{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/crowdstrike-falcon-agent/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2022-44721"}],"_cs_exploited":false,"_cs_products":["CrowdStrike Falcon Agent"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","registry-modification","endpoint"],"_cs_type":"advisory","_cs_vendors":["CrowdStrike"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of unauthorized or suspicious removal of CrowdStrike agent registry keys on Windows systems. CrowdStrike\u0026rsquo;s Falcon agent relies on specific registry keys for its operation and configuration. While removal of these keys is a normal part of the agent uninstallation process, unauthorized or unexpected removal can indicate malicious activity, such as attempts to disable or circumvent the agent. Specifically, threat actors might target these keys to disable the endpoint detection and response (EDR) capabilities of the CrowdStrike agent, potentially as part of a broader attack to evade detection. This is especially relevant in the context of known vulnerabilities like CVE-2022-44721, which could be exploited to facilitate unauthorized agent manipulation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the system through various means, such as exploiting a vulnerability, phishing, or compromising credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker escalates privileges to obtain the necessary permissions to modify or delete registry keys, potentially using exploits or known vulnerabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker identifies the specific registry keys associated with the CrowdStrike Falcon agent.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker attempts to disable or uninstall the CrowdStrike agent by removing its registry keys. This action aims to prevent the agent from detecting or responding to malicious activities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRegistry Key Deletion:\u003c/strong\u003e The attacker executes a command or script to delete the identified CrowdStrike registry keys using tools like \u003ccode\u003ereg delete\u003c/code\u003e or PowerShell.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (Optional):\u003c/strong\u003e The attacker might establish persistence through other means if the agent removal is incomplete or unsuccessful.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement \u0026amp; Further Exploitation:\u003c/strong\u003e With the CrowdStrike agent disabled or impaired, the attacker can move laterally within the network and perform other malicious activities without being detected by the compromised endpoint\u0026rsquo;s primary security solution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful removal of CrowdStrike agent registry keys can lead to a significant degradation of endpoint security. The compromised system becomes more vulnerable to malware infections, data breaches, and other security incidents. An attacker can perform malicious actions on the endpoint without being detected by the CrowdStrike Falcon agent, potentially impacting multiple systems within the organization. Organizations utilizing CrowdStrike for endpoint protection are particularly at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CrowdStrike Registry Key Deletion via Sysmon\u003c/code\u003e to detect registry key deletion events related to CrowdStrike.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on processes and users involved in the registry key deletion, to determine if the activity is legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eReview systems for potential exploitation of CVE-2022-44721 by examining process execution and registry modifications related to CrowdStrike.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 12 to ensure registry modification events are captured and available for analysis.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-crowdstrike-registry-removal/","summary":"This detection identifies delete events on CrowdStrike registry keys, which typically occur during agent uninstallation, so any unplanned or unexpected removal of these keys should be investigated for malicious activity such as defense evasion or exploits like CVE-2022-44721.","title":"Detection of Suspicious CrowdStrike Agent Registry Key Removal","url":"https://feed.craftedsignal.io/briefs/2024-01-crowdstrike-registry-removal/"}],"language":"en","title":"CraftedSignal Threat Feed — CrowdStrike Falcon Agent","version":"https://jsonfeed.org/version/1.1"}