CrowdStrike’s Advanced Memory Scanning Stops Threat Actor
Matt Weiner, Sean Pagano, Shaun Hurley
Case Study from the Field

A recent intrusion at a telecommunications customer demonstrates the effectiveness of the Falcon platform at alerting on a pre-existing compromise, as well as on multiple attempts by the threat actor to move laterally across the network, establish new persistence and gain a foothold via the commercial red-teaming and adversarial attack simulation tool Brute Ratel C4 (BRc4).

When the threat actor attempted to use BRc4, the Falcon platform's detection capability prevented the malicious activity, allowing the CrowdStrike® Falcon OverWatch™ managed threat hunting team and the CrowdStrike Falcon® Complete managed detection and response (MDR) team to secure the endpoint and analyze the adversary's tactics, techniques and procedures (TTPs).

BRc4 was designed to incorporate, by default, features that avoid detection by EDR and antivirus (AV) capabilities, and it deploys agents called “Badgers” to facilitate an adversary’s objectives across the entire kill chain, including lateral movement, privilege escalation and persistence (https://attack.mitre.org/software/S1063/).
Investigation identified related intrusion activity on another endpoint five days earlier, where the Falcon platform had detected a cluster of suspicious operations, including indicators of reconnaissance via a webshell, copying of malicious binaries to the endpoint, and attempts at persistence via registry modifications.

Using valid credentials (T1078.002), the threat actor then copied several binaries to a sub-directory of %APPDATALOCAL%: Microsoft Windows netsh.exe, a malicious DLL (packed with VMProtect) masquerading as a legitimate copy of Microsoft’s ifmon.dll, and an encoded BRc4 Badger v1.6 payload, cache.dat.

Figure: comparison of the file metadata of the malicious ifmon.dll (left) and the non-malicious ifmon.dll (right).
Finally, the threat actor executed netsh.exe, which forced the malicious ifmon.dll to be loaded into process memory via DLL sideloading (T1574.002).

Figure: prevented reg.exe persistence and netsh.exe DLL sideload of the BRc4 loader.
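The sideload described above leaves a simple trace in host telemetry: a copy of netsh.exe running from a user-profile directory and loading a DLL named ifmon.dll from that same directory instead of the Windows system folder. The following Python is an added example written for this page; it is not CrowdStrike's code or Falcon logic. It assumes a minimal image-load event shape (loading process path, loaded DLL path), a hypothetical table pairing netsh.exe with the system DLL it is expected to load (populated here only with ifmon.dll from the case study), and a trusted-directory list limited to System32 and SysWOW64; the sample events are constructed.

```python
"""Flag a Windows system DLL being side-loaded from outside the system folders.

Added example, not CrowdStrike's code. The detection is deliberately narrow:
it only looks at processes listed in EXPECTED_SYSTEM_DLLS and the DLL names
paired with them, and reports when either the DLL or the process itself lives
outside a trusted Windows directory.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: a defender would fill this table from their own baseline.
# The netsh.exe -> ifmon.dll pairing is taken from the case study.
EXPECTED_SYSTEM_DLLS = {
    "netsh.exe": {"ifmon.dll"},
}

# Directories from which these system DLLs are legitimately loaded (lower-cased).
TRUSTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}


@dataclass(frozen=True)
class ImageLoad:
    """One image-load event: which process loaded which DLL."""
    process: str  # full path of the loading process image
    image: str    # full path of the loaded DLL


def parent_dir(path: str) -> str:
    """Lower-cased parent directory of a Windows path, e.g. 'c:\\windows\\system32'."""
    return str(PureWindowsPath(path.lower()).parent)


def in_trusted_dir(path: str) -> bool:
    return parent_dir(path) in TRUSTED_DIRS


def findings_for(event: ImageLoad) -> list[str]:
    """Return human-readable findings for one event (empty list if benign)."""
    proc_name = PureWindowsPath(event.process).name.lower()
    dll_name = PureWindowsPath(event.image).name.lower()

    expected = EXPECTED_SYSTEM_DLLS.get(proc_name)
    if expected is None or dll_name not in expected:
        return []  # not a process/DLL pair this rule covers

    findings = []
    if not in_trusted_dir(event.image):
        findings.append(
            f"sideload: {proc_name} loaded {dll_name} from {parent_dir(event.image)}"
        )
    if not in_trusted_dir(event.process):
        findings.append(
            f"relocated system binary: {proc_name} running from {parent_dir(event.process)}"
        )
    return findings


def scan(events: list[ImageLoad]) -> dict[int, list[str]]:
    """Map event index -> findings, keeping only events that produced findings."""
    result = {}
    for idx, event in enumerate(events):
        hits = findings_for(event)
        if hits:
            result[idx] = hits
    return result


# Constructed sample events (not real telemetry from the intrusion).
SAMPLE_EVENTS = [
    # 0: normal netsh.exe loading ifmon.dll from System32 -> benign
    ImageLoad(r"C:\Windows\System32\netsh.exe", r"C:\Windows\System32\ifmon.dll"),
    # 1: copied netsh.exe loading a look-alike ifmon.dll from a user-profile sub-directory
    ImageLoad(r"C:\Users\jdoe\AppData\Local\Temp\upd\netsh.exe",
              r"C:\Users\jdoe\AppData\Local\Temp\upd\ifmon.dll"),
    # 2: unrelated process, not covered by the rule
    ImageLoad(r"C:\Program Files\Example\app.exe", r"C:\Program Files\Example\helper.dll"),
]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        for hit in hits:
            print(f"event {idx}: {hit}")
```

Only event 1 is reported, with two findings: the DLL was loaded from the user-profile directory, and the loading netsh.exe is itself running from that directory. The rule says nothing about what the DLL does once loaded; that is where memory scanning of the resulting process, as the post goes on to describe, complements a path-based check.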
How CrowdStrike Is Protecting You

As EDR solutions increasingly cover fileless attacks and suspicious Windows API usage, attacker behavior is constantly evolving to implement alternative Reflective Code Loading (T1620) and Process Injection (T1055) methods.

Read about a CrowdStrike Falcon feature, Hardware Enhanced Exploit Detection, that leverages a CPU feature, Intel Processor Trace (Intel PT), to detect and prevent code reuse exploits: CrowdStrike Strengthens Exploit Protection Using Intel CPU Telemetry.
Link: https://www.crowdstrike.com/blog/crowdstrikes-advanced-memory-scanning-stops-threat-actor/