Dealing with an active, dedicated adversary during an incident is very different from what many consider the more “traditional” incident response process of finding and removing malware. The traditional approach to incident response has been to remove the malware, or to go as far as re-imaging the system and placing it back into service in a “known-clean” state.
However, dedicated adversaries are adept at persisting within a compromised infrastructure, and because of this the speed at which organizations detect and respond to these threats is critical. Even moderately skilled adversaries can prove to be tenacious, based on activity observed by CrowdStrike® Falcon® OverWatch™ threat hunters.
An incident from October 2018 provided insight into the mindset of an adversary whose tool deployment activities were prevented by Falcon, and who was subsequently observed conducting troubleshooting steps in an attempt to expand their beachhead and carry out their mission objectives.
Expanding Foothold
In one instance, OverWatch analysts identified triggered hunting leads indicating the presence of a persistent adversary. In this case, attempts by the adversary to expand their foothold were inhibited by Falcon Prevent™, CrowdStrike’s next-generation antivirus (NGAV) solution, which blocked the second-stage download of a remote access Trojan (RAT). Malicious activity was disrupted for several months until the adversary returned to the network, this time using PowerShell to connect to their command and control (C2) infrastructure. Although the adversary was able to ping their C2 server, repeated attempts to use PowerShell commands to download additional implants were also prevented by Falcon, blocking the adversary from expanding their foothold.
Try, Try Again
At that point, it clearly dawned on the attackers that some sort of local security control was interfering with their attempts to connect to their C2 infrastructure via PowerShell, and OverWatch analysts observed the adversary attempting to disable security applications. The adversary first used PowerShell commands to attempt to disable Windows Defender’s real-time monitoring capability, then attempted to uninstall Windows Defender. The adversary then used the native Windows msiexec.exe application to try to uninstall variants of a major antivirus (AV) application, using two dozen different globally unique identifiers (GUIDs) associated with that product line. OverWatch analysts saw a single attempt to discern whether a specific security application was installed on the host; however, it was not the same application as the major AV product. At that point, showing increasing signs of frustration, the adversary took a “shotgun” approach to the uninstall process, which was both noisy and ineffective. This is likely because, although it was Falcon that was blocking their attempts to connect to their C2 infrastructure, they believed other security products were responsible.
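The sequence described above (PowerShell tampering with Windows Defender, followed by a burst of msiexec uninstalls against many product GUIDs) is noisy enough that it can be detected from ordinary process-creation telemetry. The following is an added example, not CrowdStrike’s or Falcon’s code, that runs a few hypothetical rules over constructed log lines and raises a separate alert when one host attempts uninstalls against many distinct GUIDs in a short window. The log line format, rule names, host names, GUIDs and the burst threshold are assumptions; the Set-MpPreference cmdlet, the Uninstall-WindowsFeature cmdlet and the msiexec /x switch are real.

```python
"""Detection over constructed process-creation log lines for the defensive-evasion
pattern above: Defender tampering via PowerShell, then a "shotgun" of msiexec
uninstalls addressed by product GUIDs. Example code, not from the original post."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rule patterns. The cmdlets and msiexec switches are real; the rule names are ours.
RULES = {
    # Turning off Defender real-time protection with Set-MpPreference.
    "defender_realtime_disable": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.IGNORECASE),
    # Removing the Defender feature from a server with Uninstall-/Remove-WindowsFeature.
    "defender_feature_removal": re.compile(
        r"(Uninstall|Remove)-WindowsFeature\b.*Windows-Defender", re.IGNORECASE),
    # msiexec uninstall (/x or /uninstall) addressed by a product GUID (captured in group 3).
    "msiexec_uninstall_guid": re.compile(
        r"msiexec(\.exe)?\b.*/(x|uninstall)\s*\{?([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\}?",
        re.IGNORECASE),
}

# Constructed sample events: "<UTC timestamp> <host> <parent image> | <command line>".
# Invented for this example; not telemetry from the incident described.
SAMPLE_LINES = [
    "2018-10-12T03:14:05Z WS01 explorer.exe | notepad.exe C:\\Users\\jdoe\\notes.txt",
    '2018-10-12T03:15:10Z WS01 cmd.exe | powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"',
    '2018-10-12T03:15:42Z WS01 cmd.exe | powershell.exe -Command "Uninstall-WindowsFeature Windows-Defender"',
    "2018-10-12T03:16:01Z WS01 cmd.exe | msiexec.exe /x {11111111-1111-1111-1111-111111111111} /qn",
    "2018-10-12T03:16:03Z WS01 cmd.exe | msiexec.exe /x {22222222-2222-2222-2222-222222222222} /qn",
    "2018-10-12T03:16:05Z WS01 cmd.exe | msiexec.exe /x {33333333-3333-3333-3333-333333333333} /qn",
    "2018-10-12T03:16:07Z WS01 cmd.exe | msiexec.exe /x {44444444-4444-4444-4444-444444444444} /qn",
    "2018-10-12T03:16:09Z WS01 cmd.exe | msiexec.exe /x {55555555-5555-5555-5555-555555555555} /qn",
    "2018-10-12T03:16:11Z WS01 cmd.exe | msiexec.exe /x {55555555-5555-5555-5555-555555555555} /qn",
    # A routine single uninstall on another host: one GUID, so no burst alert.
    "2018-10-12T09:00:00Z WS02 explorer.exe | msiexec.exe /x {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}",
]


def parse_line(line):
    """Split one constructed log line into timestamp, host, parent image and command line."""
    head, cmd = line.split(" | ", 1)
    ts, host, parent = head.split(" ", 2)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "parent": parent, "cmd": cmd}


def classify(cmd):
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def find_uninstall_bursts(events, window=timedelta(minutes=10), min_distinct=4):
    """Hosts where msiexec uninstalls targeted at least `min_distinct` different GUIDs
    within any `window`-long span. Returns {host: (first_timestamp, set_of_guids)}.
    The threshold is an assumption; tune it to the environment's normal patching."""
    per_host = defaultdict(list)
    rx = RULES["msiexec_uninstall_guid"]
    for ev in events:
        m = rx.search(ev["cmd"])
        if m:
            per_host[ev["host"]].append((ev["ts"], m.group(3).upper()))
    bursts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):          # sliding window from each hit
            guids = {g for t, g in hits[i:] if t - start <= window}
            if len(guids) >= min_distinct:
                bursts[host] = (start, guids)
                break
    return bursts


def run_detection(lines):
    """Produce (timestamp, host, rule) alerts: one per Defender-tampering event, plus
    one burst alert per host that crossed the distinct-GUID uninstall threshold."""
    events = [parse_line(l) for l in lines]
    alerts = []
    for ev in events:
        for name in classify(ev["cmd"]):
            if name != "msiexec_uninstall_guid":      # single uninstalls are routine; alert on bursts
                alerts.append((ev["ts"], ev["host"], name))
    for host, (start, guids) in find_uninstall_bursts(events).items():
        alerts.append((start, host, "msiexec_uninstall_burst:%d_guids" % len(guids)))
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LINES):
        print(alert)
```

Run against the constructed lines, this produces two Defender-tampering alerts and one burst alert, all for WS01, while the lone uninstall on WS02 stays quiet. The burst rule matters because a single msiexec /x is ordinary administration; it is the number of distinct product GUIDs tried from one host in a few minutes that marks the “shotgun” behaviour.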
Fast Detection and Response
The activity observed by the Falcon OverWatch team further illustrates that these dedicated adversaries remain undeterred and will actively troubleshoot issues they encounter, even modifying the compromised hosts to meet their needs and establish persistence within the infrastructure, disabling security tools as a means of defense evasion. As such, full enterprise visibility and strong preventative controls are a requirement. Without them, monitoring and preventing the full extent of the actor’s activities and determining the initial infection vector (IIV) or entry point would be significantly hindered or perhaps impossible. Beyond the instrumentation and visibility required to support early detection of an adversary’s activities, it is absolutely critical that organizations also have the ability to respond as quickly as possible to get ahead of the adversary and obviate their attempts to establish a foothold in the environment, denying them the opportunity to persist and expand laterally.