From The Front Lines

Adversaries have long used social engineering to trick their victims into providing access or information not available to the public. Social engineering continues to prove effective and will likely b[…]

ALPHA SPIDER is the adversary behind the development and operation of the Alphv ransomware as a service (RaaS). Over the last year, ALPHA SPIDER affiliates have been leveraging a variety of novel tech[…]

The CrowdStrike Incident Response Executive Preparation Checklist is a template to help organizations consider the roles of their executives before, during and after an incident. CrowdStrike tabletop […]

VANGUARD PANDA Background On May 24, 2023, industry and government sources detailed China-nexus activity in which the threat actor dubbed Volt Typhoon targeted U.S.-based critical infrastructure entit[…]

On June 15, 2023, Progress Software announced a critical vulnerability in the MOVEit file transfer software (CVE-2023-35708). This was the third vulnerability impacting the file transfer software (May[…]

Japan, known for its innovation and efficiency, is a globally recognized industry leader. This puts Japan-based organizations at risk of being recognized as potentially valuable targets by both crimin[…]

Summary Points Organizations around the globe continue to experience the fallout of the MOVEit Transfer exploit CVE-2023-34362 CrowdStrike incident responders have identified evidence of mass file exf[…]

Most hunting enthusiasts agree that the thrill of hunting lies in the chase. Equipped with experience and tools of their trade, hunters skillfully search for signs of prey — a broken twig, a track in […]

Self-extracting (SFX) archive files have long served the legitimate purpose of easily sharing compressed files with someone who lacks the software to decompress and view the contents of a regular arch[…]

CrowdStrike has discovered the first-ever Dero cryptojacking operation targeting Kubernetes infrastructure. Dero is a cryptocurrency that claims to offer improved privacy, anonymity and higher and fas[…]

After dissecting a full year’s worth of interactive intrusion data, the CrowdStrike® Falcon OverWatch™ Elite team has identified the most commonly abused living-off-the-land binaries — and distilled t[…]

CrowdStrike Services identified a novel technique used by threat actors that escapes typical containment practices and permits persistence in victim AWS environments. The technique requires that the a[…]

Adversaries continue to find new and innovative ways to penetrate an organization’s defenses. Defenders who focus on plugging these holes can find themselves exhausted and frustrated. Hunting for adve[…]

Dynamic link library (DLL) hijacking is frequently written about by defenders due to its applications in evading automated detections. This technique is even more frequently used by adversaries in int[…]

In Part 1 of this blog series, we highlighted the benefits of CrowdStrike’s investigative approach and the CrowdStrike Falcon® Real Time Response capabilities for avoiding a significant incident in th[…]

Timing is everything when it comes to responding and recovering from a widespread, destructive attack. As threat actors operate undetected across a victim network and get deeper into the attack lifecy[…]

CrowdStrike recently discovered a new exploit method (called OWASSRF) consisting of CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access (OWA). The new e[…]

When the CrowdStrike Services team conducts a proactive security engagement, such as a Cybersecurity Maturity Assessment or Tabletop Exercise, it often uses CrowdStrike Falcon® Spotlight to identify w[…]

CrowdStrike Services reviews a recent, extremely persistent intrusion campaign targeting telecommunications and business process outsourcing (BPO) companies and outlines how organizations can defend a[…]

CrowdStrike Falcon OverWatch™ threat hunters frequently uncover security testing activity in the course of routine hunting. While much of this activity can be confidently attributed to planned and san[…]

11/1 UPDATE Additional details and mitigating patches are now available on OpenSSL’s website. Two CVEs have been published: CVE-2022-3602 (buffer overflow with potential for remote code execution) and[…]

The rapid proliferation of cloud technology has empowered organizations to meet complex challenges with innovative solutions. This flexibility, however, is the antithesis of security — each new cloud […]

The CrowdStrike Falcon® Complete™ managed detection and response (MDR) team recently uncovered a creative and opportunistic interpretation of a watering hole attack that leverages GitHub to gain acces[…]

The CrowdStrike Falcon® platform, leveraging a combination of advanced machine learning and artificial intelligence, identified a new supply chain attack during the installation of a chat-based custom[…]

Another turbulent year for cybersecurity finds itself right at home alongside global economic headwinds and geopolitical tensions. This year has been defined by rampant affiliate activity, a seemingly[…]

Impacket, an open source collection of Python modules for manipulating network protocols, contains several tools for remote service execution, Windows credential dumping, packet sniffing and Kerberos […]

The threat presented by today’s adversaries is as pervasive as it is dangerous — eCrime and state-nexus actors alike are attempting to infiltrate companies and organizations of all sizes and across al[…]

CrowdStrike Services recently performed an investigation that identified a compromised Mitel VOIP appliance as the threat actor’s entry point. The threat actor performed a novel remote code execution […]

When a breach occurs, time is of the essence. The decisions you make about whom to collaborate with and how to respond will determine how much impact the incident is going to have on your business ope[…]

CVE-2022-30190, aka Follina, was published by @nao_sec on Twitter on May 27, 2022 — the start of Memorial Day weekend in the U.S. — highlighting once again the need for round-the-clock cybersecurity c[…]

An adversary’s ability to live off the land — relying on the operating system’s built-in tooling and user-installed legitimate software rather than tooling that must be brought in — may allow them to […]

The security landscape is constantly developing to provide easier ways to establish endpoint visibility across networks through the use of endpoint detection and response (EDR) utilities. However, cer[…]

The CrowdStrike Falcon® OverWatch™ proactive threat hunting team has uncovered a sophisticated .NET-based post-exploitation framework, dubbed IceApple. Since OverWatch’s first detection in late 2021, […]

Container and cloud-based resources are being abused to deploy disruptive tools. The use of compromised infrastructure has far-reaching consequences for organizations who may unwittingly be participat[…]

Every security professional dreads “The Phone Call.” The one at 2 a.m. where the tired voice of a security analyst on the other end of the line shares information that is soon drowned out by your hear[…]

Multiple investigations and testing by the CrowdStrike Services team identified inconsistencies in Azure AD sign-in logs that incorrectly showed successful logins via Internet Mail Access Protocol (IM[…]

In an effort to stay ahead of improvements in automated detections and preventions, adversary groups continually look to new tactics, techniques and procedures (TTPs), and new tooling to progress thei[…]

Over recent months, the CrowdStrike Falcon® OverWatch™ team has tracked an ongoing, widespread intrusion campaign leveraging bundled .msi installers to trick victims into downloading malicious payload[…]

The CrowdStrike Falcon OverWatch™ 2021 Threat Hunting Report details the interactive intrusion activity observed by hunters from July 2020 to June 2021. While the report brings to light some of the ne[…]

In November 2021, a vulnerability was discovered in a ubiquitous Linux module named Polkit. Developed by Red Hat, Polkit facilitates the communication between privileged and unprivileged processes on […]

StellarParticle is a campaign tracked by CrowdStrike as related to the SUNSPOT implant from the SolarWinds intrusion in December 2020 and associated with COZY BEAR (aka APT29, "The Dukes"). The Stella[…]

The results from the 2021 Global Security Attitude Survey paint a bleak picture of how organizations globally are feeling about the cybersecurity landscape before them. Organizations are grappling wit[…]

In an incident response investigation, CrowdStrike analysts use multiple data points to parse the facts of who, what, when and how. As part of that fact-finding mission, analysts investigating Windows[…]

The CrowdStrike Incident Response Tracker is a convenient spreadsheet that includes sections to document indicators of compromise, affected accounts, compromised systems and a timeline of significant […]

Following the Dec. 9, 2021, announcement of the Log4j vulnerability, CVE 2021-44228, CrowdStrike Falcon® OverWatch™ has provided customers with unrivaled protection and 24/7/365 vigilance in the face […]

Note: This post first appeared in r/CrowdStrike. First and foremost: if you’re reading this post, I hope you’re doing well and have been able to achieve some semblance of balance between life and work[…]

The recently discovered Log4j vulnerability has serious potential to expose organizations across the globe to a new wave of cybersecurity risks as threat actors look to exploit this latest vulnerabili[…]

The Log4j vulnerability burst onto the scene just a few weeks ago, but to many defenders it already feels like a lifetime. It has rapidly become one of the top concerns for security teams in 2021, and[…]

CrowdStrike Falcon OverWatch™ recently released its annual threat hunting report, detailing the interactive intrusion activity observed by hunters over the course of the past year. The tactics, techni[…]

CrowdStrike Incident Response teams leverage Falcon Identity Threat Detection (ITD) for Microsoft Active Directory (AD) and Azure AD account authentication visibility, credential hygiene and multifact[…]

The breadth and depth of data available to CrowdStrike Falcon OverWatch™ threat hunters has the potential to be a double-edged sword. On one side, the wealth of data gives hunters the comprehensive vi[…]

Throughout 2021, the CrowdStrike Falcon OverWatch™ team has observed the volume of cryptojacking intrusions more than quadruple compared to 2020. ECrime adversaries are using cryptojacking as a means […]

CrowdStrike Falcon OverWatch™ recently released its annual threat hunting report, detailing the interactive intrusion activity observed by hunters over the course of the past year. Intrusions against […]

For a defender, time is critical. As CrowdStrike Falcon® OverWatch™ threat hunters know firsthand, adversaries can move from initial access to lateral movement in just minutes. This blog and the real […]

This blog describes how the CrowdStrike Falcon® Complete™ team quickly responded to a recent campaign involving the SolarWinds Serv-U product exploitation. SolarWinds issued a public notice of the vul[…]

LightBasin (aka UNC1945) is an activity cluster that has been consistently targeting the telecommunications sector at a global scale since at least 2016, leveraging custom tools and an in-depth knowle[…]

Today’s security defenders are faced with a continuously evolving battleground. The number of security vulnerabilities uncovered annually has grown every year for the past four years. Moreover, advers[…]

The race between hunter and hunted is defined as much by stealth as it is by speed. In Part 2 of this two-part blog series, we dive into why having hunters immersed full time in the threat hunting mis[…]

Performing memory analysis in incident response investigations can be tedious and challenging because of the lack of commercial options for processing memory samples, no all-in-one open-source tools t[…]

There is an endless struggle between hunters and adversaries. As soon as hunters shine a light on the latest malicious activities, adversaries pivot and find a new way to hide in the shadows. Indeed, […]

Since September 2019, Falcon OverWatch™ has been tracking an as yet unattributed actor, conducting targeted operations against organizations within the Asia Pacific (APAC) semiconductor industry. Crow[…]

This time last year, the CrowdStrike Falcon® OverWatch™ reported on mounting cyber threats facing organizations as they raced to adopt work-from-home practices and adapt to constraints imposed by the […]

The security operations center, or SOC, is the heart and soul of an enterprise that identifies, investigates and remediates security threats. However, modern-day threats continue to evolve, making it […]

This is Part 2 of a three-part blog series. Read Part 1 and Part 3. CrowdStrike has observed a significant increase in eCrime actors targeting VMware ESXi hypervisors with ransomware since our Februar[…]

Two severe Windows NT LAN Manager (NTLM) vulnerabilities were recently disclosed: PetitPotam and AD-CS relay (specifically ESC8). These vulnerabilities follow a pattern of NTLM issues in recent years.[…]

The Advanced Research Team at CrowdStrike Intelligence discovered two vulnerabilities in SonicWall Global Management System 9.3 (GMS) that, when combined, allow unauthenticated attackers to remotely e[…]

In this blog, we describe a recent incident that highlights the CrowdStrike Falcon® Complete™ managed detection and response team’s ability to act as an extension of our customer’s security team to qu[…]

In this blog, we describe a campaign of recent activity where CrowdStrike observed an actor likely related to CARBON SPIDER performing SQL injections in order to gain code execution as an initial infe[…]

To effectively respond to a cybersecurity incident, having complete visibility into all assets (endpoint devices, applications, user accounts) across your IT estate is a critical success factor for re[…]

Managed service providers (MSPs) provide extremely important and valuable services by assisting organizations with information technology related tasks such as provisioning software or Active Director[…]

CrowdStrike recently observed a ransomware sample borrowing implementations from previous HelloKitty and FiveHands variants and using a Golang packer compiled with the most recent version of Golang (G[…]

The term “threat hunting” is increasingly thrown around the cybersecurity industry as a catch-all for any proactive or human-lead defensive security measures. This is evidenced by the SANS 2020 Threat[…]

In this blog, we describe a string of recent incidents in which the CrowdStrike Falcon® Complete™ team observed a financially motivated eCrime operator (likely WIZARD SPIDER) use compromised external […]

In 2020, CrowdStrike Services observed the continued evolution and proliferation of eCrime adversaries engaging in big game hunting (BGH) ransomware techniques. This trend is continuing into 2021 — a […]

A recent sophisticated phishing campaign that delivers advanced malware is targeting diplomatic and sensitive organizations and think tanks around the world. This activity cluster, tracked by CrowdStr[…]

BLOG UPDATE AUG. 6, 2021: Following further communication with the SonicWall PSIRT, the vulnerability was identified as CVE-2021-20028, affecting End of Life SonicWall VPN Devices running SMA/SRA vers[…]

CrowdStrike predicted in 2020 that the ransomware threat would only worsen, and news reports since have borne this out. Stories of ransomware attacks since the start of May 2021 alone include: DarkSid[…]

Although malvertising has been around for quite a while, it continues to be an effective way to lure unsuspecting users to install malware. In this blog, we describe a clever malvertising campaign tha[…]

Ransomware is becoming increasingly pernicious — recently, the DarkSide attack disrupted a major U.S. fuel pipeline, and soon after another ransomware attack targeted four countries connected with the[…]

This Falcon Complete incident response investigation recap was originally published by IT-daily.net on Apr. 13, 2021. It was late on a Saturday afternoon, and the Southern Hemisphere CrowdStrike Falco[…]

The ongoing ransomware outbreak has led to frequent and significant security incidents at organizations across the globe, such as the recent DarkSide attack that disrupted a major fuel pipeline — one […]

The CrowdStrike Falcon® platform provides CrowdStrike clients with protection from DarkSide ransomware DarkSide is a ransomware as a service (RaaS) associated with an eCrime group tracked by CrowdStri[…]

This blog describes a recent incident that highlights the CrowdStrike Falcon® Complete™ team’s ability to act as an extension of a customer’s security team to quickly detect, triage and contain an act[…]

Hardly a day passes without news of another company, hospital, school district or municipal government temporarily brought to a halt by ransomware. In fact, ransomware attacks have become so commonpla[…]

Ransomware is hardly new, but several recent high-profile cases underscore that it not only remains a persistent threat, it’s also a growing one. The “great pivot” to remote work in 2020 increased the[…]

The “Great Pivot” of 2020, when the global pandemic forced many organizations to allow employees work from anywhere, accelerated both the adoption of cloud technology and support for hybrid working en[…]

This week, Microsoft reported a rare cybersecurity event: an ongoing mass exploitation of Microsoft Exchange servers by an alleged state-sponsored adversary, driven through a variety of zero-day explo[…]

Extended Berkeley Packet Filter, or eBPF, is a fascinating part of the Linux kernel that has seen rapid growth and improvement over the last few years. Originally designed for high-speed packet filter[…]

The academic and education industry is large and complex. It comprises a diverse range of institutions, from elementary schools through to research organizations, and spans both the public and private[…]

In this blog, we take a look at a recent detection that was blocked by the CrowdStrike Falcon®® platform’s next-generation antivirus (NGAV). SolarMarker* backdoor features a multistage, heavily obfusc[…]

The modern IT organization has a wide variety of responsibilities and competing priorities. As a result, cybersecurity is often overlooked in favor of projects that have an immediate impact on busines[…]

A recent article in Dark Reading, “Nowhere to Hide: Don’t Let Your Guard Down This Holiday Season” by CrowdStrike Product Director Scott Taschler, provides ominous warnings of adversary activity and p[…]

When a cybersecurity incident occurs, it can be an overwhelming experience resulting in infected endpoints, data theft, user disruption, extortion and even downtime that causes business interruption. […]

The annual CrowdStrike Services Cyber Front Lines Report released this month shares statistics, trends and themes gleaned from a year’s worth of data and observations by our world-class incident respo[…]

Executive Summary CrowdStrike launches CrowdStrike Reporting Tool for Azure (CRT), a free community tool that will help organizations quickly and easily review excessive permissions in their Azure AD […]

In this blog, we take a look at a recent incident that involved a persistent browser hijacking rootkit dubbed “Spicy Hot Pot.” The name comes from Huorong (Tinder) Security, which first publicly repor[…]

Malware remediation is not always clear-cut. In this blog post, the CrowdStrike® Falcon Complete™ and Endpoint Recovery Services teams take you behind the scenes to highlight just one of numerous chal[…]

The CrowdStrike Services team has issued its latest report: “CrowdStrike Services Cyber Front Lines Report: Observations From the Front Lines of Incident Response and Proactive Services in 2020 and In[…]

Digital transformation initiatives are accelerating the adoption of cloud technologies across industries as organizations look to evolve their business processes and models. CrowdStrike and AWS are wo[…]

Life on the farm isn’t what it used to be. With overall cyberattacks on the rise, even agriculture has found itself in the crosshairs of cyber threat actors. In fact, during the last ten months alone,[…]

In the post-close phase of an M&A transaction, the deal may be done but the job of integration has just begun. From a systems point of view, this means connecting the networks, applications, directori[…]

This is Part 2 of our three-part blog series on the critical importance of cybersecurity in the M&A process. Part 1 addressed due diligence, and in this blog, we cover the pre-close phase. Part 3 disc[…]

COVID-19 has disrupted virtually every aspect of business, and the mergers and acquisitions (M&A) pipeline is no exception. However, while overall M&A activity had fallen by more than 55% year over ye[…]

This blog is the last in a three-part series presenting the CrowdStrike® Falcon Complete™ team’s analysis of the recent QakBot campaigns observed in the wild and outlining a strategy for the remote id[…]

Threat hunting is the discipline of employing human analysts to actively search for and disrupt distinctly human threats. It leverages smart and creative defenders to identify the stealthy techniques […]

This blog is Part 2 of a three-part blog series detailing the reemergence and evolution of QakBot in the spring and summer of 2020. In this installment we cover analysis of the QakBot ZIP-based delive[…]

Adversaries constantly develop new tactics that enhance their capabilities to deploy malware across networked environments and monetize infected systems. This blog is Part 1 of a three-part series det[…]

In recent months, CrowdStrike® Services has observed a continued increase in the use of Cobalt Strike by eCrime and nation-state adversaries to conduct their operations following the initial access to[…]

CrowdStrike® Falcon OverWatch™ has released its new report, 2020 Threat Hunting Report: Insights from the CrowdStrike Falcon® OverWatch Team. Now in its third year, this report continues to pull back […]

In this blog, we describe a recent incident that highlights the CrowdStrike® Falcon Complete™ team’s ability to act as an extension of our customer’s security team to quickly detect, triage and contai[…]

As of macOS 10.12 Sierra, incident responders have been able to turn to a new endpoint log source for investigative answers: the Apple Unified Log (AUL). This log format, standardized across the Apple[…]

In Part 1 of this two-part blog series, we addressed binary exploitation on Windows systems, including some legacy and contemporary mitigations that exploit writers and adversaries must deal with in t[…]

In Part 1 of this two-part “Tales from the Trenches” blog, we examined a stealthy Remote Desktop Protocol (RDP) intrusion uncovered by CrowdStrike® Falcon CompleteTM experts. In this installment, we’l[…]

Welcome to the CrowdStrike® Falcon CompleteTM team’s first “Tales from the Trenches” blog, where we describe a recent intrusion that shows how the Falcon Complete managed detection and response (MDR) […]

Memory corruption exploits have historically been one of the strongest accessories in a good red teamer's toolkit. They present an easy win for offensive security engineers, as well as adversaries, by[…]

Over the past year, CrowdStrike® Services has observed threat actors increasingly targeting macOS environments — and using relatively unsophisticated methods to gain access. Even though workplace macO[…]

Since January 2020, the CrowdStrike® Falcon OverWatch™ managed threat hunting team has observed an escalation in hands-on-keyboard activity. The COVID-19 pandemic has fundamentally shifted the way bus[…]

This is Part 2 in a two-part blog series covering the CrowdStrike® Falcon Complete™ team’s ability to remotely remediate “TrickBot,” a modular trojan that is particularly devastating when paired with […]

The combination of commodity banking malware and ransomware is nothing new in the threat landscape. Adversaries continue to develop new tactics that enhance their capabilities to quickly spread malwar[…]

Companies are increasingly relying on cloud-based infrastructure, especially as more of their employees are working remotely — and may continue to do so. Public, private and hybrid clouds allow access[…]

June 5, 2020 UPDATE Blog update following the release of the testimony by Shawn Henry, CSO and President of CrowdStrike Services, before the House Intelligence Committee that was recently declassified[…]

As organizations deal with newly remote workers and business uncertainty, prevention is more important than ever. Cyberattackers are looking to capitalize on the current climate and seek vulnerabiliti[…]

During a cybersecurity investigation, digital forensics and incident response (DFIR) professionals need to obtain information from different artifacts to determine exactly what has occurred on a machi[…]

With offense-focused methodologies being created around “living off the land” and “bring your own land,” we would like to cover a somewhat overlooked concept: “staying off the land.” This simple conce[…]

In recent weeks and months, the world has witnessed the global COVID-19 pandemic place unprecedented pressure on the healthcare system. Concurrently, the pandemic has been the catalyst for a paradigm […]

Vulnerability and patch management is a decades-old cybersecurity problem, and given the current worldwide pandemic and how nation-state and eCrime adversaries are exploiting it — mitigating vulnerabi[…]

The growing adversary focus on “big game hunting” (BGH) in ransomware attacks — targeting organizations and data that offer a higher potential payout — has sparked a surge in the use of BloodHound, a […]

Your organization is constantly under attack, and every day, adversaries are developing new ways to breach your network. How can you keep them out? You need to know about today’s most common attack te[…]

The cybersecurity landscape is always evolving, but one thing remains constant: Cyber adversaries continue to be relentless and innovative in their efforts to find gaps in your organization’s security[…]

A new report from CrowdStrike® Services titled “Achieving Security Maturity: A Roadmap to Building a Robust Cybersecurity Capability” addresses the three questions organizations must answer if they ar[…]

A new report from CrowdStrike® Services titled “Achieving Security Maturity: A Roadmap to Building a Robust Cybersecurity Capability,” examines the characteristics of a mature cybersecurity program — […]

This blog originally appeared on Nov.20, 2019, as an article in LawyersWeekly.com.au, a site dedicated to independent news, analysis and opinion about the practice of law in Australia. It was written […]

Given the current threat landscape, most organizations will likely encounter a cyber incident at some point, which will require them to respond and manage it effectively. The speed, efficiency and ski[…]

Although the world of mineware is not new to the security industry, it continues to grow as adversaries develop new capabilities to compromise systems and turn them into bots used for mining cryptocur[…]

In Mac OSX Lion (10.7), Apple introduced a feature called “User Interface (UI) Preservation”, intended to save the state of application windows and restore them upon future launches. Like many feature[…]

The CrowdStrike® Falcon OverWatch™ elite threat hunting team has released a new report, The 2019 OverWatch Mid-Year Report: Observations from the Front Lines of Threat Hunting. This is the second year[…]

We sit in a dusty break room, notepads in hand, and nervously watch the corporate IT cybersecurity and industrial operational technology (OT) teams meet one another for the first time. The OT team — c[…]

The tactic of singling out large organizations for high ransom payouts has signaled a shift in the eCrime ecosystem, with a focus on targeted, low-volume, high-return criminal activity. It’s a type of[…]

Parents have an inherent predisposition to believe their children are absolutely beautiful. Even when their children aren't much more than tiny blobs that eat, sleep and cry (read: newborns), parents […]

It happened again a couple months ago; an eerie sense of déjà vu as I read reports about suspected malware-enabled ATM jackpotting in Latin America. I had seen this attack before — not in the headline[…]

This blog shares information on some examples of how the CrowdStrike® Falcon® OverWatch™ team has observed the open-source tool known as Mimikatz being used in the wild – including an unusual use of t[…]

BokBot: Proxy Module This article is a continuation of CrowdStrike’s recent blog, “Digging Into BokBot’s Core Module,” and provides a detailed analysis of the inner workings of the BokBot proxy module[…]

Performing macOS incident response (IR) investigations can be challenging, considering the difficulties in quickly capturing, parsing and analyzing forensic data across disparate affected systems. Rec[…]

\ CrowdStrike® Falcon® detections now align with the MITRE ATT&CK™ framework, a valuable tool that provides consistent, industry-standard terminology for describing and analyzing detections. Sometimes[…]

Threat actors that target eCommerce platforms to skim credit card information from online shoppers are commonly referred to under the umbrella threat actor name “Magecart.” This blog analyzes recently[…]

The security community is quickly adopting the MITRE ATT&CK framework as a standard way to categorize adversary intrusion behavior. However, one of its potential limitations is a lack of historical in[…]

Introduction BokBot, developed and operated by the actor named LUNAR SPIDER, was first observed in 2017 and the CrowdStrike’s Falcon® Overwatch™ and Falcon Intelligence™ teams have analyzed these infe[…]

At the end of September 2018, the CrowdStrike® Falcon OverWatch™ team identified suspicious interactive activity on a Linux host within a customer’s network infrastructure. An unknown actor accessed a[…]

It’s not the disk forensics. It’s not the log analysis. It’s not even the lawyers (we love working with law firms!). It’s the lack of an effective technology deployment strategy. CrowdStrike® Services[…]

Dealing with an active, dedicated adversary during an incident is very different than what many consider the more “traditional” incident response process of finding and removing malware. The tradition[…]

"Continuous integration (CI) is the process of automating the build and testing of code every time a team member commits a change." — Sam Guckenheimer, Microsoft Azure Introduction Jenkins is the lead[…]

The discovery by security researchers in March 2018 of a PDF sample that contains exploits for two zero-day vulnerabilities has confirmed that exploiting PDF readers is still considered a viable attac[…]

For the last two decades or more, cybersecurity and its failures have directly impacted organizations’ bottom lines.The call for boards of directors and C-level executives to take a more active role i[…]

Kovter is a well known form of clickjacking malware that has been around for years. While it is mostly nuisance malware, it incorporates neat tricks that are far more advanced than its use case would […]

Introduction Analysts that perform macOS forensics have had few, if any, artifacts of program execution to rely on during investigations — until now. In macOS 10.13 (High Sierra), Apple introduced Cor[…]

Introduction This blog introduces some of the innovative techniques the CrowdStrike Data Science team is using to address the unique challenges inherent in supporting a solution as robust and comprehe[…]

Update: While this blog post originally covered the Office 365 Activities API, that functionality has been disabled by Microsoft as of Friday, June 6, 2018. However, there are still data sources avail[…]

Introduction This analysis provides an in-depth view of the Samsam ransomware, which is developed and operated by the actor tracked by CrowdStrike® Falcon Intelligence™ as BOSS SPIDER. The infection c[…]

Introduction This blog tells the story of a failed Samba exploitation attempt. The goal was to assess what it would take for an adversary to weaponize publicly disclosed vulnerabilities in Samba. The […]

Defending an organization from today’s sophisticated attacks is no easy task. It often requires security teams to be ready at a moment’s notice to respond to an incident, in addition to managing the d[…]

Cryptocurrencies are in high demand. The usage and monetary value of Bitcoin, Litecoin, Ethereum, and many others have skyrocketed worldwide. The increase in purchasing power and liquidity is driving […]

The much-anticipated CrowdStrike® Cyber Intrusion Services Casebook for 2017 offers detailed accounts of some of the cases the CrowdStrike Services incident response (IR) team has investigated over th[…]

The latest computer flaws to make global headlines are ominously titled “Spectre” and “Meltdown” and they represent a unique breed of trouble, requiring unprecedented industry collaboration and manual[…]

Overview This post continues the technical analysis of the BadRabbit ransomware attacks discussed in Part One of this two-part series. Part One described how BadRabbit uses MS17-010 to both leak a tra[…]

Overview On October 23, 2017, CrowdStrike® became aware of a new type of ransomware called BadRabbit. The initial infection occurred via a drive-by download masquerading as an Adobe Flash update. Once[…]

Overview Recently, CrowdStrike® analyzed the backdoor embedded in the legitimate PC cleaning utility CCleaner version 5.33, as reported in the blog post Protecting the Software Supply Chain: Deep Insi[…]

Update: Due to naming convention consistency in the industry, CrowdStrike is now calling this variant of Petya - NotPetya. Executive Summary This technical analysis is a continuation of the previous t[…]

Update: Due to naming convention consistency in the industry, CrowdStrike is now calling this variant of Petya - NotPetya. Executive Summary This technical analysis provides an in-depth analysis and r[…]

Update: Due to naming convention consistency in the industry, CrowdStrike is now calling this variant of Petya - NotPetya. On June 27 at approximately 10:30 UTC, a new ransomware family began propagat[…]

Internet extortion and “datanapping” have become common occurrences, with increasingly high-profile victims ranging from hospitals to Hollywood studios. A new webcast explores the growth in stealthy e[…]

In a recent CrowdCast webinar, CrowdStrike’s Senior Director of Hunting Operations, Kris Merritt, discusses core problems associated with automating cybersecurity detection and how companies seeking t[…]

With the ongoing need to effectively and quickly detect and respond to attacks, CrowdStrike is excited to release a new version of CrowdResponse. This new update introduces the addition of @Tasks to p[…]

Over the past few months CrowdStrike has conducted several investigations in the hospitality, food services, and gaming industries, helping organizations investigate and remediate attacks by criminal […]

Owning the Image Object File Format, the Compiler Toolchain, and the Operating System As the Windows kernel continues to pursue in its quest for ever-stronger security features and exploit mitigations[…]

As we move through this Red Team vs. Blue Team series, our intent is to provide insight into both sides of the struggle. That said, detecting reconnaissance activity is something that few blue teams s[…]

With the current threat landscape and likelihood of targeted attacks, organizations are dealing with myriad attempts to breach their network on a daily basis. This makes understanding how attackers le[…]

In my previous blog post titled “’You Want Me to Do What?’ A Guide to Interpreting Cybersecurity Recommendations”, we discussed various pitfalls related to interpreting and implementing cybersecurity […]

CrowdStrike recently conducted an investigation for a client operating in the healthcare sector that was subject to an ongoing phishing scam focused on harvesting credentials for cloud email providers[…]

Across all of the nation-state targeted attacks, insider thefts, and criminal enterprises that CrowdStrike has investigated, one thing is clear: logs are extremely important. Event logs from individua[…]

Congratulations! You’ve reached the end of yet another proactive engagement with a security services provider. Now that the engagement is over, what does that mean for you and your business? It usuall[…]

Introduction The Chopper Web shell is a widely used backdoor by Chinese and other malicious actors to remotely access a compromised Web server. Deployment of the Chopper shell on the server is fairly […]

With the ever-increasing need for speed and accuracy for digital investigations and incident response, it is imperative that organizations are able to provide answers quickly. These organizations rely[…]

Intro and Installation A dedicated endpoint monitoring tool is quickly becoming a necessity among organizations to increase visibility, logging, and alerting to combat targeted attacks and commodity m[…]

In our last post, Shawn Henry, president of CrowdStrike Services and sought-after cybersecurity expert, talked with us about cybersecurity trends in 2014 and 2015. In this installment of that conversa[…]

The Adversary Manifesto recently spoke with Shawn Henry, President of CrowdStrike Services about geopolitics and cybersecurity. Henry is a sought-after expert on cybersecurity who was formerly the exe[…]

Adam Meyers runs CrowdStrike's Global Threat Intelligence team and is responsible for creating actionable intelligence that enables customers to understand the who, what, and why of a targeted attack.[…]

Disclaimer: CrowdStrike derived this information from investigations in non-classified environments. Since we value our client's privacy and interests, some data has been redacted or sanitized. In pre[…]

Disclaimer: CrowdStrike derived this information from investigations in non-classified environments. Since we value our clients’ privacy and interests, some data has been redacted or sanitized. In our[…]

Disclaimer: CrowdStrike derived this information from investigations in non-classified environments. Since we value our client's privacy and interests, some data has been redacted or sanitized. Crowds[…]