OverWatch enriched process treeįurther reviewing the process tree with added OverWatch enrichment, Falcon identified multiple CMD.EXE instances executing under Microsoft SQL Server. Threat hunters from the Falcon OverWatch team identified a broad range of reconnaissance activity as highly suspicious, and flagged the additional activity for review 11 minutes after the initial detection occurred.įigure 2. The Falcon Complete team acknowledged and began investigating the detections within 6 minutes.
Falcon Complete Investigates and Respondsįalcon Complete began responding to detections triggered within the CrowdStrike Falcon® platform tagged with MITRE ATT&CK technique T1059, “Execution via PowerShell” where a Microsoft SQL Server executable was blocked from launching a PowerShell script. Knowing an adversary and their intent is powerful knowledge during the triage and remediation process to best track past activity and anticipate future actions. Partnering with CrowdStrike Intelligence allows these teams to take advantage of incident attribution, such as understanding adversary motives (targeted, financial, or hacktivism ), their Tactics, Techniques, and Procedures (TTPs), as well as enabling proactive discovery of actor Indicators of Attack and Indicators of Compromise to keep customers safe. Leveraging Falcon OverWatch and their expert threat hunters, Falcon Complete is able to perform timely surgical remediation, extract important artifacts, and ultimately stop breaches. Ĭollaboration between Falcon Complete, Falcon OverWatch and CrowdStrike Intelligence is a force multiplier protecting customers from the latest threats.
The attack demonstrates how CARBON SPIDER has likely introduced new tactics, techniques and procedures (TTPs) following the actor’s apparent termination of the Darkside ransomware-as-a-Service program in response to scrutiny following the Colonial Pipeline Darkside incident. A combined effort from Falcon Complete™ (managed detection and response), Falcon OverWatch™ (managed threat hunting), and CrowdStrike Intelligence uncovered this campaign. In this blog, we describe a campaign of recent activity where CrowdStrike observed an actor likely related to CARBON SPIDER performing SQL injections in order to gain code execution as an initial infection vector.
0 kommentar(er)
