<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>CrowdStrike Falcon Agent — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/crowdstrike-falcon-agent/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/crowdstrike-falcon-agent/feed.xml" rel="self" type="application/rss+xml"/><item><title>Detection of Suspicious CrowdStrike Agent Registry Key Removal</title><link>https://feed.craftedsignal.io/briefs/2024-01-crowdstrike-registry-removal/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-crowdstrike-registry-removal/</guid><description>This detection identifies delete events on CrowdStrike registry keys, which typically occur during agent uninstallation, so any unplanned or unexpected removal of these keys should be investigated for malicious activity such as defense evasion or exploits like CVE-2022-44721.</description><content:encoded><![CDATA[<p>This threat brief focuses on the detection of unauthorized or suspicious removal of CrowdStrike agent registry keys on Windows systems. CrowdStrike&rsquo;s Falcon agent relies on specific registry keys for its operation and configuration. While removal of these keys is a normal part of the agent uninstallation process, unauthorized or unexpected removal can indicate malicious activity, such as attempts to disable or circumvent the agent. 
Specifically, an attacker who already holds administrative access may delete these keys to cripple the agent&rsquo;s endpoint detection and response (EDR) capabilities as part of a wider effort to evade detection. The Falcon sensor&rsquo;s tamper protection is designed to block such deletions, so a successful delete seen in telemetry implies either a sanctioned uninstall or that the protection was bypassed or disabled. This is why CVE-2022-44721, a published bypass of the sensor&rsquo;s uninstall protection on Windows that lets an administrative attacker remove the sensor without the one-time maintenance token, is relevant: it is one route to unauthorized agent removal.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains initial access to the system through various means, such as exploiting a vulnerability, phishing, or compromising credentials.</li>
<li><strong>Privilege Escalation:</strong> The attacker escalates to administrative (or SYSTEM) privileges, since the agent&rsquo;s keys live under <code>HKLM</code> and cannot be modified by a standard user. Where the sensor&rsquo;s tamper protection is active, the attacker also needs a way around it, such as the uninstall-protection bypass tracked as CVE-2022-44721.</li>
<li><strong>Discovery:</strong> The attacker identifies the specific registry keys associated with the CrowdStrike Falcon agent.</li>
<li><strong>Defense Evasion via Registry Key Deletion:</strong> The attacker deletes the identified keys with a built-in tool such as <code>reg delete</code>, PowerShell&rsquo;s <code>Remove-Item</code>, or a custom program, aiming to stop the agent from loading, reporting, or responding to malicious activity.</li>
<li><strong>Persistence (Optional):</strong> The attacker might establish persistence through other means if the agent removal is incomplete or unsuccessful.</li>
<li><strong>Lateral Movement &amp; Further Exploitation:</strong> With the CrowdStrike agent disabled or impaired, the attacker can move laterally within the network and perform other malicious activities without being detected by the compromised endpoint&rsquo;s primary security solution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful removal of the agent&rsquo;s registry keys leaves the Falcon sensor unable to load or report correctly, so the host drops out of EDR visibility: the console stops receiving telemetry and no prevention or response actions reach the endpoint. The compromised system is then exposed to malware, credential theft, and data exfiltration without the organization&rsquo;s primary endpoint control observing any of it, and it can serve as a quiet foothold for attacks on other systems. A sensor that stops reporting is itself a signal worth alerting on from the Falcon console, independent of host-side telemetry.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect CrowdStrike Registry Key Deletion via Sysmon</code>, which matches Sysmon Event ID 12 records with <code>EventType: DeleteKey</code> whose <code>TargetObject</code> is a CrowdStrike key.</li>
<li>Investigate every alert the rule generates: examine the <code>Image</code>, <code>User</code>, and parent process behind the deletion and check whether a change ticket or scheduled uninstall explains it. Treat deletions performed by <code>reg.exe</code>, PowerShell, or an unsigned binary as hostile until proven otherwise.</li>
<li>Review systems for potential exploitation of CVE-2022-44721 by examining process execution and registry modifications related to CrowdStrike, and confirm that deployed sensor versions are not affected.</li>
<li>Enable Sysmon Event ID 12 (RegistryEvent: object create and delete) and make sure the Sysmon configuration contains <code>RegistryEvent</code> include rules that cover the CrowdStrike key paths; Sysmon only records registry events for targets its rules match. As an independent source, a SACL on those keys together with the Security log&rsquo;s Audit Registry subcategory produces object-access events (Event ID 4663) for delete attempts even if Sysmon itself is tampered with.</li>
</ul>
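<p>As an added illustration of the detection logic the recommendations describe (this is example code written for this brief, not the Sigma rule named above and not CrowdStrike or CraftedSignal code), the following Python parses Sysmon-shaped Event ID 12 records, keeps only <code>DeleteKey</code> events whose <code>TargetObject</code> falls under a CrowdStrike key, and separates sanctioned uninstalls from everything else. The key prefixes, the uninstaller allow-list, and the sample events are assumptions constructed for the example and should be tuned to your environment.</p>

```python
"""Toy detector for unexpected deletion of CrowdStrike Falcon registry keys,
fed by Sysmon Event ID 12 (RegistryEvent: object create/delete) records.
Added example; not the brief's Sigma rule and not vendor code."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable

SYSMON_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed Falcon sensor key prefixes as Sysmon renders them in TargetObject.
CROWDSTRIKE_KEY_PREFIXES = (
    r"HKLM\System\CurrentControlSet\Services\CSAgent",
    r"HKLM\System\CurrentControlSet\Services\CSFalconService",
    r"HKLM\Software\CrowdStrike",
)

# Assumed allow-list of image names that delete these keys during a sanctioned
# uninstall. Leave it empty to alert on every deletion.
EXPECTED_UNINSTALLER_IMAGES = ("csuninstalltool.exe", "msiexec.exe")


@dataclass(frozen=True)
class RegistryEvent:
    event_id: int
    event_type: str      # CreateKey or DeleteKey for Event ID 12
    utc_time: str
    image: str
    user: str
    target_object: str


def parse_sysmon_event(xml_text: str) -> RegistryEvent:
    """Extract the fields the detection needs from one Sysmon event in XML form."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", default="0", namespaces=SYSMON_NS))
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", SYSMON_NS)}
    return RegistryEvent(
        event_id=event_id,
        event_type=data.get("EventType", ""),
        utc_time=data.get("UtcTime", ""),
        image=data.get("Image", ""),
        user=data.get("User", ""),
        target_object=data.get("TargetObject", ""),
    )


def is_crowdstrike_key(target_object: str) -> bool:
    """Case-insensitive prefix match, so subkeys such as ...\\CSAgent\\Sim also match."""
    path = target_object.lower()
    return any(path.startswith(prefix.lower()) for prefix in CROWDSTRIKE_KEY_PREFIXES)


def classify(event: RegistryEvent) -> str:
    """Return 'ignore', 'expected-uninstall' or 'alert' for one event."""
    if event.event_id != 12 or event.event_type != "DeleteKey":
        return "ignore"                 # creates, value sets, other event IDs
    if not is_crowdstrike_key(event.target_object):
        return "ignore"                 # deletion of an unrelated key
    image_name = event.image.rsplit("\\", 1)[-1].lower()
    if image_name in EXPECTED_UNINSTALLER_IMAGES:
        return "expected-uninstall"     # still worth matching to a change ticket
    return "alert"                      # reg.exe, PowerShell, custom tooling


def _sysmon_event(event_id: int, event_type: str, image: str, target: str, user: str) -> str:
    """Build a minimal Sysmon-shaped XML record (constructed sample, not real telemetry)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><EventID>{event_id}</EventID></System><EventData>'
        f'<Data Name="EventType">{event_type}</Data>'
        '<Data Name="UtcTime">2024-01-03 12:00:00.000</Data>'
        f'<Data Name="Image">{image}</Data>'
        f'<Data Name="TargetObject">{target}</Data>'
        f'<Data Name="User">{user}</Data></EventData></Event>'
    )


# Constructed sample log: a hostile deletion, a benign create, a sanctioned
# uninstall, and a deletion of an unrelated key.
SAMPLE_EVENTS = [
    _sysmon_event(12, "DeleteKey", r"C:\Windows\System32\reg.exe",
                  r"HKLM\System\CurrentControlSet\Services\CSAgent", r"CORP\jdoe"),
    _sysmon_event(12, "CreateKey", r"C:\Windows\System32\svchost.exe",
                  r"HKLM\Software\CrowdStrike\Foo", "NT AUTHORITY\\SYSTEM"),
    _sysmon_event(12, "DeleteKey", r"C:\Temp\CsUninstallTool.exe",
                  r"HKLM\System\CurrentControlSet\Services\CSFalconService", "NT AUTHORITY\\SYSTEM"),
    _sysmon_event(12, "DeleteKey", r"C:\Windows\System32\reg.exe",
                  r"HKLM\Software\Contoso\Widget", r"CORP\jdoe"),
]


def run_detection(xml_events: Iterable[str]) -> list:
    """Classify every record; callers route the 'alert' rows to triage."""
    return [(classify(e), e) for e in map(parse_sysmon_event, xml_events)]


if __name__ == "__main__":
    for verdict, evt in run_detection(SAMPLE_EVENTS):
        print(f"{verdict:18} {evt.user:20} {evt.image:40} {evt.target_object}")
```

<p>Run against the constructed sample, the <code>reg.exe</code> deletion of <code>CSAgent</code> is the only <code>alert</code>; the <code>CsUninstallTool.exe</code> deletion is tagged <code>expected-uninstall</code> so it can be reconciled against a change record rather than dropped. In a real pipeline the XML would come from the <code>Microsoft-Windows-Sysmon/Operational</code> channel or a SIEM export, and the allow-list should be as narrow as your deployment tooling permits, since an attacker who can run code as SYSTEM can also name a binary <code>msiexec.exe</code>.</p>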
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>defense-evasion</category><category>registry-modification</category><category>endpoint</category></item></channel></rss>