[CrowdStrike NGAV/EDR] How to use it
What you will learn from this article
- A simple look at how CrowdStrike works
- What CrowdStrike detects and how to investigate a detection
How it works and how to set it up
CrowdStrike's endpoint security can be broadly divided into file-based detection and behavior-based detection.
Combining the two makes it possible to block both known and unknown attacks, including fileless attacks in which no malware binary is ever written to disk.


Both file-based and behavior-based detection are configured through Prevention Policies.
The Windows prevention policy currently has about 70 settings, and new ones are added regularly as features are extended to address new threats, so an existing policy needs to be reviewed whenever new settings appear. Macnica has defined recommended values for all of these settings.
Several recommended profiles are available, such as detection only, coexistence with a third-party antivirus product, and operation with CrowdStrike alone.
If you are unsure which prevention policy settings to enable, Macnica's recommended settings give you a starting point for setting them up.
*Equivalent recommended settings are also defined for Mac and Linux.
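As an added example (not Macnica's or CrowdStrike's code), here is a small Python check that compares an exported prevention policy against a recommended baseline and reports drift: settings that are weaker than the baseline, settings the baseline asks for that the policy lacks, and settings the policy has that the baseline has not reviewed yet, which is exactly what happens when new items are added to the policy. The policy documents are constructed for this example; their layout (categories containing on/off toggles and detection/prevention sliders) is an assumption modelled on how the console presents a policy, and the setting names are illustrative labels rather than a verified list.

```python
"""Audit a prevention policy against a recommended baseline and list drift."""

# Slider levels, weakest first (assumed ordering, as the console presents them).
LEVELS = ["DISABLED", "CAUTIOUS", "MODERATE", "AGGRESSIVE", "EXTRA_AGGRESSIVE"]

# Constructed baseline: a "CrowdStrike only" profile with prevention enabled.
# Category and setting names are illustrative labels, not a verified list.
BASELINE_PREVENT = {"prevention_settings": [
    {"name": "Enhanced Visibility", "settings": [
        {"name": "Additional User Mode Data", "value": {"enabled": True}},
    ]},
    {"name": "Next-Gen Antivirus", "settings": [
        {"name": "Cloud Anti-malware",
         "value": {"detection": "MODERATE", "prevention": "MODERATE"}},
        {"name": "Quarantine & Security Center Registration", "value": {"enabled": True}},
    ]},
]}

# Constructed policy under audit: prevention was left off on the slider,
# quarantine is missing, and a newly added setting is present that the
# baseline has never reviewed.
POLICY = {"prevention_settings": [
    {"name": "Enhanced Visibility", "settings": [
        {"name": "Additional User Mode Data", "value": {"enabled": True}},
        {"name": "Script-Based Execution Monitoring", "value": {"enabled": True}},
    ]},
    {"name": "Next-Gen Antivirus", "settings": [
        {"name": "Cloud Anti-malware",
         "value": {"detection": "MODERATE", "prevention": "DISABLED"}},
    ]},
]}


def flatten(policy):
    """Map setting name -> value across every category."""
    return {s["name"]: s["value"]
            for category in policy["prevention_settings"]
            for s in category["settings"]}


def weaker_than(actual, wanted):
    """True when a setting protects less than the baseline asks for."""
    if "enabled" in wanted:  # on/off toggle
        return bool(wanted["enabled"]) and not actual.get("enabled", False)
    # detection/prevention slider: weaker if either level is below the baseline
    return any(LEVELS.index(actual.get(k, "DISABLED")) < LEVELS.index(wanted[k])
               for k in ("detection", "prevention"))


def audit(policy, baseline):
    """Return (setting, kind, policy_value, baseline_value) findings, sorted by setting."""
    actual, wanted = flatten(policy), flatten(baseline)
    findings = []
    for name, w in wanted.items():
        if name not in actual:
            findings.append((name, "missing_in_policy", None, w))
        elif actual[name] != w:
            kind = ("weaker_than_baseline" if weaker_than(actual[name], w)
                    else "stricter_than_baseline")
            findings.append((name, kind, actual[name], w))
    for name in sorted(actual.keys() - wanted.keys()):
        # Present in the policy but unknown to the baseline: usually a setting
        # added by a feature update that still needs a decision.
        findings.append((name, "not_in_baseline", actual[name], None))
    return sorted(findings, key=lambda f: f[0])


if __name__ == "__main__":
    for setting, kind, have, want in audit(POLICY, BASELINE_PREVENT):
        print(f"{kind:22} {setting}: policy={have} baseline={want}")
```

The "stricter_than_baseline" finding is deliberate: with a detection-only or coexistence profile, prevention being switched on is itself drift, because it can collide with the other antivirus product.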

Now let's actually trigger a detection and see what appears in the CrowdStrike console and how to respond to it.
Hands-on
Triggering a detection
Prepare a sample that CrowdStrike will detect.
Here we run a test sample prepared by Macnica.

I ran it with admin privileges and immediately got a popup saying it was blocked.

Investigating detections
Let's look at the details of the detection.
After the detection, the test sample disappeared from its folder.

CrowdStrike can quarantine malicious files; when quarantine is enabled in the prevention policy, the detected file is removed from its original location as seen above.
Quarantined files are moved to Windows\System32\drivers\CrowdStrike\Quarantine. They are stored there in encrypted form, so do not try to recover a sample from that folder directly; release or download it from the console instead (see below).


Next, let's look at the CrowdStrike management console.

Opening the detection shows at a glance:
- Which file the detection targeted
- What command line was executed
- What kind of detection it is (the tactic and technique)
- What action was taken (for example, blocked or quarantined)
You can also check various other information, such as the file's hash, details of the device on which the detection occurred, and the user involved.

The Process Tree lets you dig deeper into a detection.
It shows which processes were launched before the detected process and what it launched afterwards.

In this case we can see that the test sample was executed from Explorer, i.e. the user opened it by hand.
If the parent had instead been a mail client, the file was likely delivered as an email attachment; if it had been a browser, the file was likely downloaded from the web.
Reading the parent chain is therefore the quickest way to identify the intrusion route.
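As an added example (not code from this article or from CrowdStrike), the following Python script reproduces the same reasoning from process-start events: it walks up from the detected process to find what launched it, walks down to find what it spawned, and classifies the likely delivery route from the nearest mail client, browser or Explorer ancestor. The event records are constructed for this example and use a simplified schema (pid, ppid, image, cmdline, user); they are not the Falcon sensor's event format.

```python
"""Reconstruct the process context around a detection, the way an analyst
reads the Falcon Process Tree: what ran before the detected process (its
ancestors) and what it started afterwards (its descendants), then infer
the likely delivery route from the ancestors."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample of process-start events for this example. The keys
# (pid, ppid, image, cmdline, user) are a simplified schema chosen here,
# not the Falcon sensor's event format.
EVENTS = [
    {"pid": 520, "ppid": 0, "image": r"C:\Windows\System32\winlogon.exe",
     "cmdline": "winlogon.exe", "user": "SYSTEM"},
    {"pid": 1204, "ppid": 520, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "user": r"LAB\analyst"},
    # Scenario A (as in the article): the test sample is opened from Explorer.
    {"pid": 3310, "ppid": 1204, "image": r"C:\Users\analyst\Desktop\testsample.exe",
     "cmdline": r'"C:\Users\analyst\Desktop\testsample.exe"', "user": r"LAB\analyst"},
    # Scenario B: a mail client opens an attachment, which then starts a shell.
    {"pid": 2040, "ppid": 1204,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "OUTLOOK.EXE", "user": r"LAB\analyst"},
    {"pid": 4120, "ppid": 2040, "image": r"C:\Users\analyst\AppData\Local\Temp\invoice.exe",
     "cmdline": r'"C:\Users\analyst\AppData\Local\Temp\invoice.exe"', "user": r"LAB\analyst"},
    {"pid": 4188, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -NoProfile -Command "whoami"', "user": r"LAB\analyst"},
]

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


def index_events(events):
    """Index events by pid and by parent pid."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    return by_pid, children


def ancestry(pid, by_pid, limit=64):
    """Chain from the root down to pid. Stops at an unknown parent or a pid cycle."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen and len(chain) < limit:
        seen.add(cur["pid"])
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    chain.reverse()
    return chain


def descendants(pid, children):
    """Breadth-first list of everything launched under pid (what happened after)."""
    out, queue = [], list(children.get(pid, []))
    while queue:
        e = queue.pop(0)
        out.append(e)
        queue.extend(children.get(e["pid"], []))
    return out


def basename(image):
    return PureWindowsPath(image).name.lower()


def infer_delivery(chain):
    """Classify the route from the nearest recognised ancestor of the detected process."""
    for e in reversed(chain[:-1]):  # chain[-1] is the detected process itself
        name = basename(e["image"])
        if name in MAIL_CLIENTS:
            return "email"
        if name in BROWSERS:
            return "browser download"
        if name == "explorer.exe":
            return "local execution (opened from Explorer)"
    return "unknown"


def triage(pid, events=EVENTS):
    """Summarise what an analyst wants from the tree for the detected pid."""
    by_pid, children = index_events(events)
    chain = ancestry(pid, by_pid)
    return {
        "target": by_pid[pid]["image"],
        "cmdline": by_pid[pid]["cmdline"],
        "user": by_pid[pid]["user"],
        "ancestors": [basename(e["image"]) for e in chain[:-1]],
        "delivery": infer_delivery(chain),
        "spawned": [basename(e["image"]) for e in descendants(pid, children)],
    }


if __name__ == "__main__":
    for detected in (3310, 4120):
        print(triage(detected))
```

The cycle guard in ancestry matters on real telemetry, where PID reuse can make a parent pid point at a process that started later; an analyst reading the tree by hand notices this, a script only does if it checks.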
Quarantined files can also be viewed in the management console, released from quarantine, or downloaded. Release a file only once you have confirmed the detection was a false positive; to analyse a sample, download it to an isolated investigation machine rather than releasing it on the original endpoint.

Summary
- CrowdStrike's endpoint security is broadly divided into file-based and behavior-based detection.
- Because the intrusion route, the progress of the attack, command-line details, and what triggered execution of the file are all recorded, post-incident investigation is straightforward.
Inquiry/Document request
Macnica Co., Ltd., CrowdStrike team
- TEL:045-476-2010
- E-mail:crowdstrike_info@macnica.co.jp
Weekdays: 9:00-17:00