{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/crowdstrike-dashboard/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Crowdstrike Dashboard"],"_cs_severities":["high"],"_cs_tags":["living-off-the-land","rtr","script-execution"],"_cs_type":"advisory","_cs_vendors":["Splunk","CrowdStrike"],"content_html":"\u003cp\u003eThis threat brief addresses the abuse of Crowdstrike Real Time Response (RTR) functionality to execute arbitrary commands on managed hosts. Attackers with access to a Crowdstrike Dashboard can use the \u0026ldquo;runscript\u0026rdquo; command to execute scripts, often PowerShell, on remote systems. This is particularly concerning because it allows attackers to leverage a trusted platform for malicious purposes, potentially bypassing traditional security controls. The encoded commands within PowerShell obfuscate the attacker\u0026rsquo;s actions, making detection more challenging. This technique has been observed in past campaigns where threat actors target SaaS applications, highlighting the potential for significant impact on organizations relying on these services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains unauthorized access to the Crowdstrike Dashboard.\u003c/li\u003e\n\u003cli\u003eAttacker uses the RTR \u0026ldquo;runscript\u0026rdquo; command to initiate a PowerShell script execution on a target host.\u003c/li\u003e\n\u003cli\u003eThe RTR process spawns \u003ccode\u003edllhost.exe\u003c/code\u003e to execute the script.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003edllhost.exe\u003c/code\u003e initiates \u003ccode\u003epowershell.exe\u003c/code\u003e with encoded command parameters (\u003ccode\u003e-EncodedCommand\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003ePowerShell executes the attacker-controlled, obfuscated script.\u003c/li\u003e\n\u003cli\u003eThe script performs malicious activities such as reconnaissance, lateral movement, or data exfiltration.\u003c/li\u003e\n\u003cli\u003eResults of the script execution may be returned to the attacker via command and control channels.\u003c/li\u003e\n\u003cli\u003eAttacker achieves their final objective, such as data theft, system compromise, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete compromise of targeted systems. An attacker with RTR access can use this technique to bypass normal endpoint security controls. This can result in data breaches, financial losses, and reputational damage. The impact is amplified by the trust relationship between Crowdstrike and its managed endpoints, making detection and prevention more difficult.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Crowdstrike RTR PowerShell EncodedCommand Execution\u003c/code\u003e to identify suspicious PowerShell executions originating from Crowdstrike RTR.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events (Sysmon EventID 1) and filter for PowerShell processes with encoded commands (\u003ccode\u003e-EncodedCommand\u003c/code\u003e) where the parent process is \u003ccode\u003edllhost.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview and restrict Crowdstrike Dashboard access to only authorized personnel to prevent unauthorized use of RTR.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Crowdstrike Dashboard accounts.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Crowdstrike RTR PowerShell EncodedCommand Execution - Alternate\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-crowdstrike-rtr-script-execution/","summary":"Detection of PowerShell execution initiated via Crowdstrike Real Time Response (RTR) 'runscript' command, potentially indicating malicious actors leveraging compromised Crowdstrike Dashboard access to execute commands on remote hosts using encoded commands.","title":"Crowdstrike RTR Script Execution via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-crowdstrike-rtr-script-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Crowdstrike Dashboard","version":"https://jsonfeed.org/version/1.1"}