Falcon Detection Matrix - FDM

MITRE-Based Falcon Detections Framework

CrowdStrike is aligned with MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) matrix to label our detections. ATT&CK is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risks against known adversary behavior, planning security improvements, and verifying defenses work as expected.

Contents:

  • About objective, tactic, technique, and description
  • About the Falcon Detection Methods matrices
  • ATT&CK Matrix for Enterprise
  • ATT&CK Matrix for Mobile

About objective, tactic, technique, and description

Falcon label each detection with a tactic and technique combination, characterizing and describing what the adversary is trying to do and what they’re using to do it. it also include additions that build on ATT&CK.

Objective layer: Groups related tactics, making them easier to learn and remember.

    • Gain access -- Initial Access, Credential Access, Privilege Escalation

    • Keep access -- Persistence, Defense Evasion

    • Explore -- Discovery, Lateral Movement

    • Contact controlled systems -- Command and Control

    • Follow through (basically, steal and break things) -- Collection, Exfiltration, Execution, Impact

Falcon detection description: Even more specific than technique, it states what triggered that detection, why it’s considered a problem, and suggests how to start investigating.

   Together they provide this comprehensive view:

  • The adversary is trying to <objective> by <tactic> using <technique>.
  • <Activity> happened.
  • Possibly <intent>.
  • Start investigating by <action>.

For example:

  • The adversary is trying to keep access by defense evasion using process hollowing.

  • A system process appears to have been hijacked by malware, likely through injection or hollowing.

  • The process will likely attempt to contact external infrastructure or download a malicious payload.

  • Investigate the process tree.

About the Falcon Detection Methods matrices

Falcon can detect and prevent activities that don’t map directly to the ATT&CK matrix, so we created the Falcon Detection Methods (FDM) matrix to provide useful information for them. The FDM tactics and techniques highlight behavior we consider suspicious and malicious, and worth investigating. It’s not an exact parallel to ATT&CK, but we keep that structure to match workflows with the ATT&CK-aligned detections.

Most closely aligned are the Malware, Exploit, and Post-Exploit tactics and techniques. They’re areas MITRE doesn’t yet include in the ATT&CK matrix.

  • Malware -- Broad category for all software intended to cause harm, and can be identified and prevented based on its hash or file.

  • Exploit -- Exploit Mitigation

  • Post-Exploit -- Malicious Tool Delivery, Malicious Tool Execution, Command-Line Interface

The others reflect how CrowdStrike Falcon detects activities

  • Machine Learning -- Detected by our next-gen antivirus/anti-malware solution, controlled by settings in Configuration > Prevention Policies.

  • Falcon OverWatch -- For OverWatch customers. Our OverWatch team identified activity they consider suspicious or malicious. These alerts are marked with a black falcon badge, and should always be investigated.

  • Falcon Intel -- For Falcon Intelligence customers. Indicates activity that matches known adversary behavior.

  • Custom Intelligence -- If you use our Query API to create a custom IOC, those detections have this tactic with an Indicator of Compromise technique.

FALCON DETECTIONS METHODS TACTICS AND TECHNIQUES

The FDM Matrix for Enterprise covers Windows, Mac, and Linux.

Malware

Exploit

Post-Exploit

Machine Learning

Custom Intelligence

Falcon Overwatch

Falcon Intel

Known Hash

Exploit Mitigation

Malicious Tool Delivery

Cloud-based ML

Indicator of Compromise

Suspicious Activity

Attributed to Adversary

Destructive Malware

Malicious Tool Execution

Sensor-based ML

Indicator of Attack

Malicious Activity

Intelligence Indicator - Hash

Malicious File

Command-Line Interface

Adware/PUP

Malicious File

Intelligence Indicator - Domain

Adware

PUP


The FDM Matrix for Mobile covers iOS and Android.

Malware

Exploit

Post-Exploit

Machine Learning

Custom Intelligence

Falcon Overwatch

Falcon Intel

Insecure Security Posture

Known Hash

Exploit Mitigation

Malicious Tool Delivery

Cloud-based ML

Indicator of Compromise

Suspicious Activity

Attributed to Adversary

Bad Device Settings

Destructive Malware

Malicious Tool Execution

Sensor-based ML

Indicator of Attack

Malicious Activity

Intelligence Indicator - Hash

Bypass Monitoring

Malicious File

Command-Line Interface

Adware/PUP

Malicious File

Intelligence Indicator - Domain

Adware

Intelligence Indicator - IP

ATT&CK Matrix for Enterprise

The full ATT&CK Matrix includes techniques spanning Windows, Mac, and Linux platforms and can be used to navigate through the knowledge base.

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Drive-by Compromise

AppleScript

.bash_profile and .bashrc

Access Token Manipulation

Access Token Manipulation

Account Manipulation

Account Discovery

AppleScript

Audio Capture

Automated Exfiltration

Commonly Used Port

Data Destruction

Exploit Public-Facing Application

CMSTP

Accessibility Features

Accessibility Features

BITS Jobs

Bash History

Application Window Discovery

Application Deployment Software

Automated Collection

Data Compressed

Communication Through Removable Media

Data Encrypted for Impact

Hardware Additions

Command-Line Interface

AppCert DLLs

AppCert DLLs

Binary Padding

Brute Force

Browser Bookmark Discovery

Distributed Component Object Model

Clipboard Data

Data Encrypted

Connection Proxy

Defacement

Replication Through Removable Media

Compiled HTML Application

AppInit DLLs

AppInit DLLs

Bypass User Account Control

Credential Dumping

Domain Trust Discovery

Exploitation of Remote Services

Data Staged

Data Transfer Size Limits

Custom Command and Control Protocol

Disk Content Wipe

Spearphishing Attachment

Control Panel Items

Application Shimming

Application Shimming

CMSTP

Credentials in Files

File and Directory Discovery

Logon Scripts

Data from Information Repositories

Exfiltration Over Alternative Protocol

Custom Cryptographic Protocol

Disk Structure Wipe

Spearphishing Link

Dynamic Data Exchange

Authentication Package

Bypass User Account Control

Clear Command History

Credentials in Registry

Network Service Scanning

Pass the Hash

Data from Local System

Exfiltration Over Command and Control Channel

Data Encoding

Endpoint Denial of Service

Spearphishing via Service

Execution through API

BITS Jobs

DLL Search Order Hijacking

Code Signing

Exploitation for Credential Access

Network Share Discovery

Pass the Ticket

Data from Network Shared Drive

Exfiltration Over Other Network Medium

Data Obfuscation

Firmware Corruption

Supply Chain Compromise

Execution through Module Load

Bootkit

Dylib Hijacking

Compile After Delivery

Forced Authentication

Password Policy Discovery

Remote Desktop Protocol

Data from Removable Media

Exfiltration Over Physical Medium

Domain Fronting

Inhibit System Recovery

Trusted Relationship

Exploitation for Client Execution

Browser Extensions

Exploitation for Privilege Escalation

Component Firmware

Hooking

Peripheral Device Discovery

Remote File Copy

Email Collection

Scheduled Transfer

Domain Generation Algorithms

Network Denial of Service

Valid Accounts

Graphical User Interface

Change Default File Association

Extra Window Memory Injection

Component Object Model Hijacking

Input Capture

Permission Groups Discovery

Remote Services

Input Capture

Fallback Channels

Resource Hijacking

InstallUtil

Component Firmware

File System Permissions Weakness

Control Panel Items

Input Prompt

Process Discovery

Replication Through Removable Media

Man in the Browser

Multi-Stage Channels

Runtime Data Manipulation

LSASS Driver

Component Object Model Hijacking

Hooking

DC Shadow

Kerberoasting

Query Registry

SSH Hijacking

Screen Capture

Multi-hop Proxy

Service Stop

Launchctl

Create Account

Image File Execution Options Injection

DLL Search Order Hijacking

Keychain

Remote System Discovery

Shared Webroot

Video Capture

Multiband Communication

Stored Data Manipulation

Local Job Scheduling

DLL Search Order Hijacking

Launch Daemon

DLL Side-Loading

LLMNR/NBT-NS Poisoning

Security Software Discovery

Taint Shared Content

Multilayer Encryption

Transmitted Data Manipulation

Mshta

Dylib Hijacking

New Service

Deobfuscate/Decode Files or Information

Network Sniffing

System Information Discovery

Third-party Software

Port Knocking

PowerShell

External Remote Services

Path Interception

Disabling Security Tools

Password Filter DLL

System Network Configuration Discovery

Windows Admin Shares

Remote Access Tools

Regsvcs/Regasm

File System Permissions Weakness

Plist Modification

Execution Guardrails

Private Keys

System Network Connections Discovery

Windows Remote Management

Remote File Copy

Regsvr32

Hidden Files and Directories

Port Monitors

Exploitation for Defense Evasion

Replication Through Removable Media

System Owner/User Discovery

Standard Application Layer Protocol

Rundll32

Hooking

Process Injection

Extra Window Memory Injection

Securityd Memory

System Service Discovery

Standard Cryptographic Protocol

Scheduled Task

Hypervisor

SID-History Injection

File Deletion

Two-Factor Authentication Interception

System Time Discovery

Standard Non-Application Layer Protocol

Scripting

Image File Execution Options Injection

Scheduled Task

File Permissions Modification

Virtualization/Sandbox Evasion

Uncommonly Used Port

Service Execution

Kernel Modules and Extensions

Service Registry Permissions Weakness

File System Logical Offsets

Web Service

Signed Binary Proxy Execution

LC_LOAD_DYLIB Addition

Setuid and Setgid

Gatekeeper Bypass

Signed Script Proxy Execution

LSASS Driver

Startup Items

Group Policy Modification

Source

Launch Agent

Sudo

HISTCONTROL

Space after Filename

Launch Daemon

Sudo Caching

Hidden Files and Directories

Third-party Software

Launchctl

Valid Accounts

Hidden Users

Trap

Local Job Scheduling

Web Shell

Hidden Window

Trusted Developer Utilities

Login Item

Image File Execution Options Injection

User Execution

Logon Scripts

Indicator Blocking

XSL Script Processing

Modify Existing Service

Indicator Removal from Tools

Windows Management Instrumentation

Netsh Helper DLL

Indicator Removal on Host

Windows Remote Management

New Service

Indirect Command Execution

Office Application Startup

Install Root Certificate

Path Interception

InstallUtil

Plist Modification

LC_MAIN Hijacking

Port Knocking

Launchctl

Port Monitors

Masquerading

Rc.common

Modify Registry

Re-opened Applications

Mshta

Redundant Access

NTFS File Attributes

Registry Run Keys / Start Folder

Network Share Connection Removal

SIP and Trust Provider Hijacking

Obfuscated Files or Information

Scheduled Task

Plist Modification

Screensaver

Port Knocking

Security Support Provider

Process Doppelgänging

Service Registry Permissions Weakness

Process Hollowing

Shortcut Modification

Process Injection

Startup Items

Redundant Access

System Firmware

Regsvcs/Regasm

Systemd Service

Regsvr32

Time Providers

Rootkit

Trap

Rundll32

Valid Accounts

SIP and Trust Provider Hijacking

Web Shell

Scripting

Windows Management Instrumentation Event Subscription

Signed Binary Proxy Execution

Winlogon Helper DLL

Signed Script Proxy Execution

Software Packing

Space after Filename

Template Injection

Timestomp

Trusted Developer Utilities

Valid Accounts

Virtualization/Sandbox Evasion

Web Service



ATT&CK Matrix For Mobile


Gain Access

Keep Access

Explore

Contact Controlled Systems

Follow Through

Initial Access

Credential Access

Privilege Escalation

Persistence

Defense Evasion

Discovery

Lateral Movement

Command and Control

Collection

Exfiltration

Impact

Network Effects

Remote Service Effects

Deliver Malicious App via Authorized App Store

Abuse Accessibility Features

Exploit OS Vulnerability

Abuse Device Administrator Access to Prevent Removal

Application Discovery

Application Discovery

Attack PC via USB Connection

Alternate Network Mediums

Abuse Accessibility Features

Alternate Network Mediums

Encrypt Files

Downgrade to Insecure Protocols

Obtain Device Cloud Backups

Deliver Malicious App via Other Means

Access Sensitive Data in Device Logs

Exploit TEE Vulnerability

App Auto-Start at Device Boot

Disguise Root/Jailbreak Indicators

Device Type Discovery

Exploit Enterprise Resources

Commonly Used Port

Access Calendar Entries

Commonly Used Port

Generate Fraudulent Advertising Revenue

Eavesdrop on Insecure Network Communication

Remotely Track Device Without Authorization

Drive-by Compromise

Access Sensitive Data or Credentials in Files

Modify cached executable code

Download New Code at Runtime

File and Directory Discovery

Standard Application Layer Protocol

Access Call Log

Standard Application Layer Protocol

Lock User Out of Device

Exploit SS7 to Redirect Phone Calls/SMS

Remotely Wipe Data Without Authorization

Exploit via Charging Station or PC

Android Intent Hijacking

Modify OS Kernel or Boot Partition

Install Insecure or Malicious Configuration

Network Service Scanning

Web Service

Access Contact List

Manipulate App Store Rankings or Ratings

Exploit SS7 to Track Device Location

Exploit via Radio Interfaces

Capture Clipboard Data

Modify System Partition

Modify OS Kernel or Boot Partition

Process Discovery

Access Sensitive Data in Device Logs

Premium SMS Toll Fraud

Jamming or Denial of Service

Install Insecure or Malicious Configuration

Capture SMS Messages

Modify Trusted Execution Environment

Modify System Partition

System Information Discovery

Access Sensitive Data or Credentials in Files

Wipe Device Data

Manipulate Device Communication

Lockscreen Bypass

Exploit TEE Vulnerability

Modify Trusted Execution Environment

System Network Configuration Discovery

Capture Clipboard Data

Rogue Cellular Base Station

ATT&CK and ATT&CK Matrix are trademarks of The MITRE Corporation.

Comments

Popular posts from this blog

RTR using Falcon Crowdstrike

Top Commands Mostly Used By System Administrator.

SECURITY OPERATION CENTRE

Damn Vulnerable Web Application - Part 1

Cyber Threat Intelligence

Collective Intelligence Framework v3 - Part 1

Top 20 Subdomains Search Engines

Collective Intelligence Framework v3 - Part 2

Security Architecture for Startup

TrickBot Malware Family - A Deep Dive using Falcon Crowdstrike