cmd.exe /c del /S /Q *.dotx c:\users\%username%\ > nul
C:\Windows\system32\cmd.exe /c del /S /Q *.pdf c:\users\%username%\ >  nul
C:\Windows\system32\cmd.exe /c del /S /Q *.csv c:\users\%username%\ >  nul
C:\Windows\system32\cmd.exe /c del /S /Q *.xls c:\users\%username%\ >  nul
C:\Windows\system32\cmd.exe /c del /S /Q *.xlsx c:\users\%username%\ > nul
C:\Windows\system32\cmd.exe /c del /S /Q *.xlsm c:\users\%username%\ > nul
C:\Windows\system32\cmd.exe /c del /S /Q *.ppt c:\users\%username%\ >  nul
C:\Windows\system32\cmd.exe /c del /S /Q *.pptx c:\users\%username%\ > nul
C:\Windows\system32\cmd.exe /c del /S /Q *.pptm c:\users\%username%\ > nul
C:\Windows\system32\cmd.exe /c del /S /Q *.jtdc c:\users\%username%\ > nul
C:\Windows\system32\cmd.exe /c del /S /Q *.jttc c:\users\%username%\ > nul
C:\Windows\system32\cmd.exe /c del /S /Q *.jtd c:\users\%username%\ >  nul
C:\Windows\system32\cmd.exe /c del /S /Q *.jtt c:\users\%username%\ >  nul
C:\Windows\system32\cmd.exe /c del /S /Q *.txt c:\users\%username%\ >  nul
C:\Windows\system32\cmd.exe /c del /S /Q *.exe c:\users\%username%\ >  nul
C:\Windows\system32\cmd.exe /c del /S /Q *.log c:\users\%username%\ >  nul


After wiping the disk and files, some wipers will forcly reboot or shutdown the machine. Families like Apostle, DoubleZero, Destover, KillDisk and StoneDrill use the ExitWindowsEx API to reboot the system. The arguments of the API vary across wipers, but in the end the reboot/shutdown will cause the OS to not load.

Figure 5. Acquire shutdown privilege and shut down the machine seen in KillDisk

The Petya wiper variant implements a different approach, calling NtRaiseHardError instead of ExitWindowsEx.

Figure 6. Forcing operating system reboot by calling NtRaiseHardError with the 0xC0000350 error status

DriveSlayer is attempting to reboot the machine after a period of time. The wiper has a predefined value set for the Sleep call, but that can be changed by using command line arguments of the process. The reboot is achieved by calling InitiateSystemShutdownEx API with the following reasons/arguments: SHTDN_REASON_FLAG_PLANNED, SHTDN_REASON_MAJOR_OPERATINGSYSTEM, SHTDN_REASON_MINOR_INSTALLATION and SHTDN_REASON_MINOR_HOTFIX.

Figure 7. Another API used to reboot/shutdown the infected machine

Disable Crash Dumps

DriveSlayer is the only wiper that disables crash dumps from being generated by the operating system. These may provide additional information to a potential researcher in case the machine crashes due to a bug in the driver or malware.

To disable this feature, the wiper changes the following registry key value to 0x0 via the RegOpenKey and RegSetValue APIs:


Wiper, Ransomware or Both

Some malware authors decide to use the same source code to transition their malware from ransomware to wiper or vice versa. Another approach seen in the analyzed samples is to generate different variants of the malware, by improving the wiper, and/or fixing errors in the execution flow. There are a few approaches seen in the analyzed samples:

  • Apostle evolved from a wiper to ransomware, fixing bugs in the code and adding extra functionalities like changing background, dropping ransom notes, etc.
  • Petya generated a wiper variant from the known ransomware.
  • Meteor and KillDisk implement variations of the same code, but don’t change the scope of the malware.
  • Ordinypt masquerades as ransomware, deleting the files, replacing them with dummy ones and dropping a ransom note on the disk. However, the wiper has a logical bug that writes and then deletes its own ransom notes several times (as shown in Figure 8).

Figure 8. Screenshot demonstrating how Ordinypt wiper accidentally deletes its own ransom notes

Registry Wiping and Deletion

DoubleZero was the only analyzed sample that implemented a mechanism in which each registry value is set to 0x00 or empty string, followed by a deletion of the subkey tree via Windows APIs.

Figure 9. DoubleZero overwrites the registry keys


Over the last 10 years, the security industry has seen the use of wipers grow in popularity, notably for sabotage attacks (as illustrated by their use to target Ukraine in the spring of 2022). Although wipers share many features with ransomware, they differ in their ultimate objective. Rather than pursuit of financial gain, the objective of wipers is to destroy data beyond recoverability.

There are multiple ways wipers can achieve their goal, land wiper developers need to make a trade-off between speed and effectiveness when deleting data — the faster techniques may allow for data to be recovered, while the slower ones may allow the victim to intervene and stop the deletion process. Cybersecurity professionals can use different countermeasures and tools in order to recover the lost data. This has motivated wiper developers to increase effectiveness by overwriting files as well as raw disk sectors, in order to decrease recoverability options as much as possible. 

Over the years, wipers have not increased in complexity — instead, some only delete the user files and volume shadow copies, with the more advanced ones using legitimate kernel driver implants on the victim’s machine in order to proxy the entire wiping activity through them and to remain as undetectable as possible. Often, the final nail in the coffin is achieved by force rebooting the machine, combined with other techniques that completely eliminate any recovery options.

We have summarized the complex combinations of techniques observed across wiper families in the following table.

File Discovery All samples
File Overwrite / File System API CaddyWiper, DoubleZero, IsaacWiper, KillDisk, Meteor, Petya wiper, Shamoon, SQLShred, StoneDrill, and WhisperGate, Destover
File Overwrite / File IOCTL DoubleZero
File Overwrite / File Deletion Ordinypt, Olympic wiper and Apostle, Destover, KillDisk, Meteor, Shamoon, SQLShred, and StoneDrill
Drive Destruction / Disk Write IsaacWiper, KillDisk, Petya wiper variant, SQLShred, StoneDrill, WhisperGate, and DriveSlayer
Drive Destruction / Disk Drive IOCTL CaddyWiper
File contents / Overwrite with Same Byte Value CaddyWiper, DoubleZero, KillDisk, Meteor, and SQLShred
File contents / Overwrite with Random Bytes Destover, IsaacWiper, KillDisk, SQLShred and StoneDrill
File contents / Overwrite with Predefined Data Shamoon, IsraBye
Third Party Drivers / ElRawDisk Driver Destover, ZeroCleare, Dustman and Shamoon
Third Party Drivers / EPMNTDRV Driver DriveSlayer
IOCTL / Acquiring Information IsaacWiper, Petya wiper variant, Dustman or ZeroCleare
IOCTL / Volume Unmounting DriveSlayer, Petya, StoneDrill
IOCTL / Destroying All Disk Contents SQLShred
IOCTL / Overwriting Disk Clusters DriveSlayer
IOCTL / Data Fragmentation DriveSlayer
IOCTL / File Type Determination SQLShred
IOCTL / File Iteration DriveSlayer
Misc / Volume Shadow Copies Deletion Meteor
Misc / Fill Empty Space IsaacWiper
Misc / Boot Configuration Meteor
Misc / Active Directory Interaction CaddyWiper, DoubleZero, Meteor
Misc / Scripts Apostle, Olympic wiper
Misc / Reboot Apostle, DoubleZero, Destover, KillDisk, StoneDrill, Petya wiper, DriveSlayer
Misc / Disable Crash Dumps DriveSlayer
Misc / Wiper, Ransomware or Both Apostle, Petya, Meteor and KillDisk, Ordinypt
Misc / Registry Wiping and Deletion DoubleZero

How the Falcon Platform Offers Continuous Monitoring and Visibility

The CrowdStrike Falcon®® platform takes a layered approach to protecting workloads. Using on-sensor and cloud-based machine learning, behavior-based detection using indicators of attack (IOAs), and intelligence related to tactics, techniques and procedures (TTPs) employed by threat actors, the Falcon platform equips users with visibility, threat detection, automated protection and continuous monitoring for any environment, reducing the time to detect and mitigate threats.

The CrowdStrike Falcon® platform sets the new standard in cybersecurity. Watch this demo to see the Falcon platform in action.

Figure 10. Falcon UI screenshot showcasing detection of KillDisk by the Falcon sensor

Figure 11. Falcon UI screenshot showcasing detection of Olympic Wiper by the Falcon sensor

See for yourself how the industry-leading CrowdStrike Falcon® platform protects against modern threats like wipers and ransomware. Start your 15-day free trial today.


Wiper Name SHA256 Hash Value
Apostle 6fb07a9855edc862e59145aed973de9d459a6f45f17a8e779b95d4c55502dcce
CaddyWiper a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea
Destover e2ecec43da974db02f624ecadc94baf1d21fd1a5c4990c15863bb9929f781a0a
DoubleZero 3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe
DriveSlayer 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
Dustman f07b0c79a8c88a5760847226af277cf34ab5508394a58820db4db5a8d0340fc7
IsaacWiper 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033
IsraBye 5a209e40e0659b40d3d20899c00757fa33dc00ddcac38a3c8df004ab9051de0d
KillDisk 8a81a1d0fae933862b51f63064069aa5af3854763f5edc29c997964de5e284e5
Meteor and Comet/Stardust 2aa6e42cb33ec3c132ffce425a92dfdb5e29d8ac112631aec068c8a78314d49b
Ordinypt ​​085256b114079911b64f5826165f85a28a2a4ddc2ce0d935fa8545651ce5ab09
Petya 0f732bc1ed57a052fecd19ad98428eb8cc42e6a53af86d465b004994342a2366
Shamoon e2ecec43da974db02f624ecadc94baf1d21fd1a5c4990c15863bb9929f781a0a
SQLShred/Agrius 18c92f23b646eb85d67a890296000212091f930b1fe9e92033f123be3581a90f
StoneDrill 62aabce7a5741a9270cddac49cd1d715305c1d0505e620bbeaec6ff9b6fd0260
Tokyo Olympic wiper fb80dab592c5b2a1dcaaf69981c6d4ee7dbf6c1f25247e2ab648d4d0dc115a97
WhisperGate a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92
ZeroCleare becb74a8a71a324c78625aa589e77631633d0f15af1473dfe34eca06e7ec6b86

Additional Resources

Do You Know Who’s in Your Cloud? Preventing Identity-Based Threats with CIEM

18 October 2022 at 17:02

As organizations continue to shift to multi-cloud environments and increasingly use cloud services for application development, new challenges emerge that require dramatic changes in the delivery and practice of cybersecurity. 

Notably, Gartner predicts that inadequate management of identities, access and privileges will cause 75% of cloud security failures by 2023.1 Though public cloud service providers are working to minimize vulnerabilities and strengthen defenses against cloud threats, the customer is ultimately responsible for securing identities and data.

Here lie the challenges for security teams: Cloud-native apps are difficult to secure without a complex set of overlapping tools spanning the development lifecycle, and fragmented cloud security approaches and tools increase complexity, costs and the likelihood of misconfigurations that can lead to breaches. DevSecOps teams often struggle to coordinate the use of these disparate security tools, resulting in blind spots and a limited view of cyber risk.

Identities Are the New Security Perimeter

As the state of cloud infrastructure and use of different architectures constantly evolve, figuring out what or who is in your environment while establishing a baseline for what normal looks like can seem an impossible task. Identity and access management (IAM) for cloud infrastructure is intended to control how cloud identities take action on specific resources, but defining roles and permissions using the principles of least privilege is challenging in hybrid environments. 

Key challenges include:

  • The overwhelming number of machine identities, which outnumber human identities, leading to thousands of identities and resources to manage.
  • Limited visibility and inconsistent entitlements across complex hybrid and multi-cloud environments make enforcing least-privileged access difficult.
  • Unique IAM policy models and taxonomy across public cloud service providers (CSPs).

Traditional approaches to preventing identity-based threats fail to address the cloud’s unique security challenges due to its ephemeral nature. To practice Zero Trust and the principle of least privilege in the cloud, compliance and security teams need cloud infrastructure entitlement management (CIEM) capabilities to help continuously enforce policies and monitor and maintain your identity security posture across cloud accounts and resources.

The CrowdStrike Falcon® platform sets the new standard in cloud security and identity protection. Watch this demo to see the Falcon platform in action.

CrowdStrike Introduces CIEM for AWS and Azure to Address New Requirements for Securing Identities Across Hybrid Environments

CrowdStrike Falcon® Horizon™, CrowdStrike’s market-leading cloud security posture management (CSPM) solution, now provides integrated CIEM capabilities that deliver a single-source-of-truth for monitoring, discovering and securing identities across multi-cloud environments in a single platform. Security and identity teams can prevent identity-based threats resulting from improperly configured cloud entitlements across AWS and Azure. Uniquely, as part of CrowdStrike’s broader CNAPP offering, we deliver comprehensive cloud security, combining agent-based and agentless protection in a single, unified platform experience.

With Falcon Horizon you gain access to the full inventory of permissions, detect overly permissive accounts, continuously monitor activity and ensure least privilege enforcement.

(Click to enlarge)

What’s New

Falcon Horizon now enables you to:

Unify visibility and least-privilege enforcement in public and multi-cloud environments 

  • Access a single source of truth: Get up and running in minutes and access a single dashboard for all cloud assets, identities and security configurations.
  • Simplify privileged access management and policy enforcement: Manage and enforce identities and permissions across AWS and Azure.
  • Identify and investigate cloud entitlements: Detect risky permissions, and remove unwanted access to cloud resources including identity misconfigurations and cloud entitlements to achieve least-privilege. 

Continuously detect and remediate identity-based threats in public and multi-cloud environments 

  • Prevent identity-based threats at scale: Secure cloud identities and permissions, detect account compromises, prevent identity misconfigurations, stolen access keys, insider threats and malicious activity. 
  • Secure Azure Active Directory: Ensure Azure AD groups, users and apps have the correct permissions using new Identity Analyzer reports.
  • One-click remediation testing: Simulate remediation tactics to understand outcomes and ensure confidence by performing a dry run prior to deployment.

Stop the most sophisticated attacks across hybrid environments

  • Predict and prevent modern threats: Ensure real-time cloud workload protection via CrowdStrike Threat Graph®, which provides full visibility of attacks and automatically prevents threats in real time for any hybrid environment across CrowdStrike’s global customer base.
  • Access enriched threat intelligence to supercharge investigations: Get deeper context for faster investigation and more effective response for cloud-based attacks with a visual representation of relationships across account roles, workloads and APIs. 
  • Accelerate response: Arm your responders in real time via the Falcon platform, empowering incident responders to focus on what matters most, understand threats and act decisively to stop cloud breaches.

Get rich cloud asset visualization powered by CrowdStrike Asset Graph

  • See and secure cloud identities and entitlements: Gain complete visibility into cloud resources, and understand the relationships between access and permissions automatically. 
  • Optimize cloud implementations: Perform real-time point queries for rapid response, as well as broader analytical queries for asset management and security posture optimization. 
  • Mitigate risks across the attack surface: Get 360-degree visibility into your organization’s assets and their interdependencies across hosts, configurations, identities and applications.

See for yourself how the industry-leading CrowdStrike Falcon® platform protects your cloud environments. Start your 15-day free trial today.

Additional Resources


  • Gartner, Managing Privileged Access in Cloud Infrastructure, Paul Mezzera, Refreshed December 7, 2021, Published June 9, 2020. (GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.)

Why Your Small Business Needs to Rethink Its Cybersecurity Strategy

18 October 2022 at 19:49

Cybercrime is a big problem for small businesses, and the risk of advanced threats continues to grow. This Cybersecurity Awareness Month, learn how to protect your SMB or nonprofit from attacks that threaten the business. 

The cybersecurity threat to small- and medium-sized businesses (SMBs) continues to grow as cybercriminals recognize how vulnerable they can be, and the potential value of the data they have. Today’s attackers have their sights set on SMBs and nonprofit organizations — and the consequences can be devastating as the cost of these incidents rises into the millions. The proof is in the numbers: 

It’s time for SMBs to rethink and upgrade their security strategies to defend against today’s threats. These organizations often lack a dedicated cybersecurity team, as well as the modern security technology, skills and resources needed to defend against advanced threats. This is a growing concern because SMBs hold sensitive and valuable data: employee and customer records, intellectual property, financial transaction data, and access to business finances and larger networks are all essential to their success.  

October is Cybersecurity Awareness Month. This year’s theme is “See Yourself in Cyber,” a reminder that everyone has a part to play in keeping organizations safe from security threats.  While security can be a challenge for small businesses, CrowdStrike is ready to help with industry-leading products built to accelerate your SMB’s cybersecurity strategy: In an upcoming webinar, we’ll explore the many ways small businesses can strengthen their security posture with limited resources.

Legacy Tech Is No Match for Modern Attackers

Many small businesses and nonprofits are aware of cybersecurity risks and have installed antivirus tools to keep cybercriminals at bay. Unfortunately, these products are no match for human-engineered threats such as social attacks, in which a target is manipulated into giving the attacker what they want, or identity-based attacks in which intruders use stolen identity and account information to access systems and resources while appearing as legitimate users. 

The 2022 Falcon OverWatch Threat Hunting Report found 71% of breaches were malware-free, underscoring the prevalence of these more subtle attacks and cybercriminals’ growing preference for techniques that evade antivirus software products. Once they have a foothold in your environment, attackers can then move throughout your organization to compromise additional systems, exfiltrate data, launch a ransomware attack or take other nefarious actions. This is possible with the use of legitimate employee credentials or exploits for unpatched vulnerabilities.

Here are a few best practices that can fortify your security defenses: 

  • Enforce multifactor authentication (MFA): As identity becomes a critical component to cyberattacks, MFA provides an extra layer of defense so you can be sure it’s an employee, and not an attacker, gaining access to systems and resources. 
  • Perform regular backups of critical data: If a breach hits your small business, you’ll be glad you backed up your data either on-premises or in the cloud. It’s worth noting an attacker may encrypt backups if they gain access to your systems, so it’s critical to create a strong defense. 
  • Keep up with software patches: Data breaches often start when an attacker exploits an unpatched vulnerability. Keeping software up-to-date ensures this vector is blocked. The US Cybersecurity and Infrastructure Security Agency has an updated list of known exploited security flaws
  • Invest in stronger cybersecurity protection: A smaller employee headcount shouldn’t put your business at greater risk of cyberattack, and small businesses don’t have to face big threats alone. Now through the end of October 2022, you can save big on select CrowdStrike products and services. Register for our webinar, “Major Protection for Your Small Business,” to unlock enterprise level-protection and support at a price your SMB can afford. 

Cybersecurity is a big challenge for SMBs, but it is possible to build a strong security posture at a reasonable cost. Rethinking your security strategy and upgrading your defenses now can make a tremendous difference in getting through a cyberattack if disaster strikes.

The CrowdStrike Falcon® platform sets the new standard in cybersecurity for SMBs. Watch this demo to see the Falcon platform in action.

Additional Resources

CrowdStrike’s Cloud Security and Observability Capabilities to Be Showcased at KubeCon + CloudNativeCon North America 2022

19 October 2022 at 20:22

KubeCon + CloudNativeCon North America 2022 is happening next week, and we’re excited to showcase our industry leading cloud-native application protection platform (CNAPP) capabilities and observability technology. The conference, Oct. 24-28 in Detroit, will gather adopters, technologists and developers from leading open-source and cloud-native communities around the globe.   

CrowdStrike CNAPP Capabilities on Display

The CrowdStrike Falcon® platform enables developers to build safely and deploy apps faster with DevOps-ready security. Our unique approach combines agent-based and agentless application security, which includes cloud workload protection (CWP), cloud security posture management (CSPM) and cloud infrastructure entitlement management (CIEM), as part of our comprehensive CNAPP capabilities. It protects workloads, such as containers and Kubernetes during production and runtime, while enabling DevOps to automatically assess risk, resolve violations and automate security posture. 

The CrowdStrike Falcon platform sets the new standard in cloud security. Watch this demo to see the Falcon platform in action.

CrowdStrike’s CNAPP capabilities reduce the attack surface and ensures that only secure apps make it to production. It integrates directly into existing developer and cloud-native tools, turning DevOps into a security force multiplier, while improving application security and compliance, and extending runtime protection. The solution also offers DevSecOps observability to investigate threats by combining hundreds of thousands of log data with intelligence, to deliver actionable insights and minimizing alert fatigue. 

Security for a long time has been perceived as a roadblock that slows the process of production and delivery of applications. Yet, experts share that when security is properly integrated into the CI/CD pipeline, it actually expedites the process by minimizing test failures and expediting delivery.  

Key CNAPP features we’ll highlight at the conference: 

  • Automated remediation workflow, providing the security context and response actions needed to fix critical issues faster with both guided and automated remediation.
  • Image registry scanning, enabling the identification of hidden threats, embedded secrets and configuration issues to reduce the attack surface and secure CI/CD pipelines.
  • Software composition analysis, improving application security and compliance by detecting and remediating vulnerabilities in open-source components in the application codebase.

See for yourself how the industry-leading CrowdStrike Falcon platform secures applications, workloads and cloud environments, enabling faster and more efficient app delivery and runtime. Schedule a demo today

Converging Security and Observability

We’ll also be showcasing CrowdStrike Falcon LogScale™, our centralized observability and log management technology. Falcon LogScale, previously known as Humio, allows organizations to make data-driven decisions about the performance, security and resiliency of their IT environment. As the most scalable log management platform on the planet, Falcon LogScale enhances observability for all log and event data by making it fast and easy to explore critical log information, eliminate blind spots and find the root cause of any incident. We’re also a proud sponsor of the OpenTelemetry community’s unconference — a one-day, co-located event the day before KubeCon starts.

Falcon LogScale streamlines IT operations by ingesting, analyzing and retaining all log and event data at petabyte scale. The technology minimizes the computing and storage resources required to ingest, search, transform and retain log data. As a result, Falcon LogScale offers a low total cost of ownership while allowing organizations to eliminate IT system blind spots and identify potential threats with sub-second search latency.

See You Next Week at KubeCon 2022

If you’re obsessed with DevOps, speed, agility and application security, and want to build and showcase reliable, secure and safe apps, we invite you to visit our booths. We’ll show you how CrowdStrike can help you secure your apps and infrastructure from build to delivery to runtime, without disrupting your workflow. 

Find us at booths #G18 (Cloud Security) and #S111 (Falcon LogScale). We look forward to meeting you there!

Additional Resources

CrowdStrike and Google Chrome: Building an Integrated Ecosystem to Secure Your Enterprise Using the Power of Log Management

20 October 2022 at 08:33

Organizations today face an onslaught of attacks across devices, identity and cloud workloads. The more security telemetry an organization has to work with, the better threat hunters can contextualize events to find and remediate potential threats.

Google recently announced Chrome Enterprise Connectors Framework, a collection of plug-and-play integrations with industry-leading security solution providers. The framework includes three categories: 

  1. Identity and Access
  2. Endpoint Management
  3. Security Insights and Reporting

CrowdStrike is pleased to announce that we’ve been included as a Chrome Enterprise Recommended Partner that will contribute to this framework. As a first step, we’ve developed an integration for the Security Insights and Reporting category to help customers derive even more value from the CrowdStrike Falcon® platform. 

The integration leverages our centralized log management and observability solution, CrowdStrike Falcon LogScale. Formerly known as Humio, Falcon LogScale is a CrowdStrike module that allows organizations to ingest, search, transform and retain all of their log data. ​​Built using a unique index-free architecture and advanced compression technology that minimizes hardware requirements, Falcon LogScale enables DevOps, ITOps and SecOps teams to aggregate, correlate and search live log data with sub-second latency — all at a lower total cost of ownership than legacy platforms.

Innovation via Collaboration

CrowdStrike and Google have a rich history of collaboration, including last year’s Google Work Safer program to bolster security for hybrid and remote workers. With this latest collaboration, organizations can get additional visibility into managed Chrome Enterprise browsers and devices using Falcon LogScale and Google’s Chrome Enterprise Connector Framework. 

This integration provides joint customers: 

  • The ability to correlate Chrome security events with CrowdStrike Falcon Host and Intelligence data in Falcon LogScale for enhanced threat hunting.
  • A pathway to easily port Managed Chrome browser and ChromeOS security events into the CrowdStrike Security Cloud for added threat context.
  • Automated notifications and remediations using Falcon LogScale’s built-in actions such as webhooks enabling security operations and incident response functions.
  • Enhanced security in certain instances that previously weren’t protected or CrowdStrike Falcon agents weren’t deployed.

Get Started with the Integration

To take advantage of the integration, organizations will need a cloud-managed Chrome browser or Chrome device and connect the data feed to Falcon LogScale’s HEC endpoint API.

If you’re a Falcon LogScale customer, this integration provides even more security telemetry for you to correlate with other data sources. After all, the more context you can add to potential security incidents, the better your investigations and threat hunts. 

Additional Resources 

Playing Hide-and-Seek with Ransomware, Part 2

21 October 2022 at 11:21

In Part 1, we explained what Intel SGX enclaves are and how they benefit ransomware authors. In Part 2, we explore a hypothetical step-by-step implementation and outline the limitations of this method.

Watch this live attack demo to see how the CrowdStrike Falcon® platform and the CrowdStrike Falcon Complete™ managed detection and response team protect against ransomware. 


In this section, we build out a step-by-step example of a ransomware that uses enclaves for asymmetric encryption. The ransomware is divided into two parts:

  • The enclave, which is in charge of cryptographic operations, such as keys generation
  • The untrusted area, where the regular core of the application is responsible for the enclave load, file opening and writing operations

Extracts of code presented here will be coming from the regular core of the application (main.c) or from the enclave (enclave.c). The enclave will generate a pair of RSA keys, seal the private key and encrypt the victim’s data inside the enclave using the Intel SGX API. Let’s take a look at how this is done and how the core of the application interacts with the enclave.


First, the regular core of the application initializes the resources required for the ransomware execution, including creating and setting up the enclave. To load the enclave, we use the function sgx_create_enclave(), from sgx_urts.lib.1 The function prototype is:

sgx_status_t sgx_create_enclave (
                        const char *file_name, const int debug,
                        sgx_launch_token_t *launch_token,
                        int *launch_token_updated,
                        sgx_enclave_id_t *enclave_id,
                        sgx_misc_attribute_t *misc_attr 

Arguments of this function represent some of the enclave attributes, such as the compilation mode or information about previous loads. For instance, sgx_launch_token_t is an opaque structure that represents the enclave launch token. The token information holds information about the enclave throughout its execution and can be saved to facilitate future loads of the enclave.

Figure 1. Extract of code creating the enclave (Click to enlarge)

Once the enclave is loaded, the regular core of the application can execute an ECALL to start the key generation process. 

Key Generation

Inside the enclave, the key generation is based on the Intel SGX SDK dubbed sgx_tcrypto.lib. This is a documented API that can be directly called from the enclave. Under the hood, the API is based on other cryptographic libraries developed by Intel: the Integrated Performance Primitives (Intel® IPP) and the Intel® Software Guard Extensions SSL cryptographic library (Intel® SGX SSL),2 both of which are based on OpenSSL. 

The first step in this process is to generate RSA components for the private and the public keys from the enclave using the function sgx_create_rsa_key_pair(). This is a preliminary call, performed prior to the function calls that create keys, used in order to generate components that comply with the predefined RSA key modulus size and public exponent.

Figure 2. Extract of code generating the RSA keys components (Click to enlarge)

From these RSA key components, we use the function sgx_create_rsa_pub1_key() to generate the RSA public key that will be used to encrypt the victim’s files.

Figure 3. Extract of code creating the RSA public key (Click to enlarge)

Sealing the Private Key

The next logical step-up would typically be to generate the private key, as we did with  the public key. In this case, however, we don’t yet need the private key, as the private key will only be used for deciphering purposes, should the victim comply with the demands of the ransomware authors. At this time, we just need to safely store and hide the private key components to allow for future retrieval. To this end, we use the data sealing method to ensure that the private key can be written and stored encrypted on disk, without ever appearing as clear-text in the OS regular memory. 

One way we could do this is by generating the private key and then sealing it directly on disk, but we won’t proceed this way. Consider the function prototype from the Intel SGX SDK3 that generates the private key shown below.

sgx_status_t sgx_create_rsa_priv2_key( 
                        int mod_size, 
                        int exp_size, 
                        const unsigned char *p_rsa_key_e, 
                        const unsigned char *p_rsa_key_p, 
                        const unsigned char *p_rsa_key_q, 
                        const unsigned char *p_rsa_key_dmp1, 
                        const unsigned char *p_rsa_key_dmq1, 
                        const unsigned char *p_rsa_key_iqmp, 
                        void **new_pri_key2 

Note that the private key value is written onto a void** but under the hood, the actual structure used is an EVP_PKEY structure, a complex structure that originates from the OpenSSL library.

Figure 4. Extract of code defining the EVP_PKEY structure, from openssl library (Click to enlarge)

Therefore, if we wanted to seal the private key, we would need to use the EVP_PKEY structure. Nonetheless, enclave’s development architecture is not designed to readily import external libraries, so using the Open SSL library directly would be cumbersome. Otherwise, we could attempt to recreate the structure from scratch, but this would require several  parsing operations. Given the complexity of storing the private key in the appropriate structure, it is much easier to save the private key components and build the private key at a later stage. To support this process, we created a structure to collect the private key components.

Figure 5. Extract of code defining the PrivateKey structure (Click to enlarge)

We now have the means to seal the private key components for a potential future decryption. We’ll use the same values produced when we generated the key components, and assign them to the appropriate fields in our custom PrivKeyComp structure. Once the structure is correctly set up, we can seal the private key components with sgx_seal_data_ex(), from sgx_tservice.lib.4

Figure 6. Extract of code sealing the RSA private key components (Click to enlarge)

Here, we use sgx_seal_data_ex(), the extended version of sgx_seal_data(), which allows us to use the MRENCLAVE policy. We chose this policy because it guarantees that other enclaves signed by the same enclave’s authors won’t be able to access the sealed data. Should the attacker’s enclave signature be stolen, it could be used to unseal the data.

Once sealed, the private key components can be returned to the regular core of the application and written on disk.


From this point, we have two options for encrypting the victim’s data. The first option is to return the public key to the regular core of the application and to encrypt the victim’s files outside of the enclave. The other option is to keep the public key inside the enclave and use functions from the Intel SGX API to encrypt the victim’s data. The latter is more complex than a classic encryption process outside of the enclave, but we’ll use this method to demonstrate possibilities of SGX programming.

The untrusted part of the application is in charge of opening and reading the victim’s file. To get the encrypted data that will be generated within the enclave, we need to initialize the output buffer in the regular core of the application. Otherwise, the buffer generated within the protected memory won’t be able to be sent to the untrusted space.

The encryption is done with the function sgx_rsa_pub_encrypt_sha256(), which performs a RSA-OAEP encryption scheme with SHA-256. This computes an encryption and an encoding operation for buffers, which is limited to the size of the RSA modulus n, and results in a buffer of the same length. In this case, given a RSA modulus n of 256 bytes, the output buffer of sgx_rsa_pub_encrypt_sha256()will be 256 bytes long.5 As such, we allocate a buffer of 256 bytes for the output buffer that will hold the encrypted data. 

Next, we’ll send this output buffer with the buffer containing the data to encrypt.

Figure 7. Extract of code encrypting a file’s content, from the main (Click to enlarge)

The enclave receives the buffers and uses the public key that has been generated previously to perform the encryption. This is done in three steps. The first step is calling  sgx_rsa_pub_encrypt_sha256() to get the size of the resulting encrypted buffer. Once the size is returned, we check that it corresponds to 256 bytes (the size we allocated to the output buffer). If it matches, we perform a second call to sgx_rsa_pub_encrypt_sha256() to get the encrypted data in the output buffer.

Figure 8. Extract of code encrypting a file’s content, from the enclave (Click to enlarge)

Finally, the regular core of the application overrides the original file content with the encrypted content, returned from the enclave.

Unsealing and Decryption 

The same logic applies to the decryption process. The sealed data is sent to the enclave, which unseals it with sgx_unseal_data()and stores the private key components in the PrivKeyComp global variable. Encrypted data is sent to the enclave, builds the private key using the global variable PrivKeyComp as parameters for sgx_create_rsa_priv2_key(), and then decrypts the data with the function sgx_rsa_priv_decrypt_sha256(). The deciphered data is then returned to the regular core of the application, which overrides encrypted files with the original clear-text.

SGX’s Operational Limits 

As we’ve established, using enclaves has considerable benefits such as ensuring that targets of ransomware won’t be able to retrieve their deciphering keys. However, this tactic also has considerable limitations, which account for its limited prevalence in ransomware attacks. 

Hardware Requirements

First, enclaves have strict hardware specifications. Since SGX is a proprietary technology, it requires an Intel CPU. Although AMD has an equivalent technology called ARM TrustZone, code compiled based on Intel SGX libraries will not work on non-Intel CPUs. Furthermore, only certain Intel CPU models support SGX, as Intel has deprecated the feature for the 11th and 12th core processor desktop generations.6 As a final hardware requirement, the Intel SGX feature needs to be enabled from the BIOS, which is not done by default.

Given all of these requirements, the probability that a targeted system can execute a  binary using enclaves is very low. What’s more, as the SGX technology use might not be enabled on every infected system, the chances of successfully infecting a target are considerably low, especially in comparison to more common ransomware methods.

Signature Requirements

​​Earlier in this blog, we explained that enclaves need to complete a verification process to be compiled in release mode. Nonetheless, an enclave compiled in debug mode can still be executed on an Intel SGX-enabled machine if the required libraries are imported with the malicious binary. The size of the binaries required for the attack would be much bigger than that of a classic ransomware binary, but such a scenario is plausible.

Moreover, if attackers intend to use an enclave in release mode, they might go undetected by the Intel verification process if the enclave only appears to generate a pair of RSA keys, and receive buffers to encrypt and seal data. In such a situation, how would Intel determine whether the enclave serves malicious purposes?

Researchers from Graz University of Technology claim that “Intel does not inspect and sign individual enclaves but rather white-lists signature keys to be used at the discretion of enclave developers for signing arbitrary enclaves.”7 They cite the example of an independent student that has successfully completed Intel’s process to get a signing key. This raises the question of whether malware authors could use enclaves by going through Intel’s allowlisting process.  

Another possibility for ransomware authors would be to steal a legitimate signature. This adds another level of complexity to the attack, but it has been done in the past. In this case, as soon as the attack is detected and reported to Intel, Intel revokes the enclave signature used from the allowlist, preventing the malicious enclave from loading. Whether the signature is stolen or acquired legitimately, the risk of discovery quickly grows as soon as the ransomware campaign is underway, raising the issue of the signature’s validity lifetime.

To provide more flexibility in the use of enclaves, in 2018 Intel released the flexible launch control alternative.8 This feature allows third parties to control which enclaves can be loaded on appropriately configured machines, bypassing the Intel verification process. It requires the targeted machines to support and enable the flexible launch control feature, configured in each machine’s BIOS. This approach requires having access to the BIOS prior to the infection and having administrator’s rights to configure the environment, both of which add complexity to the attack.

Surely but Slowly

Within the enclave, code is executed in a specific context, which results in a slower execution than in a regular OS environment. The longer the ransomware takes to execute, the more likely the user will be alerted to suspicious activity and have time to react to it, further jeopardizing the chances of conducting a successful attack.

Vulnerabilities to Side Channel Attacks

Intel does not consider side channel attacks as part of the SGX threat model. The  Intel® Software Guard Extensions Developer Guide9 states, “Intel SGX does not provide explicit protection from side-channel attacks. It is the enclave developer’s responsibility to address side-channel attack concerns.”

This implies that there are ways to observe what is happening inside an enclave and thus potentially intercept the deciphering key, further underscoring that using enclaves is far from foolproof and has been successfully leaked in the past, which is discussed in the paper “SGAxe: How SGX Fails in Practice.”10

Safety of the Sealed Private Key

There are also limits to the safety of the sealed key written on disk. 

Intel’s Developer guide states, “Enclaves, regardless of the number of trusted threads defined, must not be designed with the assumption that the untrusted application will invoke the ISV interface functions following a specific order. Once the enclave is initialized, an attacker may invoke any ISV interface function, arrange the calls in any order and provide any input parameters. Keep these ploys in mind to prevent opening an enclave up to attacks.”11 

A recent question on Intel’s community forum posed whether different applications use the same enclave, to which Intel replied, “There is no built-in way to prevent one untrusted app from loading another’s enclave.”12 As such, should forensic investigators retrieve the enclave binary used in a ransomware attack and the sealed private key, they might be able to recreate an application that interacts with the enclave to make it unseal the private key, at the very least in debug mode. 

In practice, creating such an application requires importing the enclave .edl file, containing the ECALLs definition. Since it is unlikely that this file would be imported in the attack’s binaries, the only option would be to reconstitute the .edl file, which could be further complicated should attackers obfuscate the enclave binaries.

In a scenario where the private key has been sealed using the MRSIGNER policy, the safety of the sealed key is in even greater question. If forensic investigators are able to retrieve the enclave author’s signature, they could recreate an enclave similarly signed with Intel’s support and make this new enclave unseal the data. Indeed, since the data was sealed using the enclave author’s signature, another enclave with the same signature would be able to unseal it. 

While each of these limitations adds constraints to the attack, they can all still be  mitigated. Having the SGX feature enabled can be bypassed with a few pre-infection steps. To facilitate the use of enclaves, Intel released an activation app13 that allows users to enable Intel SGX on compatible Intel Core based processor-based platforms, simply by clicking on the “Activate” button, as shown in Figure 9. The application needs to be run with administrator privileges, but a social engineering approach could easily make a victim click on one button from a legitimate application.

Figure 9. Screenshot of the Intel® Software Guard Extensions Activation App (Click to enlarge)

Once the targeted system has the Intel SGX feature enabled, an attacker could bypass signature requirements by using an enclave binary compiled in debug mode to embed dependencies in the attack. To accelerate the execution of their code, they could use a multi-threading implementation or an externalized encryption process within the regular core of the application. Furthermore, if the enclave binary is completely removed from the infected system after the attack, the attacker can be confident that the sealed private key won’t be unsealed until they allow it. Finally, it is very unlikely that side-channel attacks would be set up prior to infection, making it highly improbable that these would successfully thwart a ransomware attack using enclaves. 


The Intel SGX technology offers developers a unique opportunity to protect their code. We reviewed how the architecture of enclaves provides an environment that is conducive to protecting sensitive data and embeds different mechanisms to safely manipulate it, such as with sealing. 

Although this can be beneficial in day-to-day operations, it can also be exploited for malicious purposes, as we saw with the case of cryptographic key management by ransomware authors. Enclaves allow ransomware authors to safely and securely generate cryptographic keys, preventing victims of attacks from leveraging two of the most common scenarios ransomware authors want to avoid: retrieving deciphering keys and preventing infection with offline targets.

The low prevalence of enclave use by ransomware is largely due to the technical limitations imposed by the Intel SGX. Its hardware requirements and deprecation for future CPU generations reduce the chances that targeted systems will be able to meet all of the conditions required for the enclave execution. Furthermore, releasing an enclave in production mode requires going through Intel’s signing process, which, if completed successfully, results in a signature that can be quickly revoked overnight, further reducing the ransomware’s chances of successful execution.

As we have demonstrated, ransomware authors can’t rely exclusively on enclaves to orchestrate attacks but may benefit from their use for cryptographic key management. As there are legitimate uses for enclaves, a preventative approach to these ransomware attacks should not exclusively rely on the detection of an enclave’s load. 

As part of our commitment to enabling customers to have continuous visibility across their organization, the CrowdStrike Falcon sensor has visibility on the use of enclaves and uses this data alongside event telemetry to determine whether a process is malicious and to respond to detected threats. In the end, an enclave is just a clue — nothing more, nothing less.

See for yourself how the industry-leading CrowdStrike Falcon platform protects against modern threats like ransomware. Start your 15-day free trial today.

Additional Resources


  1. “Intel® Software Guard Extensions SDK for Windows* OS Developer reference,” revision 2.7, March 2020
  2. “Intel® Software Guard Extensions SDK for Windows* OS Developer reference,” revision 2.7, March 2020
  3. “Intel® Software Guard Extensions SDK for Windows* OS Developer reference,” revision 2.7, March 2020
  4. “Intel® Software Guard Extensions SDK for Windows* OS Developer reference,” revision 2.7, March 2020
  5. RSA Cryptography Specifications Version 2.2, November 2016, IEETF 
  6. 11th Generation Intel® Core™ Processor Desktop, Datasheet, Volume 1 of 2, Rev 004, May 2022
  7. Michael Schwarz, Samuel Weiser, Daniel Gruss, “Practical Enclave Malware with Intel SGX,” 2019
  8. Intel, 2018
  9. Intel® Software Guard Extensions (Intel® SGX) Developer Guide,revision 2.7, page 51, March 2020
  10. Stephan van Schaik, Andrew Kwong, Daniel Genkin, Yuval Yarom, SGAxe: How SGX Fails in Practice,” 2020
  11. Intel® Software Guard Extensions (Intel® SGX) Developer Guide, revision 2.7, page 51, March 2020
  12. Intel’s communities forum, 2017
  13. Intel Software Guard Extensions Activation App, Microsoft Store

CrowdStrike Advances to Research Partner with MITRE Engenuity Center for Threat-Informed Defense to Help Lead the Future of Cyber Defense

21 October 2022 at 20:30
  • CrowdStrike is deepening its commitment to advancing the security ecosystem leading the future of protection by becoming a top-tier partner in the MITRE Center for Threat-Informed Defense research program.
  • CrowdStrike’s adversary-centric approach and technology leadership can help change the game on adversaries, turning state-of-the-art threat defense into a state of practice.

CrowdStrike is now a Research Partner with the MITRE Engenuity Center for Threat-Informed Defense, joining a select list of cybersecurity companies and research foundations to take a hands-on approach to transforming state-of-the-art, threat-informed defense against sophisticated adversaries into a state of practice for organizations. Building on its previous role as Research Sponsor, CrowdStrike is reaffirming its commitment to fostering an open and collaborative security ecosystem. 

By investing in the Center’s collaborative R&D program and working with ecosystem partners to advance its research in the public interest, CrowdStrike is allied in a common cause to shape the future of threat-informed defense and help organizations improve the visibility and understanding of sophisticated adversaries and threats.

CrowdStrike Adversary-Focused Approach to Security Advances Threat-Informed Defense

Behind every attack is a human adversary with motivation and intent. Understanding the adversary, their tradecraft and techniques, and how they are most likely to target an organization, is critical to a threat-informed defense. CrowdStrike is a pioneer in threat actor profiling and attribution and uses this industry-leading threat intelligence to enrich the trillions of security events captured in the CrowdStrike Security Cloud.

The market-leading CrowdStrike Falcon® platform applies advanced machine learning (ML), artificial intelligence (AI) and deep analytics to this enriched telemetry to automatically prevent known attack methods and intrusions, while identifying new and unknown malicious activity and delivering proactive measures to stop the attack before it executes.

CrowdStrike has shared this expert knowledge in past Center research projects to guide and support the advancement of state-of-the-art, threat-informed defense in the public interest.

The industry-leading CrowdStrike Falcon platform sets the new standard in cybersecurity. Watch this demo to see the Falcon platform in action.

CrowdStrike has been a long-time and active collaborator with the Center. As a Research Sponsor in past projects, CrowdStrike offered expertise derived from securing cloud infrastructures to advance cloud analytics for identifying adversary behavior, leveraged experience to guide research on real-world insider threat techniques and provided understanding of real-world adversary techniques to contribute to the Center’s research that revealed the top ATT&CK techniques defender should prioritize.

See for yourself how the industry-leading CrowdStrike Falcon platform protects against modern threats like wipers and ransomware. Start your 15-day free trial today.

CrowdStrike’s Work with the Center for Threat-Informed Defense Moving Forward

By elevating to Research Partner, CrowdStrike will continue to deepen this collaboration with the Center for Threat-Informed Defense, funding research and leveraging our adversary-focused expertise and our understanding of securing cloud infrastructures and stopping cloud breaches to help organizations advance their defenses against cyberattacks.

Additional Resources

CrowdStrike Falcon Platform Achieves 100% Ransomware Prevention with Zero False Positives, Wins AAA Enterprise Advanced Security Award from SE Labs

25 October 2022 at 07:31
  • The CrowdStrike Falcon® platform achieved 100% protection accuracy and 100% legitimacy accuracy with zero false positives, winning SE Labs’ first-ever endpoint detection and response (EDR) ransomware detection and protection test
  • The Falcon platform detected and blocked 100% of ransomware files during testing, which involved both direct attacks with 270 ransomware variations and deep attack tactics, with 10 sophisticated attacks mimicking observed tactics of cybercriminals
  • The industry-leading Falcon platform is the world’s most tested next-gen security platform and continues to dominate the endpoint security market

The CrowdStrike Falcon platform delivered 100% ransomware detection and protection with zero false positives in winning the AAA Enterprise Advanced Security (Ransomware) Award in the first-ever SE Labs EDR ransomware evaluation. 

SE Labs AAA Enterprise Advanced Security (Ransomware) Award

This new ransomware-focused testing by SE Labs — the leading independent computer security testing organization — validates that the Falcon platform stands alone in protecting organizations of all sizes from ransomware and sophisticated breaches by using a defense-in-depth approach, applying advanced artificial intelligence (AI) to the vast telemetry of the CrowdStrike Security Cloud to power detections and provide real-time mitigation. 

CrowdStrike remains committed to public testing transparency and tests more than any other next-gen security platform in the world. The Falcon platform was named the Best Endpoint Detection and Response product for a second consecutive year in SE Labs’ 2021 Annual Report, delivered 100% detection in SE Labs’ Q4 2021 Enterprise Advanced Security (EDR) test, achieved 100% prevention in the fourth round of the MITRE Engenuity ATT&CK Enterprise Evaluations and won a fifth consecutive Approved Mac Security award from AV-Comparatives in 2022 by demonstrating 100% malware prevention. Gartner, Forrester and IDC have all recognized CrowdStrike as a leader in modern endpoint security.

See how the Falcon platform protects against ransomware in this short video

In a report announcing the methodology and results of its extensive testing, SE Labs noted:

CrowdStrike Falcon performed exceptionally well, providing complete detection and protection coverage against all direct ransomware attacks. It also provided thorough insight into the full network breaches that concluded with ransomware deployments. There were no false positive results. An excellent result in an extremely challenging test.” 

The Falcon platform attained an AAA rating with test scores including 100% protection against ransomware and zero false positives. Here’s how SE Labs put the Falcon platform to the test and what the results mean for organizations that face the threat of ransomware every day.

Testing Falcon Platform Effectiveness Against Ransomware Attacks in Real-World Scenarios

Few cyberattacks strike fear in the hearts of organizations to the degree of ransomware. The prospect of data leaks, extortion, encrypted data, loss of business, negative headlines and the demand to pay ransom to even begin recovery is terrifying. Effective protection against ransomware is a critical part of stopping breaches and improving business resiliency. 

As organizations evaluate competing security solutions, third-party, independent testing that runs in configurations they can use, and that accounts for false positives, is an important part of the validation process. Organizations must be confident in their chosen security solution’s ability to stop sophisticated real-world ransomware attacks. Vendors that claim effectiveness but avoid testing should be viewed accordingly. 

The SE Labs test focused on realism, attacking systems using the same configurations, tools and methodologies observed in the wild, the most effective approach for delivering real-world results. Test networks represented what typical companies, government agencies, financial institutions and infrastructure services use — including systems configured as servers and workstations, and printers, email and web-based file-sharing services — and were repeatedly subjected to the two primary methods of ransomware attack: deep attack and direct attack.

  • Deep attack: Two testing teams simulated 10 sophisticated attacks from the ground up, mimicking the observed tactics of cybercriminals. They started with stolen credentials (or a similar method) to gain access to their target, then stealthily moved laterally through systems and the network. They made use of scripting tools such as PowerShell and Windows Command Shell, or User Account Control exploits to expand their access privileges while avoiding detection. After completely compromising the test network, testers deployed the ransomware payload. Ten different ransomware payloads were used in these test cases, comprising both known ransomware variants and modified versions.
  • Direct attack: Testers replicated scenarios such as an email social engineering attack (i.e., phishing) to send ransomware directly to target systems. SE Labs used a wide distribution of known ransomware including Conti, DarkSide, Dharma, Maze and Revi, in addition to modified variations.

Figure 1. SE Labs protection details for Falcon platform scoring throughout the ransomware direct attacks evaluation. Copyright: SE Labs

Testing the Falcon Platform Against Previously Unknown Ransomware 

A security solution’s ability to protect against previously unknown ransomware is an important part of both deep attack and direct attack testing. SE Labs employed known ransomware that has been used in the wild, then modified the files to make them look different but retain their behavior and functionality in absence of security software. 

Being able to detect and block known ransomware is obviously important. And if a security solution can also proactively detect unknown variants, it is far more effective than products that merely react to known threats. 

According to SE Labs:

“CrowdStrike Falcon performed exceptionally well at protecting against known and new variants of ransomware, as well as tracking network attacks that concluded with ransomware payloads.” 

Between known ransomware and the new variations created by SE Labs, 270 different ransomware samples were used in the testing. The ransomware samples were selected from nine prevalent ransomware families; 10 different ransomware payloads were selected from each family, resulting in 90 original ransomware files and 180 variations that were used by the SE Labs testers.

CrowdStrike: The Industry’s Technology Leader

This AAA rating in Enterprise Advanced Security (Ransomware) is recognition of the Falcon platform’s industry leadership in the automated detection and blocking of ransomware — in addition to its proven effectiveness against the full spectrum of cybersecurity threats.

The Falcon platform scored a perfect 100% protection accuracy rating, having detected and blocked every ransomware attack including the unknown variants. The Falcon platform also achieved a 100% accuracy rating in identifying legitimate applications and websites, and in deep attack testing detected all 10 attacks, exposing the ransomware in every case and offering thorough insight into testing threat chains.

Overall, the Falcon platform received a total accuracy rating of 99%, which indicates it is extremely effective in protecting from subtle attacks and accurately identifying non-malicious objects such as web addresses and applications. As testing was performed in real-world configurations, accuracy means the evaluation also tested for false positives — and the Falcon platform generated absolutely none. 

Because SE Labs’ testing reflected real-world configurations, CrowdStrike’s extremely high scores translate immediately to real-world use cases. High accuracy means no inconvenience for users attempting to use legitimate websites or apps; it means no downtime resulting from the investigation of false positives; it means security operations center (SOC) analysts can spend more time addressing real detections in particular and less time operating security solutions in general — all of which serve to lower organizations’ TCO and minimize security-related business interruptions.

In short, CrowdStrike Falcon platform solutions provide instant value to both organizations and the SOC analysts protecting them.  

The full SE Labs report, including details on how the Falcon platform was tested, is available here.

See for yourself how the industry-leading CrowdStrike Falcon platform protects against modern threats like ransomware. Start a 15-day free trial today.

Additional Resources

Inside the MITRE ATT&CK Evaluation: How CrowdStrike’s Elite Managed Services Operate in the Real World

7 December 2022 at 22:27

Following CrowdStrike’s strong performance in the first-ever MITRE ATT&CK® Evaluations for Security Managed Services Providers with 99% detection coverage, we take a deep dive into the testing process and how our elite managed services operate in the real world.

We recently announced CrowdStrike achieved 99% detection coverage in the inaugural MITRE ATT&CK Evaluations for Security Managed Services Providers. These results speak to our industry-leading technology and elite team of human experts, which combined detected 75 of 76 adversary techniques tested.

Closed-book testing, in which no vendor has advance notice of the adversary, methodology or specific timing of the test, provides the closest reflection of how a security vendor can protect a customer against a real-world threat. The CrowdStrike Falcon® Complete and CrowdStrike® Falcon OverWatch™ managed threat hunting teams, leveraging the power of the CrowdStrike Falcon® platform, identified the adversary and associated tradecraft within minutes.

Human-led managed detection and response (MDR) and threat hunting deliver a level of protection autonomous tools alone cannot. While many MDR solutions tested in the MITRE ATT&CK evaluation are entirely automated, Falcon Complete rises above the MDR competition with its powerful combination of security technology and human expertise. Our MDR analysts, threat hunters and incident responders have decades of experience in triaging, investigating, and remediating threats. This, combined with CrowdStrike’s integrated threat intelligence and tooling, enables them to find and stop malicious activity at unrivaled speed and scale.

Falcon OverWatch — our proactive, 24/7 threat hunting service — is a core component of Falcon Complete and played an integral role in the MITRE ATT&CK Evaluations for Security Managed Services Providers. Falcon OverWatch threat hunters were involved throughout the evaluation and were essential to CrowdStrike identifying and reporting 75 of the 76 tested steps. 

Watch this short video to see how Falcon OverWatch proactively hunts for threats.

Inside MITRE ATT&CK Testing with Falcon Complete

We approached this MITRE evaluation with the same configuration and processes we use with every Falcon Complete customer. Onboarding begins with an orientation call during which a specialist reviews the typical Falcon Complete operating model, establishes roles and responsibilities, and determines acceptable tolerance levels to carry out various response and remediation actions on behalf of the customer. For the MITRE ATT&CK evaluation, onboarding took place before the start of the active testing period.

Falcon Complete works closely with the customer to deploy the single lightweight Falcon agent onto thousands of systems, servers and machines across the enterprise. Once the agent is fully deployed, CrowdStrike takes over, handling all ensuing system configuration and optimization, and providing 24/7 threat monitoring, investigation and response. In a sense, Falcon Complete acts as an embedded extension of the customer’s security team, continuously maximizing its investment through more effective and efficient security operations and outcomes.

When the active five-day testing period began, CrowdStrike was left in the dark (as was every vendor participant), unsure when MITRE Engenuity’s attack emulation would start. The first malicious event of the 2022 MITRE ATT&CK Evaluations for Security Managed Services Providers began as many attacks do: with initial access attempts. The emulated adversary first gained entry by deploying a spear-phishing email that contained a malicious link and well-crafted social engineering pretext based on the target user’s job title to successfully dupe the intended user into clicking and launching the payload. Within minutes, CrowdStrike identified and triaged the first malicious activity. We quickly decoded the attacker’s XOR cipher to intercept and read the C2 communications, and used intelligence to identify the emulated nation-state adversary — known as OilRig by MITRE, or HELIX KITTEN as tracked by CrowdStrike Intelligence.

To keep customers informed of updates like these during an investigation, Falcon Complete uses a built-in module called “Message Center” within the Falcon console to communicate in near-real time.

Figure 1. A screenshot of the Message Center inbox where customers receive updates from Falcon Complete (click to enlarge)

The team usually sends a brief message after its initial triage to share an early assessment of the incident, provide situational awareness and create a channel where they can continue collaboration with the customer. Over the course of an investigation, Falcon Complete will follow up to provide updates on findings, analytical details, recommended recovery actions, remediation activity and more. 

Falcon Complete typically takes remediation action on behalf of our customers. The team does not merely notify and advise, but goes several steps further to to contain adversaries and clean systems of residual artifacts related to an intrusion — all within a series of pre-approved countermeasures. These remediation actions include, but are not limited to: removing files and persistence mechanisms, network containing systems, forcing MFA or password resets (for CrowdStrike Falcon® Identity Threat Protection (ITP) customers). The rules of this year’s MITRE evaluation prohibited any remediation action, so in this case, the Falcon Complete team performed a purely descriptive role.

Figure 2. A message from the Falcon Complete team with communication regarding recovery and remediation actions (click to enlarge)

Detecting Adversary Techniques with Falcon OverWatch

Throughout the MITRE evaluation, CrowdStrike’s technology and human expertise were quick to detect the emulated adversary’s steps to mimic a legitimate attacker. On day three, for example, the adversary paused much of its activity using various persistence techniques in an attempt to stay hidden and lure defenders into a false sense of security. 

The simulated adversary also executed a variety of reconnaissance commands in the Discovery phase of their attack chain, similar to how a real-life adversary would operate. Detecting this activity is critical because it provides an early indication an intruder has compromised a system and is attempting to get “the lay of the land,” during which threat actors may learn potential targets for privilege escalation and lateral movement.

CrowdStrike’s ability to detect these discovery steps is crucial. Falcon Complete identified all of these steps during the emulated adversary’s Discovery phase by using insight provided by the Falcon OverWatch team, as well as the Falcon Sandbox and integrated CrowdStrike threat intelligence.

In the MITRE testing environment and in real-world intrusion scenarios, the Falcon OverWatch team works hand-in-hand with Falcon Complete. When there is an indication of an adversary in an environment, Falcon OverWatch quickly identifies what is abnormal, notifies the Falcon Complete team and sends a detection trigger to the Falcon UI. Once Falcon Complete knows of the activity, the team scopes and contains the intrusion, reducing dwell time for adversaries. With the incident identified and threat actor eradicated, they provide the customer with recommendations and remediation steps to ensure the adversary does not return. 

One factor not evaluated during this evaluation was CrowdStrike’s ability to detect threat activity in environments large and small. The MITRE testing environment only consisted of a few machines; however, our common enterprise environments have tens to hundreds of thousands of devices — and Falcon Complete can operate on all of them.

At the conclusion of the simulated intrusion, CrowdStrike provided a final report to MITRE, as the customer, describing the extent of the attack with meaningful context and analysis of all associated threat activity that took place. This report, which summarized the intrusion as part of the incident response, is typically a separate service provided by CrowdStrike Professional Services and was specifically developed for this evaluation. It included a consolidation of Message Center content along with our investigation’s key findings, a full investigative summary and timeline, recommendations and countermeasures, mappings to the MITRE ATT&CK framework, network diagrams, observed indicators of compromise (IOCs), tactics, techniques and procedures (TTPs), and more. 

Exploring the Full Power of Falcon Complete

It’s important to note this MITRE ATT&CK evaluation did not test prevention or remediation capabilities, which are standard components of Falcon Complete. If CrowdStrike Falcon® Prevent next-generation antivirus and Falcon ITP were enabled for this test, we would have been able to demonstrate the full power of Falcon Complete by preventing initial access and stopping the attack before it started. 

As important as it is to quickly detect threats, it is equally crucial to quickly begin remediation to stop adversaries in their tracks and prevent an intrusion from escalating. Another element missing from the MITRE ATT&CK evaluation was remediation. 

Most MDR offerings stop after they identify and investigate a threat, leaving the customer to determine and execute a response. Some go one step further and disrupt attacks by performing containment countermeasures. Falcon Complete takes this to the next level and performs surgical remediation of compromised endpoints

Falcon Complete works in close collaboration with Falcon OverWatch, takes their findings and immediately begins securing the victim environment. With Falcon Complete’s efficiency in remediation, it’s no exaggeration to say CrowdStrike would have run circles around the evaluation — widening the already substantial gap between our results and those of our competitors. 

The 2022 MITRE ATT&CK Evaluations for Security Managed Services Providers demonstrates how CrowdStrike’s powerful combination of security technology and human experts lead the industry — and it doesn’t even cover CrowdStrike’s whole MDR story. What these MITRE ATT&CK results don’t show is how CrowdStrike’s MDR customers see even greater value from other included capabilities that were turned off; for example, Falcon Identity Threat Protection and end-to-end remediation of every detected event. In an upcoming CrowdCast on Dec. 8, our experts will discuss how security decision-makers can use the MITRE findings to inform their technology decisions and drive better security outcomes.

The industry-leading CrowdStrike Falcon platform sets the new standard in cybersecurity. Watch this demo to see the Falcon platform in action.

Additional Resources

Integration Exploration: Getting Started with Falcon LogScale and Bucket Storage on AWS S3

9 December 2022 at 00:21

If you run CrowdStrike Falcon® LogScale, previously known as Humio, locally or on-premises, one of your first steps is to configure local storage so that LogScale has a persistent data store where it can send logs. If you’re running LogScale as a cluster setup, then you’ll have some data replication as a function of how LogScale manages the data. However, even with that replication, you’ll probably still want something outside of your local infrastructure for resiliency.

That’s where bucket storage on AWS S3 comes in.

LogScale can use AWS S3 as a backing store for ingested logs. It uses LogScale’s native file format to make an encrypted copy of the logs in an S3 bucket where it can still read and search — even if the local copies no longer exist!

We should note that using bucket storage instead of persistent disk storage for LogScale is not our typically recommended approach for production environments. The main use case for bucket storage would be working in a cloud environment with constraints on network traffic and bandwidth, such that you can’t afford to write to persistent disks. If persistent disks for your LogScale clusters are not an option, then bucket storage is an excellent alternative. You can read the documentation for more information on working in the cloud with bucket storage for LogScale but persistent disks for Kafka (which is a Kafka requirement).

In this guide, we’ll walk through how to set up bucket storage on AWS S3 so that you can understand the value of this approach and learn how to implement it.

Bucket storage on AWS S3 is only available if you’ve deployed LogScale yourself. Also, keep in mind that you will need a license to deploy LogScale on-premises. Licenses typically take two business days to activate. You can register for a free trial here.

Are you ready? Let’s jump in.

Deploying LogScale

If you want to deploy LogScale yourself, you have three primary options:

  1. The Single Node Setup is great if you’re looking to kick the tires on LogScale and see what it has to offer. With this approach, you have the flexibility of accessing LogScale on your laptop, a VM or a cloud instance without much effort.
  2. The Cluster Setup is a more advanced approach but still attainable if you’re comfortable installing packages or running containers. If you’re running in a VM-centric environment or a server rack, this is probably the method you’ll use, especially if you’re looking for a production-level deployment.
  3. The Container Deployment is exactly what it sounds like! LogScale gives you the option to install on Docker or Kubernetes. This is a good option for teams that have already adopted containers and/or orchestration platforms and understand the nuances that come along with that sort of architecture.

For our demo, we’ll use a local deployment of LogScale running on a local Kubernetes cluster. For an excellent step-by-step setup of the Kubernetes and LogScale setup, follow this guide.

Verifying our LogScale deployment

With our Kubernetes cluster and LogScale running, it’s time for a sanity check. We’ll go through a few commands to validate the pieces we need are running.

Check the core LogScale cluster pods

$ kubectl get pods -n logscale
NAME                           READY   STATUS    RESTARTS   AGE
logscale-cluster-core-dafuvj   2/2     Running   0          13m

Check the Kafka, Zookeeper and Entity Operator pods

$ kubectl get pods -n kafka
NAME                                              READY STATUS   RESTARTS  AGE
logscale-cluster-entity-operator-57fc6485c9-vh5vv 3/3   Running  0         70m
logscale-cluster-kafka-0                          1/1   Running  0         70m
logscale-cluster-zookeeper-0                      1/1   Running  0         71m
strimzi-cluster-operator-86864b86d5-7zz4s         1/1   Running  0         72m

If all of these are in a running state, you’re in good shape!

Check the LogScale interface

One more thing we’ll want to check is access to the LogScale interface. The easiest way to do this is to run a port forward.

$ kubectl -n logscale port-forward svc/logscale-cluster 8080
Forwarding from -> 8080
Forwarding from [::1]:8080 -> 8080

Then, we navigate to  http://localhost:8080 in our browser and log in (username: developer and password: password ). The username is standard, but the single-user password is defined as part of the environment variables for the humiocluster. You can change this if desired:

$ kubectl get humiocluster logscale-cluster -n logscale \
-o jsonpath="{.spec.environmentVariables[4]}" | jq .
  "value": "password"

Now that we’re confident our LogScale instance is up and running, let’s take a look at storage.

Currently, we have local storage collecting and retaining all of our logs. However, we want to configure AWS S3 Bucket Storage to retain a copy of our logs. This is helpful in case our cluster suddenly crashes or we don’t have enough nodes with replicated data.

Note: Don’t confuse bucket storage with S3 Archiving, which also makes a copy of the logs but not in a LogScale native format, which means they’ll no longer be searchable.

Configuring for AWS S3 Bucket Storage

Now, we’re ready to configure LogScale for bucket storage on AWS S3. Our first step is to ensure we have proper permissions at AWS.

Set up AWS permissions

Since we’re running locally, we’ll need to create an AWS IAM user with proper permissions to access our AWS S3 Bucket. We won’t cover every detail for creating the IAM user, but here are the basic steps:

  1. Log into your AWS account and navigate to IAM.
  2. Create a policy with S3 bucket read/write access.
  3. Create an IAM group and attach that policy.
  4. Create an IAM user and make that user a part of the group. (Alternatively, you can inline the policy for a single user, bypassing the use of an IAM group entirely.)

We’ve also created an S3 bucket (arbitrarily) named logscale-beachbucket that we can configure for use with LogScale. A sample policy for bucket access can be found in the LogScale docs. Our policy looks like this:

 "Version": "2012-10-17",
 "Statement": [
         "Effect": "Allow",
         "Action": [
         "Resource": [
         "Effect": "Allow",
         "Action": [
         "Resource": [

After creating the IAM user, we obtain an Access Key ID and a Secret Access Key. We’ll use these momentarily to authenticate our LogScale cluster for access to our S3 bucket.

Update humiocluster for AWS authentication

With the baseline set up, we’ll configure our LogScale cluster! First, we need to tell LogScale how to authenticate to our AWS S3 bucket. We do this with the following environment variables, which correspond to the Access Key ID and Secret Access Key we copied down when creating the IAM user:


We also need to tell LogScale where to put the data and how to encrypt it. We do that with the following environment variables:


In a virtual machine installation of LogScale or a similar local install, we would use INI files to configure these value. Since we’re running on Kubernetes, we need to make changes to the humiocluster custom resource. The easiest way to do this is by editing the custom resource.

First, we run the following command:

$ kubectl edit humiocluster logscale-cluster -n logscale

Then, we update the environment variables so that our custom resource definition looks like this – notice the values associated with S3):

kind: HumioCluster
  name: logscale-cluster
  namespace: logscale
  # <snip>
  # <snip>
    value: -Xss2m -Xms1g -Xmx2g -XX:MaxDirectMemorySize=1g
    value: logscale-cluster-zookeeper-client.kafka.svc.cluster.local:2181
    value: logscale-cluster-kafka-brokers.kafka.svc.cluster.local:9092
    value: single-user
    value: password
    value: <redacted>
    value: <redacted>
    value: logscale-beachbucket
    value: us-east-1
    value: <redacted>

Once you save your edits, new pods will get rolled out. Soon, you’ll begin to see objects added to the bucket. It will look similar to the following:

As the data ingest continues to happen, you’ll see LogScale create more objects in the bucket, and AWS will begin to record and show the amount of storage used.

We’re up and running! LogScale has been successfully configured for bucket storage with AWS S3.

Configuring for your specific environment

Perhaps you don’t want to use S3 buckets called logscale-beachbucket or mytestbucket in production. LogScale allows you to configure a fresh bucket. The documentation states the following:

Existing files already written to any previous bucket will not get written to the new bucket. LogScale will continue to delete files from the old buckets that match the file names that LogScale would put there.

Here are the steps you would take to configure LogScale to use a new S3 bucket:

  1. Create a new bucket in S3.
  2. Update the IAM policy to allow read/write to the new S3 bucket.
  3. Edit the humiocluster custom resource, updating S3_STORAGE_BUCKETand S3_STORAGE_REGION in spec.environmentVariables to point to the bucket you created.

Once you save the edits to the humiocluster custom resource, new pods will be rolled out, and you’ll begin to see data collected in the new bucket!


We’ve covered a lot in this guide, so let’s quickly recap what we’ve done:

  1. We set up our base installation of LogScale.
  2. We verified that everything was running by checking pod statuses and validating the LogScale interface in a browser.
  3. We went through AWS IAM steps so that we could obtain an Access Key ID and a Secret Access Key for read/write access to our newly created S3 bucket.
  4. We put it all together and configured LogScale to use our S3 bucket for storage.
  5. We verified that LogScale was creating new objects in our S3 bucket.
  6. We walked through how you could switch to a new bucket when you’re ready to move out of sandbox mode.

Congratulations on setting up AWS S3 bucket storage for LogScale! Nicely done! Some common next steps after getting set up with AWS S3 Bucket Storage include:

Happy logging!

5 Partner Predictions for 2023 from CrowdStrike’s Channel Chief

9 December 2022 at 15:15

As vice president of global alliances for CrowdStrike, I have the pleasure of meeting daily and weekly with our partners around the globe to ensure that CrowdStrike is addressing their needs and the needs of their customers with our products and services. As a benefit of talking with our partner ecosystem, I have gained a firsthand perspective into their world and what they face every day in the cybersecurity trenches as we keep our mutual customers safe. Based on my experiences, the following five predictions are some of the things I see on the horizon as we head into 2023.

1. As budget restraints tighten, partners will increasingly work with vendors that offer a unified security platform. 

Organizations will be forced to optimize security and IT costs as a result of the global macroeconomic shift. This will lead to increased customer demand for vendor consolidation, resulting in an increased shift to the adoption of platform vendors offering solutions under a single umbrella. Partners will fuel this vendor consolidation. 

2. The standardization of a shared data schema will accelerate among partners. 

Partners (of all types) will work closer than ever to accelerate data normalization to help organizations defend against adversaries. In 2022, we saw new technology partner alliances come together to achieve this outcome. In 2023, more partners will join these initiatives to make it even simpler and less burdensome for organizations to use and exchange security data in the global fight against cybercrime.

3. Consumption of security resources will change and partners will adapt. 

Customers are evolving the security procurement process and partners will evolve with them to meet their needs. Customers are shifting away from traditional purchase orders (via solution providers) toward buying and consuming services and products online through various marketplaces, including online software-as-a-service (SaaS) stores, public cloud marketplaces and even direct to vendors. As a result of this shift, partners will make their solutions available with flexible buying options in multiple locations.

4. Partnering with identity providers will be increasingly important. 

Identity will be the top threat vector in 2023 and identity providers will play a critical role in helping to protect user credentials. Threat actors know that they can take advantage of the growing remote workforce to steal credentials and infiltrate organizations. The ability to protect against these identity-based attacks will require an identity protection solution that integrates with identity providers, so that organizations can handle the complexities of storing and authenticating identities.

5. Managed security service providers and global system integrators will serve a critical role in addressing the ongoing global cybersecurity skills shortage. 

According to the (ISC)² 2022 Cybersecurity Workforce Study, there’s a global cybersecurity workforce gap of 3.4 million people. As a result, organizations will look to MSSPs and GSIs to fill this gap. The benefit for organizations leveraging MSSPs is that they provide 24/7 expert monitoring without the need for additional staffing. As for GSIs, they can help organizations manage the complexity inherent with cybersecurity and solve business challenges through implementation services. 

Additional Resources

Importing Docker Logs with CrowdStrike Falcon LogScale Collector

9 December 2022 at 19:52

Docker is the primary tool used for containerizing workloads. If your company wants to build containers with quality, then you’ll need access to your Docker container logs for debugging, validation and optimization.

While engineering teams can view container logs through straightforward CLI tools (think docker logs), these tools don’t provide a mechanism for storing or indexing logs over time. A central, remote location for gathering logs from Docker containers is necessary. Enter CrowdStrike Falcon® LogScale.

Falcon LogScale uses industry-standard protocols for Docker log ingestion. Although there are several log shipping options, we’ll focus on using the Falcon LogScale Collector.

Here’s what you’ll learn

In this how-to guide, we’ll demonstrate how to send logs from our Docker containers to Falcon LogScale. We’ll walk through the following steps:

  • Set up Docker and run an Nginx container as our demo container.
  • Set up a Falcon LogScale repository and create an ingest token.
  • Install and configure Falcon LogScale Collector.
  • Verify that our Docker logs are sent successfully to Falcon LogScale.

We’ll start simple and build in complexity as we go. Let’s dive in.

Setting Up Docker

We’ll create a simple Docker container based on the Nginx container image. With our container up and running, we’ll verify that we can see our Docker logs locally. Then, after we get Falcon LogScale Collector up and running, we’ll ship those logs to Falcon LogScale.

Installing Docker

For our example, we’re running on Ubuntu Jammy (22.04), so we’ll use Docker’s apt repository method to install Docker.

$ sudo apt-get install -y docker-ce docker-ce-cli docker-compose-plugin

For a quick sanity check, let’s run a sample “hello world” container to validate that we can pull images and run containers without issue:

$ sudo docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
2db29710123e: Pull complete
Digest: sha256:faa03e786c97f07ef34423fccceeec2398ec8a5759259f94d99078f264e9d7af
Status: Downloaded newer image for hello-world:latest
Hello from Docker!
This message shows that your installation appears to be working correctly.

Launching an Nginx container

Now, let’s verify that we can run an Nginx container locally.

Starting the container

Run the following command to start Nginx in detached mode (in the background) on port 8080

$ sudo docker run \
  --name helloworld \
  -p 8080:80 \

When we launch a web browser, we see the default Nginx landing page at localhost:8080.

Setting Up Falcon LogScale

To use Falcon LogScale, you will need an account. If you don’t have one, you can sign up for the Falcon LogScale Community Edition. You’ll get an email with your login information, and then you can log in with your identity provider of choice.

From there, you can view all of your Falcon LogScale repositories.

Creating a new Falcon LogScale repository

You’ll need to create a repository. Once created, you can get an ingest token for the repository. Click + Add New to create a repository.

Select Repository.

Note: Falcon LogScale Community Edition allows only one repository. If you already have an existing repository, you’ll need to remove it before you can add a new one.

Creating an ingest token

An ingest token is used to authenticate a service that wants to send log data to your repository. Navigate to the Ingest Tokens page of your repository settings. Click Add Token.

Provide a name and select how your logs should be parsed. For our example, we’ll use json, as that will match the default logging format for Docker containers.

After saving the token, view the token value and copy it down for safekeeping. We’ll use it in the Falcon LogScale Collector configuration later.

Setting Up the Falcon LogScale Collector

With Docker and our Falcon LogScale repository all set up, it’s time to connect our pieces with Falcon LogScale Collector.

Installing the Collector

Under the Ingest tokens section of our repository where you created the ingest token, you’ll see a convenient link that will take you directly to the download page for the Falcon LogScale Collector.

Click that link to head over to the download page. From there, you can choose the installer for your OS (in our case, Ubuntu).

Download and install the Collector:

$ sudo dpkg -i humio-log-collector_1.2.1_linux_amd64.deb
(Reading database ... 64390 files and directories currently installed.)
Preparing to unpack humio-log-collector_1.2.1_linux_amd64.deb ...
Unpacking humio-log-collector (1.2.1) over (1.2.1) ...
Setting up humio-log-collector (1.2.1) ...

Configuring the Collector

On Linux, the configuration for Falcon LogScale Collector can be found in /etc/humio-log-collector/config.yaml. That’s where the Falcon LogScale Collector will look for its configuration by default. We’ll modify the configuration file, telling the Falcon LogScale Collector to watch the Docker container directories and their respective logs.

dataDirectory: /var/lib/humio-log-collector
    type: file
    include: /var/lib/docker/containers/*/*.log
    sink: logscale
    type: humio

Granting permission to the Collector for reading Docker logs

With the configuration set, there’s one last thing you’ll need to do before starting the Falcon LogScale Collector service. Since Docker runs as root (per the standard installation method), the container logs are owned by the root user and are not world-readable. We need to make sure the Collector service has permission to read these container logs. To do this, edit the systemd service file (/usr/lib/systemd/system/humio-log-collector.service). Make note of the addition below Group=humio-log-collector

Description=Humio Log Collector

ExecStart=/usr/bin/humio-log-collector -cfg ${CONFIG_FILE}


From here, configure the service to start at system boot, and then perform an initial startup of the service. This will start shipping your Docker logs to your Falcon LogScale repository.

$ sudo systemctl daemon-reload
$ sudo systemctl enable humio-log-collector.service
$ sudo systemctl start humio-log-collector.service

Now, when we log into Falcon LogScale and run a search, we can see logs from our Nginx container!


In this how-to guide, we walked through how to configure the Falcon LogScale Collector to send our Docker container logs to Falcon LogScale.

Rather than creating complicated, additional tooling, engineering teams can use Falcon LogScale, which simplifies the process of log ingestion and aggregation. This allows logs from a wide range of systems to be easily shipped to Falcon LogScale.

Docker is no doubt a critical piece of the tech stack in many of today’s distributed applications. When instrumenting your systems to send logs to a centralized solution like Falcon LogScale, you’re now equipped to ensure that Docker logs are included in that set of essential data.

Our Customers Have Spoken: CrowdStrike Delivers the Best in EDR, EPP and XDR

13 December 2022 at 07:16

Time and again, analyst reports, independent tests and numerous other awards and acknowledgements affirm CrowdStrike is a leader in cybersecurity. Why is this important?  Because when CrowdStrike is #1, it’s our customers who win.

But to us, the best validation of the power of the CrowdStrike Falcon® platform comes from our customers themselves. We are proud to have earned the trust of so many organizations — over 20,000 customers and counting — around the world.

Our customers consistently tell us they choose CrowdStrike because our products simply work. And they often tell their peers as well. So much so, in fact, that three leading customer review sites recently recognized CrowdStrike with top rankings spanning the cybersecurity market. We’re humbled that so many of our customers have enthusiastically shared their success stories of using the Falcon platform with the industry. 

Collectively, our customers’ voices verify CrowdStrike’s ability to provide the platform, expertise and intelligence they need to keep their organizations moving forward. 

Leading Customer Review Sites Validate CrowdStrike As #1 Across Multiple Market Categories  

Based on verified customer reviews, three leading customer review sites — G2, PeerSpot and TrustRadius — recently recognized CrowdStrike as having the top offerings in numerous cybersecurity market categories, including endpoint detection and response (EDR), endpoint protection platform (EPP) and extended detection and response (XDR). 

First, let’s cover CrowdStrike’s market-spanning rankings:

G2: CrowdStrike finished #1 in the Winter 2022 Report for EDR in the Enterprise, Mid-Market and Overall categories, and #1 in the Winter 2022 Report for XDR in the Enterprise and Overall categories. CrowdStrike was the only Leader listed in the Enterprise category for EDR. CrowdStrike also finished #1 in the Winter 2022 Report for Threat Intelligence in the Enterprise and Overall categories, and #1 in the Winter 2022 Report for Antivirus in the Enterprise category. 

CrowdStrike finished #1 and was the only Leader listed in G2’s Winter 2022 Enterprise Grid® for Endpoint Detection & Response (EDR) Software. Vendors are positioned according to satisfaction (horizontal axis) and market presence (vertical axis).

PeerSpot: CrowdStrike earned a 2022 PeerSpot Gold PeerAward in EDR, EPP and Anti-Malware Tools, and also received No. 1 Ranked badges in EDR, EPP, Managed Detection and Response (MDR) and Threat Intelligence Platforms. 

TrustRadius: CrowdStrike won 2022 Top Rated awards for Endpoint Security, Extended Detection and Response (XDR), Antivirus, Cloud Computing Security, Incident Response, Intrusion Detection, MDR, Threat Intelligence and Vulnerability Management.

When we win, our customers win. That’s why we are so excited to hear these real-world anecdotes from our customers on the value they are receiving from the Falcon platform. Here are just a few of their stories:

  • “We were using Windows Defender before Falcon. […] With Falcon installed, I know that we’ll find out if our users get attacked or compromised so that we can deal with it right away,” said a director of IT at a mid-market company (via G2). 
  • “[The CrowdStrike] Falcon ecosystem is very vast and with a SINGLE and lightweight agent it can provide many different security related protection capabilities. The console is very easy to understand, [and] it’s cloud native so it also saves money with regards [to] infrastructure and maintenance,” said a verified enterprise user in hospital and health care (via G2).
  • “The features for CrowdStrike Falcon far outweigh the competition. From the cloud infrastructure, implementation, deployment, and even the support staff, [CrowdStrike] Falcon is beyond anything that we have used,” said a technical support specialist at Northwestern University (via TrustRadius).

Read the press release.

Learn how the powerful CrowdStrike Falcon platform provides comprehensive protection across your organization, workers and data, wherever they are located.

Our Customers Tell Us Why They Chose and Use CrowdStrike to Help Their Peers Do the Same 

Fal.Con, CrowdStrike’s annual premier cybersecurity event, is where industry professionals discover how to strengthen their security posture and protect their organizations in today’s rapidly evolving threat landscape. It is also an opportunity for us to visit face-to-face with our customers, whose feedback not only helps guide CrowdStrike product development but also validates our cloud-native, single lightweight agent approach to cybersecurity. 

At Fal.Con 2022, a number of our customers sat with our camera crew to help create the following video, in which they share their CrowdStrike success stories to assist their industry peers as they navigate their own decision-making journeys.

At CrowdStrike, we know that market leadership is more than just having the best technology. It includes delivering the best outcomes for our customers by extending our industry-leading Falcon platform protection across their greatest areas of risk. Though we will never stop fighting every day to be and stay #1, as the customer-sourced awards and feedback above attest, our customers are glad to be along with us for the journey.  

The industry-leading CrowdStrike Falcon platform sets the new standard in cybersecurity. Watch this demo to see the Falcon platform in action.  

Additional Resources

CrowdStrike Services Helps Organizations Prioritize Patching Vulnerabilities with CrowdStrike Falcon Spotlight

13 December 2022 at 22:29

When the CrowdStrike Services team conducts a proactive security engagement, such as a Cybersecurity Maturity Assessment or Tabletop Exercise, it often uses CrowdStrike Falcon® Spotlight to identify what vulnerabilities exist in the environment. Unfortunately, this can be a disheartening experience, as many organizations we see have millions, even tens of millions, of unpatched vulnerabilities. It’s typical to see at least a quarter of those listed with a CVSS rating of Critical. 

It’s a grim testament to just how difficult it can be to run an effective vulnerability management program. The challenges that most customers face will probably sound familiar: 

  • The number of vulnerabilities far outnumber what the security or IT teams could ever hope to fix. 
  • Prioritizing only vulnerabilities rated Critical and High allows lower-rated vulnerabilities to linger and weaken your security posture. 
  • Asset criticality is often absent from prioritization efforts altogether. 
  • Patching systems can be mundane and seemingly unrewarding work for the seasoned IT/security professional. 

This blog highlights the importance of effectively prioritizing vulnerabilities and shows how Falcon Spotlight can be used to do so effectively and with minimal effort.

The Basics of Vulnerability Management

There is no silver bullet for vulnerability management. Some of the security teams CrowdStrike Services works with have all of the building blocks in place but are not authorized to force system changes. Others recognize their knowledge gaps, but aren’t empowered to build a strong foundation by maturing their asset management practices.  

Regardless of whether these kinds of obstacles exist, focusing on the fundamentals provides an important foundation. Automation and “single-pane-of-glass” tools are a key to success when the tasks are repeatable and the volume of work is large. As with many things in cybersecurity, these capabilities help decrease manual process fatigue and lead to increased efficiency of security programs. Vulnerability management is no exception — automation can help drive best practices in patch management across the board. Consistently applying updates for operating systems and key applications can dramatically reduce the total number of vulnerabilities, improve the organization’s security posture and make it easier to prioritize your remediation efforts. 

For organizations that have mastered the basics, the next challenge is identifying and focusing on the issues that are most likely to cause problems or be exploited by an adversary. Of course, this is ever-changing.

This is an area where Falcon Spotlight can help. The CrowdStrike Services team, and many of CrowdStrike’s customers, use the Falcon Spotlight ExPRT.AI feature to focus their efforts. ExPRT.AI is an artificial intelligence model that offers a rating system utilizing telemetry and threat intelligence to provide a more accurate assessment of a vulnerability’s criticality, and it updates that assessment over time. For example, if threat intelligence shows that a vulnerability is being actively exploited, ExPRT.AI will adapt by increasing the criticality rating for that vulnerability. In addition to providing more accurate results, CrowdStrike Services has observed that ExPRT.AI generally produces a smaller combined number of vulnerabilities rated Critical and High — often less than 20% of the total according to the CVSS rating — thus reducing the amount of work required to make meaningful improvements to the organization’s overall security posture.

Watch this short video to see how Falcon Spotlight ExPRT.AI works.

How to Prioritize Assets

Filtering by CVSS or ExPRT.AI rating is only the first step in prioritizing vulnerability patching within Falcon Spotlight. The successful vulnerability management programs that CrowdStrike Services comes across also prioritize according to asset type, function and other criteria. The most successful programs are also aligned with the business’s goals and risk-prioritization. Because systems are not targeted equally — real-world threat actors and CrowdStrike red teams typically leverage only a few exploits against a small number of endpoints — this degree of prioritization allows security teams to markedly improve security by remediating a limited number of vulnerabilities for a limited number of assets. Improving the security of the assets most likely to be targeted can make a successful attack much more difficult.

Vulnerabilities on externally facing systems should always be a top priority, as these are easily accessible to any external attacker and therefore more likely to be targeted. Tier 0 resources such as domain controllers, AD certificate servers and SSO-related systems should also be considered high-priority assets. Though unlikely to be targeted from the outside since most are only accessible from an internal network, the security of these systems is critical to the security of the rest of the environment, and an adversary who gains access to the internal network will quickly seek them out. Unfortunately, it’s not uncommon for CrowdStrike Services to identify domain controllers on a customer’s network with vulnerabilities that are known to be actively exploited.

Other systems that often belong high on the priority list include Exchange servers, database servers and systems used for IT management functions such as software deployment, as these systems may contain sensitive information and are often associated with privileged accounts. It’s fairly common, for example, to see a SQL service account running as a domain administrator (an example of excessive privileges that should be fixed), and the CrowdStrike Services team has seen ransomware groups use an organization’s own software deployment tools against them.

Notably, a security or IT team can address all of the above priorities without seeking input from the rest of the business, because they are high-value targets from an attacker’s perspective. But the most successful vulnerability management programs also prioritize high-value assets from a business perspective. It starts with identifying critical business assets, such as systems that must remain up for the business to function or that host mission-critical data. If the organization has performed a “crown jewels” assessment, its results should be used to prioritize systems that hold important confidential data or play a pivotal role in the organization’s business processes. 

Unfortunately, many organizations have not identified their most critical assets from the business perspective. These organizations may have a security team that is siloed or does not collaborate with the rest of the organization, or from one side or both there’s a lack of communication and engagement. The security team ends up making a best effort to “go do security” without an accurate idea of what matters most to the business. For these organizations, it’s worth noting that even without undergoing a formal analysis, informal attempts to identify business-critical systems or systems containing PII, PHI, etc., can still provide a helpful guide to determining which vulnerabilities to prioritize. (Note that such analysis yields benefits beyond vulnerability management in that it can add value to shaping disaster recovery plans, scoping the severity of incidents and informing broader risk management efforts.)

Divide and Conquer Through Focused Prioritization

CrowdStrike Services recommends that customers use Falcon Spotlight to help with prioritization by filtering vulnerability results on such criteria as hostname, system type (workstation, server or domain controller), IP range, vendor, product name and/or by the group tag applied to the asset. Tags can be applied to systems either at installation, via a command-line option or through Host Management in the Falcon console.

Figure 1. Filtering for Critical and High vulnerabilities on a specific group of servers (click to enlarge)

As a complement to filtering by asset, customers can also filter for vulnerabilities that are known to be exploited. Spotlight can filter on Exploit Status, which can be “Actively Used,” “Easily Accessible,” “Available” or “Unproven.” Because threat actors often rely on a small number of exploits to gain initial access, escalate privileges or move laterally, filtering in this manner helps create a manageable list of vulnerabilities, allowing organizations to significantly improve their security posture with a relatively small amount of effort. 

During customer engagements, CrowdStrike Services gets even more focused, searching for specific vulnerabilities the team knows to be actively targeted by various threat actors. Some of our more mature customers take a similar approach and prioritize vulnerabilities that have been mentioned in their threat intelligence feeds, ISAC reports and other sources. This type of targeted remediation can be carried out by any organization. CISA maintains a public catalog of vulnerabilities known to be exploited and periodically publishes a list of the most exploited vulnerabilities. With Falcon Spotlight, customers can create a search for these high-profile vulnerabilities based on their CVE IDs and bookmark the search so they can revisit the results later for an updated look at their environment. 

Figure 2. Filtering for specific vulnerabilities known to be actively leveraged by threat actors (click to enlarge)

During a Technical Risk Assessment with Falcon Spotlight in a large customer environment, CrowdStrike Services observed millions of critical vulnerabilities across tens of thousands of endpoints. By limiting the results to servers and domain controllers that contained any of approximately 20 widely exploited vulnerabilities, the CrowdStrike Services team was able to produce a much more manageable list of approximately 2,000 vulnerabilities across 700 hosts. Additionally, Falcon Spotlight was able to produce a list of the 44 unique remediations needed to fix these vulnerabilities. The prospect of trying to fix millions of vulnerabilities may seem overwhelming, even for the largest organizations, but 44 remediations is actionable for an organization of any size. Additionally, because these were vulnerabilities that various threat actors were known to leverage in their attacks, fixing them would meaningfully improve the client’s security posture.

Larger organizations may have IT teams assigned to different locations, system types or business applications. By using Falcon Spotlight to filter on hostname, host type, IP range, group tag and/or product name, these customers can produce and export a list of vulnerabilities, hosts and remediations tailored to each team or group in the organization. This will make their results more actionable and can enable them to move remediation efforts forward in multiple areas independently. This is also useful if the security team is lacking in organizational buy-in and wants to work with one team as a test case before pushing forward with their vulnerability management program enterprise-wide.

Falcon Spotlight also provides useful insight into the state of patch management in an organization’s IT environment. Falcon Spotlight’s Installed Patches page shows when systems were last patched, whether they need to be rebooted and how many patches are pending. Searching for systems that haven’t been patched in more than 30 or 60 days can identify gaps in the organization’s IT processes, while searching for systems that have been patched in the last week can identify whether work has been done toward outstanding remediations. This facilitates better communication between IT and security teams, makes it easier to determine whether remediation work has been started and helps identify when remediation is not complete. A reboot could prevent an incident response engagement. 

Tailor Prioritization for Your Organization

There are many ways to prioritize vulnerability assessment and remediation efforts, and one organization’s approach doesn’t have to match another’s. Most organizations that CrowdStrike Services has seen succeed started by working with their data and experimenting with different filtering criteria to develop an understanding of what is in their environment. The suggestions in this blog are techniques we have seen organizations use successfully, but they are merely a starting point. Organizations should use other criteria, or split up or combine results in ways that make sense for them. It’s often best to start small and grow as the organization and its IT teams get comfortable with the process. Once the organization has a set of results that they think are actionable and important, they should start working on remediation. Most organizations will change their approach over time so they shouldn’t let analysis paralysis keep them from moving forward.

See for yourself how the industry-leading CrowdStrike Falcon platform protects against modern threats. Start your 15-day free trial today.

Additional Resources

Attackers Set Sights on Active Directory: Understanding Your Identity Exposure

14 December 2022 at 13:58

Eighty percent of modern attacks are identity-driven. Why would an attacker hack into a system when they can simply use stolen credentials to masquerade as an approved user and log in to the target organization? 

Once inside, attackers increasingly target Microsoft Active Directory because it holds the proverbial keys to the kingdom, providing broad access to the systems, applications, resources and data that adversaries exploit in their attacks. When an attacker controls the keys, they can control the organization. 

The impact and escalation of an Active Directory attack is a big reason why it’s frequently targeted. Fifty percent of organizations have experienced an Active Directory attack in the last two years, with 40% of those attacks successful because the adversary was able to exploit poor Active Directory hygiene

The problem for security teams and CISOs is they often lack visibility into the risk presented by Active Directory and identity threats. With thousands of identities and configurations to manage, understanding the level of risk and enforcing Active Directory hygiene can be difficult — but the ability to detect and stop identity-based attacks is critical to stopping breaches. Understanding the risk that your Active Directory creates is the best place to start. 

Get a free, 1-hour Active Directory Risk Review today

Good Active Directory hygiene starts with gaining visibility into the risk, attack paths and threats your organization faces. 

CrowdStrike is offering a complimentary Active Directory Risk Review to help security teams achieve visibility, understand risk and gain insights into the proactive steps that stop identity-based attacks before they happen. 

CISOs and security teams can immediately gain critical insights into the organizational risk created by Active Directory. To understand the depth of visibility CrowdStrike delivers, here’s a quick look at the risk uncovered across three anonymous assessment participants:

A Financial Services Organization

  • Uncovered several hundred stale service accounts that had not been disabled for years. 
  • Identified that some accounts were both privileged and had compromised passwords — an easy target for “silent abuse.”

A Consumer Technology Firm

  • Identified 13 partner firm accounts that were accidentally over-permissioned. This opened up the organization to supply chain attacks.
  • The company discovered that the accounts had unintended domain admin rights left open for the past 19 months.

An Insurance Company 

  • Discovered more than 20 accounts with SPNs and compromised passwords — low-hanging fruit for Kerberoasting. 

“The AD Risk Review was an eye-opener. It was incredibly helpful to have automated insights pointing us to our largest risks.” — an Active Directory Risk Review participant

Gaining instant visibility into Active Directory hygiene is a critical step in overcoming the architectural limitations that put organizations at risk. As many participants note, the risks that are uncovered during the process are incredibly common to any user of Active Directory. The insights highlight the challenge administrators of these environments face and the challenge of properly securing Active Directory.

Join our CrowdCast to learn more about AD security and identity protection

The Crisis of Trust: Architecture Limitations of Active Directory Create Risk

The exploitation of Active Directory is an industry-wide problem that has been known and growing for years. 

Released with Windows 2000, Microsoft Active Directory has become the de facto definition of “legacy technology.” Despite being outdated and architecturally limited, Active Directory still serves as the identity infrastructure for a majority of modern organizations. According to a report, 90% of Fortune 1000 companies still use Active Directory. The prevalence of use and architectural limitations is why it’s a priority target for attackers. It’s also creating a crisis of trust within the industry. 

A security compromise of Active Directory can undermine an entire identity infrastructure. Attackers can elevate privileges, move into different systems and applications, and launch even more devastating attacks like data exfiltration, system takeovers, ransomware, productivity disruption, supply chain attacks and more. 

This was most infamously seen in Golden SAML supply chain attacks of December 2020. In testimony on CyberSecurity and Supply Chain Threats before the Senate Select Committee on Intelligence, CrowdStrike CEO and Co-founder George Kurtz highlighted that one of the most sophisticated aspects of the StellarParticle campaign was how skillfully the threat actor took advantage of architectural limitations in Microsoft’s Active Directory Federation Service credentialing and authentication process…”

In the same testimony, Kurtz highlighted a potential solution, stating, The only silver lining to the Golden Ticket/Golden SAML problem is that, should Microsoft address the authentication architecture limitations around Active Directory and Azure Active Directory, or shift to a different methodology entirely, a considerable threat vector would be completely eliminated from one of the world’s most widely used authentication platforms. 

Unfortunately for many customers, the legacy and architecture decisions of yesterday still create risk today. Waiting for these architectural limitations to be fixed isn’t a security strategy — but understanding and mitigating the risk Active Directory creates is the basis for a strong security posture.

CrowdStrike’s Active Directory Risk Review is free for both customers and non-customers. The simple, two-step process will deliver an automated discovery of your greatest areas of identity risk to uncover insights like adversary attack paths, compromised credentials, excess privileges and much more. 

In the latest episode of Under the Wing, see how the CrowdStrike Falcon® platform delivers unified Identity Threat Protection to stop the latest identity threats.

Additional Resources

Why Managed Threat Hunting Should Top Every CISO’s Holiday Wish List

14 December 2022 at 17:43

With the end of the year fast approaching, many of us are looking forward to a well-deserved break. However, security practitioners and security leaders worldwide are bracing themselves for what has become a peak period for novel and disruptive threats. 

In 2020, the holiday season was marked by the SUNBURST incident, and in 2021 the world grappled with Log4Shell. While we don’t know what this holiday season has in store, it has never been more important for organizations to take a proactive approach to security protections. 

What the aforementioned threats have in common is the ability to evade automated detection capabilities. This holiday season, the price of peace of mind is an investment in the capability to quickly and accurately detect novel threats that attempt to circumvent technology-based defenses. 

Searching for unknown threats is a highly specialized field that requires expert practitioners, finely tuned tooling and both continuous and granular visibility into the events occurring across an environment. In combination, these elements enable threat hunters to derive patterns of known adversary behavior from otherwise unique and novel circumstances. Whether threat hunting happens in house, is outsourced or is performed via a hybrid model, when done well, it provides a crucial safeguard against constantly evolving adversary tradecraft. 

This blog examines the value an organization can derive from effective threat hunting operations. Using customer-reported impacts, it also looks at some of the expected and unexpected value a managed threat hunting service can deliver. CrowdStrike has collaborated with customers to validate the business value realized from outsourcing their threat hunting to the 24/7 CrowdStrike® Falcon OverWatch™ managed threat hunting service. These figures are based on their real-world experience with the service. 

This holiday season, every organization needs to ask themselves:

  • Does my threat hunting capability deliver peace of mind in the face of constantly evolving threats?
  • How do we know if we’re receiving necessary protection and value from our threat hunting? 

Assess the Value of Your Organization’s Threat Hunting

Is your threat hunting team adequately resourced to provide comprehensive coverage?

Effective threat hunting isn’t dark magic — it is an activity that requires 24/7 coverage and culminates from dedicating time, resources and expertise to baselining, investigating and building hypotheses. It requires around-the-clock vigilance because adversaries routinely operate outside of core business hours and can move quickly once they gain access.

Organizations need to maintain sufficient staffing to ensure continuous coverage to stay ahead of the accelerating tempo of today’s adversarial activity. On average, enterprise customers found that deploying the Falcon OverWatch service in their environment augmented their security teams by offsetting five full-time equivalent (FTE) threat hunters, or roughly $735,000 USD a year. Over three years, this equates to $2.2 million USD in offset FTE hours from partnering with in-house security teams to provide continuous threat hunting coverage and enabling them to focus on high-priority issues. For organizations with a complex patchwork of technology assets, systems and software solutions, more threat hunters may be required to build out particular specializations and provide comprehensive coverage. Customers reported that Falcon OverWatch managed hunting offset as many as 14 FTE threat hunters. 

Customers recognize the value of the Falcon OverWatch team’s around-the-clock coverage. Shannon Lawson, Chief Information Security Officer for the City of Phoenix, explained, “CrowdStrike is there for us 24/7 and gives more flexibility for my team to take time off as the company really has our back.”

Partnering with a managed threat hunting service also addresses the challenge of recruiting and maintaining a suitably skilled and experienced workforce in an industry facing significant staffing shortages that can put organizations at increased risk of cyberattack. Falcon OverWatch managed threat hunting provides immediate access to the skills organizations need to secure their environments with flexibility to scale, and also immediate value with comprehensive visibility upon rollout — in fact, Falcon OverWatch often detects pre-existing intrusions during deployment to a new customer environment.

Watch this short video to see how Falcon OverWatch proactively hunts for threats in your environment. 

Is your threat hunting team efficient and effective?

True threat hunting must be human-driven, because human ingenuity is needed to accurately discern the patterns of malicious hands-on intrusions from otherwise legitimate user activity. However, for a human-driven solution to be able to scale effectively, it needs to work synergistically with technology and process so threat hunters can focus their attention on the data that matters — and ignore the data that doesn’t.

Over years of service, Falcon OverWatch has built a library of unique behavioral indicators, each curated and continuously fine-tuned to surface the faintest signals of potentially malicious activity. These behavioral indicators, called hunting leads, have no fidelity on their own. However, when viewed through the lens of Falcon OverWatch’s proprietary tooling and contextualized by expert threat hunters, they enable the visualization of “bursts” of activity indicative of potentially malicious activity. 

Every year, Falcon OverWatch sees approximately 2.8 million hunting leads in the average customer environment. Only a small proportion of these will be found to be linked to malicious activity, but all of them must be assessed, contextualized and prioritized to ensure even the faintest signal of malicious activity isn’t missed. To conduct these reviews quickly and at scale, Falcon OverWatch leverages a suite of proprietary tooling, including seven patented tools, to distill this vast sea of data and return just a fraction of that data — classified, grouped and graphically represented for hunters to sift through. 

By contrast, an in-house threat hunting function would need to sift through thousands, if not millions, of hunting leads before being able to investigate or analyze any potentially malicious activity. What’s more, customers reported that investigating potentially malicious findings takes an average of 45 minutes. 

The speed and efficiency of Falcon OverWatch’s finely tuned technology ensures human-led investigations begin rapidly and can provide near real-time insight into the threats in a customer’s environment. This is crucial in hands-on intrusions, where minutes matter. Falcon OverWatch saves significant time in both analysis of leads and investigation of potential threats, affording customers more time to remediate identified threats before an adversary can embed too deeply or carry out their intrusion objectives. 

Falcon OverWatch technology also helps free up threat hunters to undertake proactive and experimental approaches to uncovering novel adversary activity, building knowledge of the latest adversary tradecraft, and contributing to hundreds of new behavioral-based preventions for the CrowdStrike Falcon® platform every year. 

Just as too much data can challenge in-house threat hunting, so too can too little data. A large dataset provides a real-time global baseline of expected activity and unparalleled visibility of anomalous activity. Being part of an expansive ecosystem, Falcon OverWatch customers benefit from community immunity. Threat hunting findings at one organization are immediately fed back into hunting workflows and used to fine-tune detections. This scale of visibility and insight is impossible to replicate at the organizational level.

Does your threat hunting team position your organization as having strong cybersecurity?

Consumers and businesses are increasingly sensitive to the risk they accept every time they interact with a new organization. Effective cybersecurity is now part of the equation when assessing the suitability of an organization as a vendor or partner.

A 2021 survey of global IT leaders found that 84% of those surveyed believed that software supply chain attacks have the potential to become one of the biggest cyber threats to organizations like theirs within the next three years. Meanwhile, the Thales 2022 Consumer Digital Trust Index survey found that 1 in 5 consumers stopped using a company after it suffered a data breach.

Having a strong security posture, including effective threat hunting against novel threats, is crucial to building goodwill with discerning consumers and partners. Working with an independently recognized leader in threat hunting helps show that your organization prioritizes the security of your data and the data of your customers and constituents. 

Stefano Libriani, CIO at Europe Energy, has seen firsthand the value of partnering with a recognized security leader: 

“One of the biggest advantages of the partnership has been using the CrowdStrike brand to reinforce ours. We can now demonstrate to our customers and other stakeholders that by deploying CrowdStrike — one of the best and well-known security solutions on the market — we are protecting them and their data even more effectively and robustly than ever before.”

To maintain this credibility and reputation, CrowdStrike routinely submits its products and services to independent evaluations. CrowdStrike recently achieved the highest detection coverage in the first-ever closed-book MITRE ATT&CK® Evaluations for Security Service Providers. The Falcon platform’s integration of industry-leading technology and human expertise enabled us to deliver complete coverage, detecting 75 of 76 adversary techniques.

Why Your Organization Should Prioritize Threat Hunting

The only certainty in cybersecurity is that new threats are always imminent. Organizations can no longer be excused for being caught off guard from failing to proactively address the risk of novel or sophisticated attacks.

Partnering with a reputable managed threat hunting service will drive more value from your security investments, immediately allowing your organization to:

  • Benefit from a highly skilled and instantly deployable workforce. 
  • Remove the overhead of recruiting and training new staff in a tight labor market. 
  • Gain herd immunity derived from being part of a global security ecosystem to sooner protect your organization from novel threats. 
  • Protect its reputation and ensure it remains trusted by customers and partners alike.

If you have any hesitation about investing in threat hunting, consider this: A failure to detect a threat might come at an even higher price. 

Additional Resources

December 2022 Patch Tuesday: 10 Critical CVEs, One Zero-Day, One Under Active Attack

14 December 2022 at 19:37

Microsoft has released 49 security patches for its December 2022 Patch Tuesday rollout. Of these, 10 vulnerabilities are rated Critical, two are rated Medium and the rest are rated Important. DirectX Graphics Kernel Elevation of Privilege Vulnerability (CVE-2022-44710) is listed as publicly known while Windows SmartScreen Security Feature Bypass Vulnerability (CVE-2022-44698) is listed as actively exploited at the time of release.

CVE-2022-44698 has a 5.4 CVSS. For this bug, a file could be created to circumvent the Mark of the Web detection and therefore bypass security features such as Protected View in Microsoft Office. Considering how many phishing attacks rely on end users working with attachments, these protections are essential to preventing malware and other attacks. 

December 2022 Risk Analysis

This month’s leading risk type is remote code execution at 47%, almost double compared with the November Patch Tuesday release, followed by elevation of privilege at 33% (compared to 40% the previous month). The remaining categories make up 6% or less.

Figure 1. Breakdown of December 2022 Patch Tuesday attack types

The Microsoft Windows product family received the most patches this month (29), followed by Extended Support Updates (16) and Microsoft Office products (14).

Figure 2. Breakdown of product families affected by December 2022 Patch Tuesday

This month, threat actors continued to exploit the vast attack surface that is Windows Print Spooler, now affected by two new bugs. We’ve seen plenty of new patches since PrintNightmare — perhaps we will continue to see new print spooler vulnerabilities in 2023. CVE-2022-44678 and CVE-2022-44681, which have a CVSS of 7.8 and a rating of Important, are being addressed this month. In both cases, the attack vector is Local and user interaction is not required.

Rank CVSS Score CVE Description
Important 7.8 CVE-2022-44678 Windows Print Spooler Elevation of Privilege Vulnerability
Important 7.8 CVE-2022-44681 Windows Print Spooler Elevation of Privilege Vulnerability

Figure 3. Print Spooler vulnerabilities patched in December 2022

See for yourself how the industry-leading CrowdStrike Falcon platform protects against modern threats. Start your 15-day free trial today.

Critical Bugs Affect SSTP, PowerShell and SharePoint Server

For this month’s release, the Critical vulnerability affecting PowerShell stands out. A PowerShell remote code execution vulnerability (CVE-2022-41076) could allow an authenticated user to escape the PowerShell remoting session configuration and run unapproved commands on the targeted system. This could allow threat actors using tools already on a system to maintain access and move laterally throughout the network. 

Next we have two SharePoint server Critical vulnerabilities (CVE-2022-44690 and CVE-2022-44693) both with a CVSS of 8.8 — the highest for this month. In a network-based attack, an authenticated attacker with Manage Lists permissions could execute code remotely on the SharePoint server, gaining the capability to create and delete lists, add or remove columns in a list, and add or remove public views of a list. The attacker must be authenticated to the target site, with the permission to use Manage Lists within SharePoint.

As listed in Figure 4, there are also two Critical vulnerabilities affecting Secure Socket Tunneling Protocol (SSTP). CVE-2022-44670 and CVE-2022-44676 could allow a remote, unauthenticated attacker to execute code on an affected system by sending a specially crafted connection request to a server with the RAS Server role enabled. If you aren’t using this service, consider disabling it, and if you are using it, we suggest applying the patches promptly.

Rank CVSS Score CVE Description
Critical 8.8 CVE-2022-44690 Microsoft SharePoint Server Remote Code Execution Vulnerability
Critical 8.8 CVE-2022-44693 Microsoft SharePoint Server Remote Code Execution Vulnerability
Critical 8.5 CVE-2022-41076 PowerShell Remote Code Execution Vulnerability
Critical 8.1 CVE-2022-44670 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
Critical 8.1 CVE-2022-44676 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability

Figure 4. Critical vulnerabilities in SSTP, PowerShell and SharePoint Server, December 2022

Other Important Vulnerabilities to Consider

Email client vulnerabilities are not commonly highlighted or considered Critical but CVE-2022-44713, a Microsoft Outlook for Mac spoofing vulnerability, warrants special attention. This bug could enable an attacker to appear as a trusted user when they should not be. This could cause a user to mistakenly trust a signed email message as if it came from a legitimate user. Next on our list is CVE-2022-44704, a Microsoft Windows Sysmon elevation of privilege vulnerability, which could allow a locally authenticated attacker to manipulate information on the Sysinternals services to achieve elevation from local user to SYSTEM admin.

Two Windows kernel bugs are also getting addressed this month. The first, CVE-2022-44683 with a CVSS of 7.8, could be used to elevate privileges to SYSTEM assigned integrity level. Denial of service vulnerability CVE-2022-44707, with CVSS of 6.5, could cause a system to crash, making it inaccessible to its intended users.

Rank CVSS Score CVE Description
Important 7.5 CVE-2022-44713 Microsoft Outlook for Mac Spoofing Vulnerability
Important 7.8 CVE-2022-44704 Microsoft Windows Sysmon Elevation of Privilege Vulnerability
Important 7.8 CVE-2022-44683 Windows Kernel Elevation of Privilege Vulnerability
Important 6.5 CVE-2022-44707 Windows Kernel Denial of Service Vulnerability

Figure 5. Important vulnerabilities to consider, December 2022

Review Your Mitigation Strategy Before 2022 Ends

With only a couple of weeks left in 2022, it’s important to review your strategy and make sure it integrates with the broader organization’s security goals, not just within security operations. Security and operations teams need layered security and tools that help prevent, detect and identify vulnerabilities and guide them through their patching and assessment process. A fresh and up-to-date mitigation strategy will help to reduce the areas of opportunity for attackers, helping your organization remain as secure as possible and prevent any potential breach.

Learn More

This video on CrowdStrike Falcon Spotlight™ vulnerability management shows how you can quickly monitor and prioritize vulnerabilities within the systems and applications in your organization. 

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article

Additional Resources