Someone bypassed Crowdstrike Falcon

The answer depends on the view of the person giving you the answer. If it is a CS employee or marketing person, they will tell you that the “EDR component would have spotted it”, never mind the fact that EDR is a pay-to-play add-on, so for most organizations that statement is bull and more of an up-sell op than anything else. If you are a blue-teamer and you have eyes on glass, you will see something, but it depends solely on the configuration of policies for that machine… so you better have someone looking at the console monitoring specifically for that activity AND you better have the machine in a policy that doesn’t cripple the machine.

As mentioned in the beginning of the article, Crowdstrike monitors Living-off-the-Land techniques and does really well, like really well; however, it really doesn’t matter if there is priv-esc or not. Crowdstrike runs at System. Any attempt to tamper with it (even if you elevated to System) sends an alarm. System making a call to some weird binary? Alarm. System making a lateral connection? Alarm. System ripping apart the SAM database or calling other shell code? Recorded and a potential alarm.

There is only one other tool I know that records even better than CS, and that is Digital Guardian; that agent is loaded with the kernel, yet their EDR solution is meh (though they place with CS according to Gartner). Ultimately, at the end of the day though, unless you have the bodies to look through all of the alarms, it really doesn’t matter what steps were taken next.
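The reply above describes three behaviours the sensor alarms on (tampering with the agent even from System, System launching an unexpected binary, System opening a lateral connection) and stresses that what the console actually shows depends on the host's policy. The following is an added illustration, not CrowdStrike code or anything from the original reply: a small rule set over constructed endpoint telemetry, with a policy object whose toggles model a "crippled" policy. The service name `edr-sensor`, the `Policy` fields, the allowed directories and every event are assumptions made for the example.

```python
"""Minimal EDR-style detection rules over constructed endpoint telemetry.

Added illustration (not the vendor's code): models tamper-with-sensor,
SYSTEM-launches-unexpected-binary and SYSTEM-lateral-connection alerts,
and shows how a per-host policy decides which of them ever reach the console.
All event data, the sensor name and the policy fields are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address
import re

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
SENSOR_SERVICE = "edr-sensor"  # hypothetical sensor service name
LATERAL_PORTS = {135, 139, 445, 3389, 5985, 5986}  # RPC / SMB / RDP / WinRM


@dataclass
class Policy:
    """Per-host detection policy (hypothetical fields). Every alert below is
    gated on a toggle, which is why 'would it have alerted?' depends on the
    policy the machine sits in, not just on what the attacker did."""
    alert_tamper: bool = True
    alert_unexpected_binary: bool = True
    alert_lateral: bool = True
    allowed_dirs: tuple = (
        "c:\\windows\\system32\\",
        "c:\\windows\\syswow64\\",
        "c:\\program files\\",
    )


# A service-control verb followed by the sensor's service name on one command line.
TAMPER_RE = re.compile(
    r"\b(stop|delete|uninstall|config)\b.*\b" + re.escape(SENSOR_SERVICE) + r"\b",
    re.IGNORECASE,
)


def is_tamper(ev):
    """Tamper attempts fire regardless of user: elevating to SYSTEM does not help."""
    return ev["type"] == "process" and bool(TAMPER_RE.search(ev.get("cmdline", "")))


def is_unexpected_system_binary(ev, policy):
    """SYSTEM executing an image outside the policy's allowed directories."""
    if ev["type"] != "process" or ev["user"] != SYSTEM_USER:
        return False
    image = ev["image"].lower()
    return not any(image.startswith(d) for d in policy.allowed_dirs)


def is_lateral_from_system(ev):
    """SYSTEM talking to a non-loopback host on an admin/lateral-movement port."""
    if ev["type"] != "network" or ev["user"] != SYSTEM_USER:
        return False
    dst = ip_address(ev["dst"])
    return not dst.is_loopback and ev["dport"] in LATERAL_PORTS


def evaluate(events, policy):
    """Return (event index, rule name) pairs the console would show under this policy."""
    alerts = []
    for i, ev in enumerate(events):
        if policy.alert_tamper and is_tamper(ev):
            alerts.append((i, "sensor-tamper"))
        if policy.alert_unexpected_binary and is_unexpected_system_binary(ev, policy):
            alerts.append((i, "system-unexpected-binary"))
        if policy.alert_lateral and is_lateral_from_system(ev):
            alerts.append((i, "system-lateral-connection"))
    return alerts


SAMPLE_EVENTS = [  # constructed telemetry, not a real capture
    {"type": "process", "user": SYSTEM_USER,
     "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process", "user": SYSTEM_USER,
     "image": "C:\\Windows\\System32\\sc.exe", "cmdline": "sc stop edr-sensor"},
    {"type": "process", "user": SYSTEM_USER,
     "image": "C:\\Users\\Public\\update.exe", "cmdline": "update.exe /silent"},
    {"type": "network", "user": SYSTEM_USER, "dst": "127.0.0.1", "dport": 445},
    {"type": "network", "user": SYSTEM_USER, "dst": "10.0.0.25", "dport": 445},
    {"type": "network", "user": "CORP\\alice", "dst": "10.0.0.25", "dport": 445},
]

if __name__ == "__main__":
    print("full policy:", evaluate(SAMPLE_EVENTS, Policy()))
    crippled = Policy(alert_unexpected_binary=False, alert_lateral=False)
    print("crippled policy:", evaluate(SAMPLE_EVENTS, crippled))
```

With the default policy the three suspicious events surface (the service-stop command line, the SYSTEM launch from a user-writable directory, and the SYSTEM-to-host SMB connection), while the loopback connection and the non-SYSTEM user's connection do not. Under the crippled policy only the tamper alert remains, which is the point the reply makes: the same telemetry is recorded either way, but what anyone watching the console sees is a policy decision.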