Engineering & Tech
Enterprise Remediation with CrowdStrike and MOXFIVE, Part 2: Strategies for Containing and Recovering
CrowdStrike Falcon® Next-Gen SIEM enables companies to search, investigate and hunt down threats, including detection of advanced ransomware targeting VMware ESXi. Initial access to the ESXi infrastruc[…]
3 Critical Steps for Application Security Teams in 2024
Software development practices are rapidly changing, and so are the methods adversaries use to target custom applications. The rise of loosely coupled applications, along with an impressive increase i[…]
CrowdStrike Wins Frost & Sullivan 2024 Cloud Leadership Award
CrowdStrike’s Advanced Memory Scanning detected BRc4 execution in the wild. CrowdStrike has integrated new indicators of attack (IOAs) for modern endpoint detection and response (EDR) evasion techniqu[…]
The Windows Restart Manager: How It Works and How It Can Be Hijacked, Part 2
In the first part of this series, we provided a brief overview of the Windows Restart Manager. In this blog post, we examine how these mechanisms can be exploited by adversaries and review how the Cro[…]
The Windows Restart Manager: How It Works and How It Can Be Hijacked, Part 1
Malware utilizes a multitude of techniques to avoid detection, and threat actors are continuously uncovering and exploiting new methods of attack. One of the less common techniques includes the exploi[…]
How CrowdStrike Uses Similarity-Based Mapping to Understand Cybersecurity Data and Prevent Breaches
CrowdStrike data scientists describe a new similarity paradigm to organize information and make it accessible, searchable and mappable. The new similarity-based mapping of cybersecurity data associates[…]
Cracking the Code of AI Decision Making: Harnessing the Power of SHAP Values
Machine learning explainability ensures that AI models are transparent, trustworthy and accurate. Explainability enables data scientists to understand how and why an AI model arrived at a particular de[…]
Python 2to3: Tips From the CrowdStrike Data Science Team
The CrowdStrike Falcon® platform leverages similarity search at scale to drive up efficacy. PowerShell-based attacks are on the rise and many malware authors save time and effort by using artificial in[…]
CrowdStrike Releases New Update To Falcon Orchestrator
CrowdStrike releases a free tool for data scientists for porting TensorFlow machine learning models to pure, safe Rust code. The tool, named tf2rust, enables data scientists to create leaner machine lea[…]
Reinventing Managed Detection and Response (MDR) with Identity Threat Protection
In a previous post, our team shared our Three Best Practices for Building a High-Performance Graph Database. That was written two years ago, when CrowdStrike Threat Graph® was processing billions of e[…]
Playing Hide-and-Seek with Ransomware, Part 2
In Part 1, we explained what Intel SGX enclaves are and how they benefit ransomware authors. In Part 2, we explore a hypothetical step-by-step implementation and outline the limitations of this method[…]
The Anatomy of Wiper Malware, Part 4: Less Common “Helper” Techniques
This is the fourth blog post in a four-part series. Read Part 1 | Part 2 | Part 3. In Part 3, CrowdStrike's Endpoint Protection Content Research Team covered the finer points of Input/Output Control ([…]
Playing Hide-and-Seek with Ransomware, Part 1
Intel SGX technology enables developers to isolate and encrypt a portion of code and data in the processor and memory in a trusted execution environment, known as an enclave. As enclaves are increasin[…]
The Anatomy of Wiper Malware, Part 3: Input/Output Controls
This is the third blog post in a four-part series. Read Part 1 | Part 2 | Part 4. In Part 1 of this four-part blog series examining wiper malware, the CrowdStrike Endpoint Protection Content Research […]
The Anatomy of Wiper Malware, Part 2: Third-Party Drivers
This is the second blog post in a four-part series. Read Part 1 | Part 3 | Part 4. In Part 1 of this four-part blog series examining wiper malware, we introduced the topic of wipers, reviewed their re[…]
The Importance of Integrated Endpoint and Workload Protection for IT and Security Operations
CrowdStrike is always looking for innovative ways to improve detection content for our customers. We believe a multifaceted approach that combines customer input, standardized testing and internal res[…]
Decrypting NotPetya/Petya: Tools for Recovering Your MFT After an Attack
Modern Spark Pipelines are a powerful way to create machine learning pipelines. Spark Pipelines use off-the-shelf data transformers to reduce boilerplate code and improve readability for specific use c[…]
Squashing SPIDERS: Threat Intelligence, Threat Hunting and Rapid Response Stops SQL Injection Campaign
A novel technique that reduces the overhead in extracting sensitive data from Chromium browser’s memory was recently found by researchers from CyberArk Labs. Existing access to the targeted system is r[…]
Who Needs Another Alert? CrowdScore Hunts Attackers Hidden in the Data
CrowdStrike combines the power of the cloud with cutting-edge technologies such as TensorFlow and Rust to make model training hundreds of times faster than traditional approaches. CrowdStrike continuou[…]
Likely eCrime Actor Uses Filenames Capitalizing on July 19, 2024, Falcon Sensor Content Issues in Operation Targeting LATAM-Based CrowdStrike Customers
According to CrowdStrike research, Mirai malware variants compiled for Intel-powered Linux systems doubled (101%) in Q1 2022 compared to Q1 2021. Mirai malware variants that targeted 32-bit x86 processo[…]
Addressing Uneven Partition Lag in Kafka
Ransomware (43% of analyzed threat data), backdoors (35%) and trojans (17%) were the most popular macOS malware categories spotted by CrowdStrike researchers in 2021. OSX.EvilQuest (ransomware), OSX.Fl[…]
From Data to Deployment: How Human Expertise Maximizes Detection Efficacy Across the Machine Learning Lifecycle
The CrowdStrike Security Cloud processes over a trillion events from endpoint sensors per day, but human professionals play a vital role in providing structure and ground truth for artificial intellig[…]
CrowdStrike Falcon® Prevents WannaCry Ransomware
CrowdStrike introduces accelerated memory scanning into the CrowdStrike Falcon® sensor for Windows to enhance existing visibility and detection of fileless threats. The Falcon sensor integrates Intel® […]
Log4j2 Vulnerability "Log4Shell" (CVE-2021-44228)
The Go ecosystem has long relied on the use of third-party libraries for logging. Logrus, one of the first leveled, structured logging libraries, is now maintenance-only and its developers recommend m[…]
How to Establish Cross-Border Transfer Systems that Help Protect Privacy
Threat actors go to great lengths to hide the intentions of the malware they produce. This blog demonstrates reliable methods for extracting information from popular Linux shells. Extracted memory infor[…]
Holiday Cyber Warnings Will Echo Across 2021
In two recent blog posts from the CrowdStrike Software Development Engineers in Test (SDET) team, we explored how end-to-end validation testing and modular testing design could increase the speed and […]
How a Generalized Validation Testing Approach Improves Efficiency, Boosts Outcomes and Streamlines Debugging
In our last post, Testing Data Flows using Python and Remote Functions, we discussed how organizations can use remote functions in Python to create an end-to-end testing and validation strategy. Here […]
Unexpected Adventures in JSON Marshaling
Recently, one of our engineering teams encountered what seemed like a fairly straightforward issue: When they attempted to store UUID values to a database, it produced an error claiming that the value[…]
Modernize Your SOC with Falcon Fusion, CrowdStrike’s Integrated SOAR Framework
Virtually every aspect of a modern business depends on having a reliable, secure, real-time, high-quality data stream. So how do organizations design, build and maintain a data processing pipeline tha[…]
CrowdStrike’s New Methodology for Tracking eCrime
CrowdStrike research finds that 75% of the WebAssembly modules are malicious. WebAssembly is an open standard that allows browsers to execute compiled programs. Cryptocurrency miners boost efficiency by[…]
Improving Performance and Reliability of Internal Communication Among Microservices: The Story Behind the Falcon Sandbox Team’s gRPC Journey
The Hybrid Analysis community submits hundreds of thousands of samples for analysis to our systems every day. Those sample submissions mean our CrowdStrike Falcon® Sandbox™ software must do millions o[…]
The 5 Steps of Log Management: Essential Steps to Improve Observability, Enhance Security, and Monitor System and Application Performance
This blog was originally published Aug. 24, 2020 on humio.com. Humio is a CrowdStrike Company. Every organization has a different relationship with their logs. They might be used to monitor operations[…]
Nowhere to Hide: Detecting a Vishing Intrusion at a Retail Company
In a previous blog post, Building on the Shoulders of Giants: Combining TensorFlow and Rust, we laid out our approach of performing hyperparameter tuning and experimenting with known deep learning fra[…]
Re-searching Hyperparameters for Training Boosted Tree Models
Introduction. While deep neural networks have state-of-the-art performance in many tasks, boosted tree models still often outperform deep neural networks on tabular data. This largely seems to be the c[…]
How CrowdStrike Achieves Lightning-Fast Machine Learning Model Training with TensorFlow and Rust
Many companies choose Apache Kafka for their asynchronous data pipelines because it is robust to traffic bursts, and surges are easily managed by scaling consumers. However, scaling is not helpful whe[…]
Shlayer Malvertising Campaigns Still Using Flash Update Disguise
Malvertising campaigns delivering Shlayer malware for macOS are still ongoing, despite the patching of a critical zero-day vulnerability (CVE-2021-30657) abused for months to compromise victims by dod[…]
Virgin Hyperloop Protects IP, Augments Team with Falcon Complete and Falcon OverWatch Managed Services
How our engineering team overcame scaling limitations and improved reliability in our high-throughput, asynchronous data processing pipeline. Apache Kafka is a high-throughput, low-latency distributed […]
How to Stay Cyber Aware of Weaknesses and Vulnerabilities in Your Environment
One common challenge facing cloud engineers is how to develop and run tests that are distributed across multiple clusters, teams, environments or services. The use of new technologies, like containeri[…]
CrowdStrike Services Launches Log4j Quick Reference Guide (QRG)
The CrowdStrike Services team is excited to announce the release of AutoMacTC 1.2.0 to the community. AutoMacTC was originally released in March 2019 to help incident responders investigate intrusions[…]
A Principled Approach to Monitoring Streaming Data Infrastructure at Scale
ZIP files are a known vector for phishing campaigns, ransomware and other malicious action. Because the format isn’t generally executable (minus self-extracting ZIPs), it hasn’t gotten as much attenti[…]
Google Cloud + CrowdStrike: Transforming Security With Cloud-scale Multi-level Defense
Why “Alerts as Code” is a winning strategy for system maintenance and analysis. While running multiple, independent clouds offers organizations many important benefits such as resiliency, flexibility a[…]
Security Advisory: MSRPC Printer Spooler Relay (CVE-2021-1678)
There is a quote from Sun Tzu, “The Art of War,” that remains true to this day, especially in cybersecurity: “Know thy enemy and know yourself; in a hundred battles, you will never be defeated.” At Cr[…]
CrowdStrike Falcon® Demonstrates Continued Excellence in Recent AV-Comparatives Evaluations
Vulnerabilities in the kernel mode component have serious implications on endpoint security. Operating systems and independent software vendors have been improving the security of code for years, but […]
Blocking Fileless Script-based Attacks Using CrowdStrike Falcon®'s Script Control Feature
Fileless and script-based attacks have been low-hanging fruit for years for adversaries, and their versatility has proved effective in sometimes bypassing traditional static-based antivirus solutions.[…]
Building on the Shoulders of Giants: Combining TensorFlow and Rust
Deep learning models have undoubtedly achieved astonishing performance in various fields of machine learning, such as natural language processing, voice recognition and computer vision. The impressive[…]
From the Board Room to the Dining Room: Making Cybersecurity Everyone’s Duty
In our earlier post, Making Threat Graph Extensible: Leveraging a DSL to Improve Data Ingestion (Part 1 of 2), we explored how and why CrowdStrike leverages HCL as a domain-specific language (DSL) in […]
The ICS/OT Landscape: How CrowdStrike Supports Through Partnerships With Rockwell and Others
CrowdStrike processes hundreds of billions of events on a daily basis, which are processed by our custom-built CrowdStrike Threat Graph® database, which leverages cutting-edge security analytics to co[…]
The Rise and Fall of WebNavigatorBrowser: Chromium-based Adware Browser
WebNavigatorBrowser is a web browser that meets the criteria of adware due to its injecting of ads into search results. The developer based it on Google’s free and open-source browser software project[…]
Shift Left Security: The Magic Elixir for Securing Cloud-Native Apps
This blog is intended for malware researchers working to develop signatures detecting malware, and engineers developing infrastructure supporting these signatures. At CrowdStrike, we often leverage ma[…]
Press #1 to Play: A Look Into eCrime Menu-style Toolkits
The year 2020 has seen an accelerated uptick in eCrime activity, as well as an obvious shift in eCrime adversaries engaging in big game hunting (BGH) operations that involve interactive deployment of […]
Oh No! My Data Science Is Getting Rust-y
We recently integrated new functionality into our CrowdStrike Falcon® sensor that was implemented in Rust. Rust is a relatively young language with several features focused on safety and security. Cal[…]
Defense Against the Lateral Arts: Detecting and Preventing Impacket’s Wmiexec
Any cyberattack can have a significant impact on business operations, but perhaps none are as sophisticated as kernel attacks. Kernel attacks exploit the zero-day operating system vulnerabilities in t[…]
Helping Non-Security Stakeholders Understand ATT&CK in 10 Minutes or Less [VIDEO]
The answer to that question often depends on who you ask. By definition, process herpaderping is a hacking technique in which digital adversaries modify on-disk content after the image has been mapped[…]
The Critical Role of Cybersecurity in M&A: Part 2, Pre-Close
This is Part 2 of our three-part blog series on the critical importance of cybersecurity in the M&A process. Part 1 addressed due diligence, and in this blog, we cover the pre-close phase. Part 3 disc[…]
CharCNNs and PowerShell Scripts: Yet Another Fight Against Malware
Motivation. Deep learning models have been considered “black boxes” in the past, due to the lack of interpretability they were presented with. However, in the last few years, there has been a great dea[…]
Sharding Kafka for Increased Scale and Reliability
In this blog, we present the results of some preliminary experiments with training highly “overfit” (interpolated) models to identify malicious activity based on behavioral data. These experiments wer[…]
CrowdStrike Uncovers New MacOS Browser Hijacking Campaign
After more than a decade, the sun has set on Python 2. Love it or hate it, Python 2.7.18 is the final official release — and to remain current with security patches and continue enjoying all of the ne[…]
Malware Analysis: GuLoader Dissection Reveals New Anti-Analysis Techniques and Code Injection Redundancy
GuLoader, a malware family that emerged in the wild late last year, is written in Visual Basic 6 (VB6), which is just a wrapper for a core payload that is implemented as a shellcode. It is distributed[…]
Three Best Practices for Building a High-Performance Graph Database
CrowdStrike® employees like to say that there is big data, huge data and our data. To date, we have collected, analyzed and stored more than 15 petabytes of data, generated through hundreds of billion[…]
Improving CrowdStrike Falcon® Detection Content with the Gap Analysis Team
How to effectively manage client-side partial failures, avoid data loss and process errors. Apache Kafka is the gold standard for building real-time data pipelines and streaming apps. Scalable, fault-t[…]
Data Science & Machine Learning 101: Hunting the Unknown
Python is one of the most popular programming languages for data scientists — and for good reason. The Python Package Index (PyPI) hosts a vast array of impressive data science library packages, such […]
Malicious Spear-Phishing Campaign Targets Upcoming Winter Olympics in South Korea
Malware in the Scripting Landscape. Scripting is a well-known means of spreading malware. Easy to write and often difficult for security solutions to detect, scripts make the perfect tool for attackers[…]
Situational Awareness: Cyber Threats Heightened by COVID-19 and How to Protect Against Them
As the new coronavirus, COVID-19, spreads around the planet, many people are filled with emotions like fear, uncertainty and hope — which are the top ingredients for an effective spam campaign. Cyber […]
Targeted Dharma Ransomware Intrusions Exhibit Consistent Techniques
Since at least 2018, criminal actors have been conducting big game hunting (BGH) campaigns, deploying ransomware on a targeted scale against large corporations or governments in pursuit of lucrative p[…]
Conversations with Charlotte AI: Scattered Spider
Machine learning for computer security has enjoyed a number of recent successes, but these tools aren’t perfect, and sometimes a novel family is able to evade file-based detection. This blog walks you[…]
Demystifying Data Protection in the Cloud: Runtime vs. At Rest
Working with text data (which we often refer to as “strings”) is common in cybersecurity applications. For example, suppose we have a set of command lines associated with malicious activity, and we wa[…]
DarkSide Pipeline Attack Shakes Up the Ransomware-as-a-Service Landscape
Red team penetration testers very often add tools to their arsenal that borrow techniques originating in malicious software. Shellter is such a tool. It was inspired by the EPO and polymorphic file-in[…]
Modernize Log Monitoring to Accelerate Digital Transformation
While adversaries continue to evolve their cyberattacks, CrowdStrike® scientists and engineers keep pushing the boundaries of what’s achievable in malware detection and prevention capabilities. Some o[…]
Memorizing Behavior: Experiments with Overfit Machine Learning Models
Introduction. Machine learning is one of the many tools we use at CrowdStrike® to stop breaches. To do it well, we need enormous amounts of data — and also the tools to process all of this data. In a r[…]
I am Ironman: DEEP PANDA Uses Sakula Malware to Target Organizations in Multiple Sectors
My last blog post discussed the rationale for CrowdScore® and outlined its evidence-weighting approach, demonstrating a 10- to 25-fold improvement in the ability to accurately distinguish between mali[…]
INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions
Machine learning has demonstrated dramatic effectiveness in a wide range of fields, including computer security. However, machine learning for computer security has its weaknesses. This does not mean […]
Detecting Poisoned Python Packages: CTX and PHPass
At CrowdStrike®, machine learning is a major tool for detecting new malware families and keeping our customers safe. We utilize gradient boosted trees with thousands of features to classify whether a […]
Using Docker to Do Machine Learning at Scale
One key building block we use for scaling our machine learning models at CrowdStrike® is Docker containers. Docker containers let us construct application environments with all the dependencies, tools[…]
MITRE ATT&CK Evaluation Reveals CrowdStrike Falcon® as the Most Effective EDR Solution
Following the MITRE ATT&CK™ Evaluation of endpoint detection and response (EDR) solutions, I've heard a lot of confusion surrounding the various terms MITRE used, particularly the terms "detections," […]
CrowdStrike Falcon Platform Achieves 100% Detection and Protection Against MacOS Malware with Zero False Positives in Latest MacOS AV-TEST
Over the past three months, CrowdStrike worked closely with VirusTotal (VT), and we are excited to announce the integration of our anti-malware technology as an additional scanner available to the VT […]