<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Endpoint-Security — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/endpoint-security/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 04 May 2026 14:17:05 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/endpoint-security/feed.xml" rel="self" type="application/rss+xml"/><item><title>Potential Evasion via Windows Filtering Platform Blocking Security Software</title><link>https://feed.craftedsignal.io/briefs/2026-05-wfp-evasion/</link><pubDate>Mon, 04 May 2026 14:17:05 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-wfp-evasion/</guid><description>Adversaries may add malicious Windows Filtering Platform (WFP) rules to prevent endpoint security solutions from sending telemetry data, impairing defenses, which this rule detects by identifying multiple WFP block events where the process name is associated with endpoint security software.</description><content:encoded><![CDATA[<p>The Windows Filtering Platform (WFP) provides APIs and system services for network filtering and packet processing. Attackers can abuse WFP by creating malicious rules to block endpoint security processes, hindering their ability to send telemetry. This can be achieved by tools like Shutter, EDRSilencer, and Nighthawk. This detection rule identifies patterns of blocked network events linked to security software processes, signaling potential evasion tactics. 
The rule specifically looks for blocked network events linked to processes associated with known security software, aiming to detect and alert on attempts to disable or modify security tools. This behavior is especially concerning as it allows attackers to operate with reduced visibility.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to the target system (e.g., via compromised credentials or exploiting a vulnerability).</li>
<li>The attacker escalates privileges to gain administrative rights, necessary to interact with the Windows Filtering Platform.</li>
<li>The attacker uses a tool or script (e.g., leveraging the <code>netsh</code> command or custom WFP API calls) to create a new WFP filter.</li>
<li>The WFP filter is configured to block network traffic originating from specific processes associated with endpoint security software (e.g., <code>elastic-agent.exe</code>, <code>sysmon.exe</code>).</li>
<li>The system begins blocking network communication from the targeted security software.</li>
<li>The attacker executes malicious commands or malware on the system, knowing that security telemetry will be suppressed.</li>
<li>The attacker moves laterally within the network, repeating the WFP filter deployment on other systems to further impair defenses.</li>
<li>The attacker achieves their final objective, such as data exfiltration or ransomware deployment, with reduced risk of detection.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack using WFP to impair defenses can lead to a significant reduction in the effectiveness of endpoint security solutions. This can result in delayed detection of malicious activities, increased dwell time for attackers, and ultimately, a higher likelihood of successful data breaches or ransomware attacks. With endpoint telemetry blocked, organizations may remain unaware of the ongoing compromise until significant damage has occurred. The number of affected systems can vary depending on the attacker&rsquo;s scope and objectives.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable and review Windows Audit Filtering Platform Connection and Packet Drop events to populate the logs required for the provided EQL rule (<code>logs-system.security*</code>, <code>logs-windows.forwarded*</code>, <code>winlogbeat-*</code>).</li>
<li>Deploy the provided EQL rule to your SIEM to detect suspicious WFP modifications and tune for your environment.</li>
<li>Investigate any alerts generated by the EQL rule, focusing on identifying the specific processes being blocked and the source of the WFP rule modifications.</li>
<li>Regularly review and audit WFP rules to identify any unauthorized or suspicious entries.</li>
<li>Implement strict access controls and monitoring for systems authorized to modify WFP rules.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>defense-evasion</category><category>windows-filtering-platform</category><category>endpoint-security</category></item><item><title>CrowdStrike Innovations Secure AI Agents and Govern Shadow AI</title><link>https://feed.craftedsignal.io/briefs/2026-03-shadow-ai-governance/</link><pubDate>Sat, 28 Mar 2026 21:52:45 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-shadow-ai-governance/</guid><description>CrowdStrike is introducing innovations to secure AI agents and govern shadow AI across endpoints, SaaS, and cloud environments by extending AI detection and response (AIDR) capabilities to cover desktop AI applications and provide visibility into AI-related components, helping to prevent prompt attacks, data leaks, and policy violations.</description><content:encoded><![CDATA[<p>CrowdStrike is addressing the emerging threat landscape created by the rapid adoption of AI tools and agents within organizations. The increasing use of personal AI agents, particularly on developer machines, introduces new attack vectors such as &ldquo;living off the AI land&rdquo; (LOTAIL) exploits, indirect prompt injection, and agentic tool chain attacks. The rise of shadow AI, where employees adopt AI tools without oversight, exacerbates the issue. CrowdStrike&rsquo;s new innovations extend AI Detection and Response (AIDR) capabilities to cover desktop AI applications (ChatGPT, Gemini, Claude, DeepSeek, Microsoft Copilot, O365 Copilot, GitHub Copilot, and Cursor) and expand platform capabilities to secure AI workforce adoption and development across endpoints, SaaS environments, and cloud environments. 
Falcon AIDR will leverage the Falcon sensor to enable deployment of the Falcon AIDR browser extension from the Falcon console and obtain desktop application telemetry via the sensor&rsquo;s container network interface capability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access (via AI Agent):</strong> An attacker gains initial access by compromising an AI agent running on an endpoint, potentially through prompt injection or other vulnerabilities in the agent&rsquo;s design.</li>
<li><strong>Privilege Escalation:</strong> The attacker leverages the compromised AI agent&rsquo;s existing system permissions, which may be elevated, to gain further access to the system. AI agents often have high privileges to execute terminal commands, browse the web, and interact with files.</li>
<li><strong>Living off the AI Land (LOTAIL):</strong> The attacker uses the compromised AI agent to perform malicious actions that appear as legitimate user behavior, such as executing terminal commands, browsing websites, or interacting with files.</li>
<li><strong>Lateral Movement:</strong> The attacker utilizes the AI agent&rsquo;s network connectivity to discover and access other systems within the network, including LLM runtimes, MCP servers, and IDE extensions.</li>
<li><strong>Data Exfiltration:</strong> The attacker uses the AI agent to exfiltrate sensitive data from the compromised systems, such as source code, credentials, or other confidential information.</li>
<li><strong>Supply Chain Compromise:</strong> The attacker uses access to development environments via compromised AI tools to introduce malicious code into the software supply chain.</li>
<li><strong>Policy Violation:</strong> The attacker manipulates the AI agent to violate content policies or access control rules, potentially leading to unauthorized access to sensitive data or systems.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful attacks targeting AI agents and shadow AI can lead to significant data breaches, intellectual property theft, and supply chain compromises. The lack of visibility and governance over AI deployments creates a growing attack surface that traditional security controls are ill-equipped to handle. Compromised AI agents can be used to perform a wide range of malicious activities, including data exfiltration, lateral movement, and the introduction of malicious code into the software supply chain. The impact can range from financial losses and reputational damage to the compromise of critical infrastructure and sensitive government systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;AI Desktop Application Usage Detected&rdquo; to identify and monitor the use of AI desktop applications such as ChatGPT, Gemini, and others within your environment. This rule uses <code>process_creation</code> logs to detect the execution of these applications (see rule below).</li>
<li>Enable and configure AI Discovery in CrowdStrike Falcon Exposure Management to gain visibility into AI-related components running across endpoints, including AI apps, LLM runtimes, MCP servers, and IDE extensions. This leverages <code>Falcon for IT</code> telemetry as described in the overview.</li>
<li>Implement Falcon AIDR policies to monitor and protect agents built in Microsoft Copilot Studio against prompt injection attacks, data leaks, and policy violations.</li>
<li>Review and update access control policies for AI agents to minimize the potential impact of a compromise, focusing on the principle of least privilege.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>AI</category><category>AI-Security</category><category>Shadow-AI</category><category>Endpoint-Security</category><category>SaaS</category><category>Cloud</category></item><item><title>CrowdStrike Falcon Enhancements Secure AI Agents and Govern Shadow AI</title><link>https://feed.craftedsignal.io/briefs/2026-03-securing-ai-agents/</link><pubDate>Sat, 28 Mar 2026 09:23:42 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-securing-ai-agents/</guid><description>CrowdStrike is enhancing its Falcon platform with AI Detection and Response (AIDR) to secure AI agents and govern shadow AI across endpoints, SaaS, and cloud, addressing threats like prompt injection attacks, data leaks, and policy violations.</description><content:encoded><![CDATA[<p>CrowdStrike is addressing the emerging attack surface presented by the rapid adoption of AI tools, AI agents, and AI-powered software. Traditional security controls are insufficient to protect against novel threats like indirect prompt injection and agentic tool chain attacks, exacerbated by shadow AI. The CrowdStrike Falcon platform is being enhanced with AI Detection and Response (AIDR) capabilities to secure AI workforce adoption and development across endpoints, SaaS environments, and cloud environments. These enhancements include extending runtime security guardrails to agents built in Microsoft Copilot Studio and enhancing endpoint AI security capabilities. These capabilities aim to enable organizations to confidently and securely accelerate AI development and adoption.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a system, potentially through compromised credentials or a software vulnerability, targeting a developer machine with deployed AI tools.</li>
<li>The attacker exploits a personal AI agent like OpenClaw running on the endpoint, leveraging its autonomy and system permissions for malicious purposes (Living off the AI Land - LOTAIL).</li>
<li>The compromised AI agent executes terminal commands, browses the web, and interacts with files, mimicking legitimate user behavior.</li>
<li>The attacker leverages prompt injection techniques to manipulate the AI agent&rsquo;s behavior and access sensitive data.</li>
<li>The AI agent is used to access and exfiltrate sensitive data from the endpoint or connected network, bypassing traditional data loss prevention (DLP) controls.</li>
<li>The attacker uses the AI agent to move laterally within the network, accessing other systems and resources.</li>
<li>The attacker deploys malicious code or tools through the compromised AI agent, further compromising the environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The exploitation of AI agents and shadow AI can lead to significant data breaches, intellectual property theft, and reputational damage. Organizations face an increasing AI visibility and governance gap. Successful attacks can compromise sensitive data handled by AI applications and agents, leading to regulatory fines and legal liabilities. The lack of visibility into AI component deployments introduces supply chain risks and exploitable vulnerabilities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy CrowdStrike Falcon AIDR to gain visibility into employees&rsquo; use of AI applications, including full prompt content, and to detect prompt attacks, data leaks, and access control and content policy violations.</li>
<li>Utilize AI Discovery in CrowdStrike Falcon Exposure Management to automatically discover AI-related components running across endpoints in real time, including AI apps and agents, LLM runtimes, MCP servers, and IDE extensions.</li>
<li>Implement runtime security guardrails using Falcon AIDR to monitor Microsoft Copilot Studio agents for prompt injection attacks, data leaks, and policy violations in real time.</li>
<li>Enable Sysmon process creation logging to activate the &ldquo;Detect Suspicious AI Agent Processes&rdquo; rule below.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ai</category><category>shadow-ai</category><category>prompt-injection</category><category>data-leak</category><category>endpoint-security</category></item><item><title>CrowdStrike Falcon Enhancements for Securing AI Agents and Governing Shadow AI</title><link>https://feed.craftedsignal.io/briefs/2026-03-ai-security/</link><pubDate>Sat, 28 Mar 2026 08:12:22 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-ai-security/</guid><description>CrowdStrike is enhancing its Falcon platform with new AI detection and response capabilities to secure AI agents and govern shadow AI across endpoints, SaaS, and cloud environments, addressing threats like prompt injection and data leaks.</description><content:encoded><![CDATA[<p>CrowdStrike is addressing the emerging security challenges posed by the rapid adoption of AI tools and agents within organizations. The increasing use of AI, particularly on endpoints and within SaaS environments, creates new attack surfaces that traditional security measures are ill-equipped to handle. These surfaces include vulnerabilities related to prompt injection, agentic tool chain attacks, and data leaks. The rise of shadow AI, where employees adopt AI tools without proper oversight, further exacerbates these challenges. CrowdStrike&rsquo;s new innovations extend the Falcon platform&rsquo;s AI Detection and Response (AIDR) capabilities across endpoints, SaaS environments, and cloud environments, providing enhanced visibility, governance, and threat detection for AI adoption and development. The goal is to enable organizations to securely accelerate AI initiatives while mitigating the associated risks.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an endpoint, potentially a developer machine, through social engineering or exploiting a software vulnerability.</li>
<li>The attacker leverages a compromised AI agent, such as OpenClaw, or an AI-powered application installed on the endpoint.</li>
<li>The compromised AI agent executes commands on the endpoint, leveraging the agent&rsquo;s high system permissions, to enumerate sensitive files and network resources.</li>
<li>The attacker performs an indirect prompt injection attack against an AI application, modifying the application&rsquo;s behavior to leak sensitive data.</li>
<li>The compromised agent initiates a connection to a command-and-control (C2) server to exfiltrate stolen data.</li>
<li>The attacker exploits a misconfigured Model Context Protocol (MCP) server within the development environment to access sensitive AI models and training data.</li>
<li>The attacker leverages a Copilot Studio agent with insufficient security guardrails to access and exfiltrate sensitive data from a SaaS application.</li>
<li>The attacker successfully exfiltrates sensitive data and potentially gains persistent access to the environment, impacting data confidentiality and integrity.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack targeting AI agents and shadow AI can lead to significant data breaches, intellectual property theft, and reputational damage. Organizations may experience compliance violations due to the leakage of sensitive data. The lack of visibility and governance over AI deployments can result in widespread vulnerabilities and increased attack surfaces, potentially affecting thousands of endpoints and cloud environments. The compromise of AI models and training data can lead to the manipulation of AI systems, causing them to make incorrect decisions or provide malicious outputs.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect AI Application Usage</code> to identify the use of desktop AI applications like ChatGPT, Gemini, and Copilot on endpoints to gain visibility into shadow AI (logsource: <code>process_creation</code>).</li>
<li>Utilize Falcon Exposure Management&rsquo;s AI Discovery capabilities to identify AI-related components running on endpoints, including LLMs, MCP servers, and IDE extensions, to manage AI-related risks.</li>
<li>Monitor network connections from processes associated with AI tools for suspicious outbound traffic to detect potential data exfiltration attempts (logsource: <code>network_connection</code>).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>AI-Security</category><category>Shadow-AI</category><category>Endpoint-Security</category></item></channel></rss>