Falcon Detection Matrix - FDM
MITRE-Based Falcon Detections Framework
CrowdStrike is aligned with MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) matrix to label our detections. ATT&CK is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risks against known adversary behavior, planning security improvements, and verifying defenses work as expected.
Contents:
- About objective, tactic, technique, and description
- About the Falcon Detection Methods matrices
- ATT&CK Matrix for Enterprise
- ATT&CK Matrix for Mobile
About objective, tactic, technique, and description
Objective layer: Groups related tactics, making them easier to learn and remember.
Gain access -- Initial Access, Credential Access, Privilege Escalation
Keep access -- Persistence, Defense Evasion
Explore -- Discovery, Lateral Movement
Contact controlled systems -- Command and Control
Follow through (basically, steal and break things) -- Collection, Exfiltration, Execution, Impact
Falcon detection description: Even more specific than technique, it states what triggered that detection, why it’s considered a problem, and suggests how to start investigating.
Together they provide this
comprehensive view:
- The adversary is trying to <objective> by <tactic> using <technique>.
- <Activity> happened.
- Possibly <intent>.
- Start investigating by <action>.
For example:
The adversary is trying to keep access by defense evasion using process hollowing.
A system process appears to have been hijacked by malware, likely through injection or hollowing.
The process will likely attempt to contact external infrastructure or download a malicious payload.
Investigate the process tree.
About the Falcon Detection Methods matrices
Falcon can detect and prevent activities that don’t map directly to the ATT&CK matrix, so we created the Falcon Detection Methods (FDM) matrix to provide useful information for them. The FDM tactics and techniques highlight behavior we consider suspicious and malicious, and worth investigating. It’s not an exact parallel to ATT&CK, but we keep that structure to match workflows with the ATT&CK-aligned detections.
Most closely aligned are the Malware, Exploit, and Post-Exploit tactics and techniques. They’re areas MITRE doesn’t yet include in the ATT&CK matrix.
Malware -- Broad category for all software intended to cause harm, and can be identified and prevented based on its hash or file.
Exploit -- Exploit Mitigation
Post-Exploit -- Malicious Tool Delivery, Malicious Tool Execution, Command-Line Interface
The others reflect how CrowdStrike Falcon detects activities
Machine Learning -- Detected by our next-gen antivirus/anti-malware solution, controlled by settings in Configuration > Prevention Policies.
Falcon OverWatch -- For OverWatch customers. Our OverWatch team identified activity they consider suspicious or malicious. These alerts are marked with a black falcon badge, and should always be investigated.
Falcon Intel -- For Falcon Intelligence customers. Indicates activity that matches known adversary behavior.
Custom Intelligence -- If you use our Query API to create a custom IOC, those detections have this tactic with an Indicator of Compromise technique.
FALCON DETECTIONS METHODS TACTICS AND TECHNIQUES
The FDM Matrix for Enterprise covers Windows, Mac, and Linux.
Malware | Exploit | Post-Exploit | Machine Learning | Custom Intelligence | Falcon Overwatch | Falcon Intel |
|---|---|---|---|---|---|---|
Known Hash | Exploit Mitigation | Malicious Tool Delivery | Cloud-based ML | Indicator of Compromise | Suspicious Activity | Attributed to Adversary |
Destructive Malware | Malicious Tool Execution | Sensor-based ML | Indicator of Attack | Malicious Activity | Intelligence Indicator - Hash | |
Malicious File | Command-Line Interface | Adware/PUP | Malicious File | Intelligence Indicator - Domain | ||
Adware | ||||||
PUP |
The FDM Matrix for Mobile covers iOS and Android.
Malware | Exploit | Post-Exploit | Machine Learning | Custom Intelligence | Falcon Overwatch | Falcon Intel | Insecure Security Posture |
|---|---|---|---|---|---|---|---|
Known Hash | Exploit Mitigation | Malicious Tool Delivery | Cloud-based ML | Indicator of Compromise | Suspicious Activity | Attributed to Adversary | Bad Device Settings |
Destructive Malware | Malicious Tool Execution | Sensor-based ML | Indicator of Attack | Malicious Activity | Intelligence Indicator - Hash | Bypass Monitoring | |
Malicious File | Command-Line Interface | Adware/PUP | Malicious File | Intelligence Indicator - Domain | |||
Adware | Intelligence Indicator - IP |
ATT&CK Matrix for Enterprise
The full ATT&CK Matrix includes techniques spanning Windows, Mac, and Linux platforms and can be used to navigate through the knowledge base.
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|
Drive-by Compromise | AppleScript | .bash_profile and .bashrc | Access Token Manipulation | Access Token Manipulation | Account Manipulation | Account Discovery | AppleScript | Audio Capture | Automated Exfiltration | Commonly Used Port | Data Destruction |
Exploit Public-Facing Application | CMSTP | Accessibility Features | Accessibility Features | BITS Jobs | Bash History | Application Window Discovery | Application Deployment Software | Automated Collection | Data Compressed | Communication Through Removable Media | Data Encrypted for Impact |
Hardware Additions | Command-Line Interface | AppCert DLLs | AppCert DLLs | Binary Padding | Brute Force | Browser Bookmark Discovery | Distributed Component Object Model | Clipboard Data | Data Encrypted | Connection Proxy | Defacement |
Replication Through Removable Media | Compiled HTML Application | AppInit DLLs | AppInit DLLs | Bypass User Account Control | Credential Dumping | Domain Trust Discovery | Exploitation of Remote Services | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol | Disk Content Wipe |
Spearphishing Attachment | Control Panel Items | Application Shimming | Application Shimming | CMSTP | Credentials in Files | File and Directory Discovery | Logon Scripts | Data from Information Repositories | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol | Disk Structure Wipe |
Spearphishing Link | Dynamic Data Exchange | Authentication Package | Bypass User Account Control | Clear Command History | Credentials in Registry | Network Service Scanning | Pass the Hash | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding | Endpoint Denial of Service |
Spearphishing via Service | Execution through API | BITS Jobs | DLL Search Order Hijacking | Code Signing | Exploitation for Credential Access | Network Share Discovery | Pass the Ticket | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation | Firmware Corruption |
Supply Chain Compromise | Execution through Module Load | Bootkit | Dylib Hijacking | Compile After Delivery | Forced Authentication | Password Policy Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Physical Medium | Domain Fronting | Inhibit System Recovery |
Trusted Relationship | Exploitation for Client Execution | Browser Extensions | Exploitation for Privilege Escalation | Component Firmware | Hooking | Peripheral Device Discovery | Remote File Copy | Email Collection | Scheduled Transfer | Domain Generation Algorithms | Network Denial of Service |
Valid Accounts | Graphical User Interface | Change Default File Association | Extra Window Memory Injection | Component Object Model Hijacking | Input Capture | Permission Groups Discovery | Remote Services | Input Capture | Fallback Channels | Resource Hijacking | |
InstallUtil | Component Firmware | File System Permissions Weakness | Control Panel Items | Input Prompt | Process Discovery | Replication Through Removable Media | Man in the Browser | Multi-Stage Channels | Runtime Data Manipulation | ||
LSASS Driver | Component Object Model Hijacking | Hooking | DC Shadow | Kerberoasting | Query Registry | SSH Hijacking | Screen Capture | Multi-hop Proxy | Service Stop | ||
Launchctl | Create Account | Image File Execution Options Injection | DLL Search Order Hijacking | Keychain | Remote System Discovery | Shared Webroot | Video Capture | Multiband Communication | Stored Data Manipulation | ||
Local Job Scheduling | DLL Search Order Hijacking | Launch Daemon | DLL Side-Loading | LLMNR/NBT-NS Poisoning | Security Software Discovery | Taint Shared Content | Multilayer Encryption | Transmitted Data Manipulation | |||
Mshta | Dylib Hijacking | New Service | Deobfuscate/Decode Files or Information | Network Sniffing | System Information Discovery | Third-party Software | Port Knocking | ||||
PowerShell | External Remote Services | Path Interception | Disabling Security Tools | Password Filter DLL | System Network Configuration Discovery | Windows Admin Shares | Remote Access Tools | ||||
Regsvcs/Regasm | File System Permissions Weakness | Plist Modification | Execution Guardrails | Private Keys | System Network Connections Discovery | Windows Remote Management | Remote File Copy | ||||
Regsvr32 | Hidden Files and Directories | Port Monitors | Exploitation for Defense Evasion | Replication Through Removable Media | System Owner/User Discovery | Standard Application Layer Protocol | |||||
Rundll32 | Hooking | Process Injection | Extra Window Memory Injection | Securityd Memory | System Service Discovery | Standard Cryptographic Protocol | |||||
Scheduled Task | Hypervisor | SID-History Injection | File Deletion | Two-Factor Authentication Interception | System Time Discovery | Standard Non-Application Layer Protocol | |||||
Scripting | Image File Execution Options Injection | Scheduled Task | File Permissions Modification | Virtualization/Sandbox Evasion | Uncommonly Used Port | ||||||
Service Execution | Kernel Modules and Extensions | Service Registry Permissions Weakness | File System Logical Offsets | Web Service | |||||||
Signed Binary Proxy Execution | LC_LOAD_DYLIB Addition | Setuid and Setgid | Gatekeeper Bypass | ||||||||
Signed Script Proxy Execution | LSASS Driver | Startup Items | Group Policy Modification | ||||||||
Source | Launch Agent | Sudo | HISTCONTROL | ||||||||
Space after Filename | Launch Daemon | Sudo Caching | Hidden Files and Directories | ||||||||
Third-party Software | Launchctl | Valid Accounts | Hidden Users | ||||||||
Trap | Local Job Scheduling | Web Shell | Hidden Window | ||||||||
Trusted Developer Utilities | Login Item | Image File Execution Options Injection | |||||||||
User Execution | Logon Scripts | Indicator Blocking | |||||||||
XSL Script Processing | Modify Existing Service | Indicator Removal from Tools | |||||||||
Windows Management Instrumentation | Netsh Helper DLL | Indicator Removal on Host | |||||||||
Windows Remote Management | New Service | Indirect Command Execution | |||||||||
Office Application Startup | Install Root Certificate | ||||||||||
Path Interception | InstallUtil | ||||||||||
Plist Modification | LC_MAIN Hijacking | ||||||||||
Port Knocking | Launchctl | ||||||||||
Port Monitors | Masquerading | ||||||||||
Rc.common | Modify Registry | ||||||||||
Re-opened Applications | Mshta | ||||||||||
Redundant Access | NTFS File Attributes | ||||||||||
Registry Run Keys / Start Folder | Network Share Connection Removal | ||||||||||
SIP and Trust Provider Hijacking | Obfuscated Files or Information | ||||||||||
Scheduled Task | Plist Modification | ||||||||||
Screensaver | Port Knocking | ||||||||||
Security Support Provider | Process Doppelgänging | ||||||||||
Service Registry Permissions Weakness | Process Hollowing | ||||||||||
Shortcut Modification | Process Injection | ||||||||||
Startup Items | Redundant Access | ||||||||||
System Firmware | Regsvcs/Regasm | ||||||||||
Systemd Service | Regsvr32 | ||||||||||
Time Providers | Rootkit | ||||||||||
Trap | Rundll32 | ||||||||||
Valid Accounts | SIP and Trust Provider Hijacking | ||||||||||
Web Shell | Scripting | ||||||||||
Windows Management Instrumentation Event Subscription | Signed Binary Proxy Execution | ||||||||||
Winlogon Helper DLL | Signed Script Proxy Execution | ||||||||||
Software Packing | |||||||||||
Space after Filename | |||||||||||
Template Injection | |||||||||||
Timestomp | |||||||||||
Trusted Developer Utilities | |||||||||||
Valid Accounts | |||||||||||
Virtualization/Sandbox Evasion | |||||||||||
Web Service |
ATT&CK Matrix For Mobile
Gain Access | Keep Access | Explore | Contact Controlled Systems | Follow Through | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
Initial Access | Credential Access | Privilege Escalation | Persistence | Defense Evasion | Discovery | Lateral Movement | Command and Control | Collection | Exfiltration | Impact | Network Effects | Remote Service Effects |
Deliver Malicious App via Authorized App Store | Abuse Accessibility Features | Exploit OS Vulnerability | Abuse Device Administrator Access to Prevent Removal | Application Discovery | Application Discovery | Attack PC via USB Connection | Alternate Network Mediums | Abuse Accessibility Features | Alternate Network Mediums | Encrypt Files | Downgrade to Insecure Protocols | Obtain Device Cloud Backups |
Deliver Malicious App via Other Means | Access Sensitive Data in Device Logs | Exploit TEE Vulnerability | App Auto-Start at Device Boot | Disguise Root/Jailbreak Indicators | Device Type Discovery | Exploit Enterprise Resources | Commonly Used Port | Access Calendar Entries | Commonly Used Port | Generate Fraudulent Advertising Revenue | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization |
Drive-by Compromise | Access Sensitive Data or Credentials in Files | Modify cached executable code | Download New Code at Runtime | File and Directory Discovery | Standard Application Layer Protocol | Access Call Log | Standard Application Layer Protocol | Lock User Out of Device | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | ||
Exploit via Charging Station or PC | Android Intent Hijacking | Modify OS Kernel or Boot Partition | Install Insecure or Malicious Configuration | Network Service Scanning | Web Service | Access Contact List | Manipulate App Store Rankings or Ratings | Exploit SS7 to Track Device Location | ||||
Exploit via Radio Interfaces | Capture Clipboard Data | Modify System Partition | Modify OS Kernel or Boot Partition | Process Discovery | Access Sensitive Data in Device Logs | Premium SMS Toll Fraud | Jamming or Denial of Service | |||||
Install Insecure or Malicious Configuration | Capture SMS Messages | Modify Trusted Execution Environment | Modify System Partition | System Information Discovery | Access Sensitive Data or Credentials in Files | Wipe Device Data | Manipulate Device Communication | |||||
Lockscreen Bypass | Exploit TEE Vulnerability | Modify Trusted Execution Environment | System Network Configuration Discovery | Capture Clipboard Data | Rogue Cellular Base Station |
Comments
Post a Comment