Crowdstrike RTR Script Execution via PowerShell

This threat brief addresses the abuse of Crowdstrike Real Time Response (RTR) functionality to execute arbitrary commands on managed hosts. Attackers with access to a Crowdstrike Dashboard can use the “runscript” command to execute scripts, often PowerShell, on remote systems. This is particularly concerning because it allows attackers to leverage a trusted platform for malicious purposes, potentially bypassing traditional security controls. The encoded commands within PowerShell obfuscate the attacker’s actions, making detection more challenging. This technique has been observed in past campaigns where threat actors target SaaS applications, highlighting the potential for significant impact on organizations relying on these services.

Attack Chain

1. Attacker gains unauthorized access to the Crowdstrike Dashboard.
2. Attacker uses the RTR “runscript” command to initiate a PowerShell script execution on a target host.
3. The RTR process spawns dllhost.exe to execute the script.
4. dllhost.exe initiates powershell.exe with encoded command parameters (-EncodedCommand).
5. PowerShell executes the attacker-controlled, obfuscated script.
6. The script performs malicious activities such as reconnaissance, lateral movement, or data exfiltration.
7. Results of the script execution may be returned to the attacker via command and control channels.
8. Attacker achieves their final objective, such as data theft, system compromise, or ransomware deployment.

Impact

Successful exploitation can lead to complete compromise of targeted systems. An attacker with RTR access can use this technique to bypass normal endpoint security controls. This can result in data breaches, financial losses, and reputational damage. The impact is amplified by the trust relationship between Crowdstrike and its managed endpoints, making detection and prevention more difficult.

Recommendation

• Deploy the Sigma rule Detect Crowdstrike RTR PowerShell EncodedCommand Execution to identify suspicious PowerShell executions originating from Crowdstrike RTR.
• Monitor process creation events (Sysmon EventID 1) and filter for PowerShell processes with encoded commands (-EncodedCommand) where the parent process is dllhost.exe.
• Review and restrict Crowdstrike Dashboard access to only authorized personnel to prevent unauthorized use of RTR.
• Implement multi-factor authentication (MFA) for all Crowdstrike Dashboard accounts.
• Implement the Sigma rule Detect Crowdstrike RTR PowerShell EncodedCommand Execution - Alternate.