Hi there. So Breach Attack Simulation (BAS) tools are just that... simulations. Because you could be running these tools on production workloads (most customers do), they aren't actually going to do harm to the system like ransomware does. For this reason, they don't really behave like ransomware.
A few months ago, we spent a ton of time creating detections for one single BAS tool. Since then, the detections we created have only triggered... when someone runs that exact BAS tool. The behavioral logic required to catch a BAS tool doesn't look like an actual attack so those detections are pretty much useless unless you're pretending to run an attack with that one piece of software.
Now, is Falcon seeing all the stuff the BAS tool is doing? Yes. Is it logged? Yes. Your local SE can walk you through the telemetry if required.
This is a debate we continue to have internally. Do we take the content team and turn them loose on BAS tools knowing that the only benefit to customers could be... we detect a benign BAS tool? Or do we keep them focused on adversary tradecraft?
There are also a bunch of other places you can get malware. Also, as a security team, you can test no-harm but evil things. I used to test workflows by just downloading mimikatz using PowerShell (before CS had the test alert function).
MTA's stuff relies heavily on infrastructure that is usually offline before the posts go up though, right? I mean hosting costs money and might be linked back to the operator. Or are these peeps now playing CTF against the whole internet? I feel like suggesting a better idea is like handing a child scissors, but I will say I agree: Brad and people sharing more raw intel than they share elsewhere (of the 180 char variety) might lead somewhere.
In cases like that, I would reach out to your support engineer, explain what you have done and go from there. Sometimes it's an easy fix, or at least understanding your detection policies well, as you might have some disabled or not set to a strong level of detection. This is just a guess since I don't know how it was set up.
malware-traffic-analysis....net You can get real viruses to test out. Just test them way outside your environment.
Could even stick a Falcon sensor on the host, have it segmented off from everything else, and see if your detections
Yep that's the point.
Simulate the same attack with some other tool and observe.
Seriously? Wow. It's a simulator. Were you thrown the responsibility to admin CrowdStrike overnight?