legitimate crowdstrike administrators may use rtr runscript commands for maintenance or troubleshooting. filter alerts for trusted user activity and approved scripts.

Techniques

T1059.001

Sample rules

Windows Crowdstrike RTR Script Execution

source: splunk
technicques:
- T1059.001

Description

Detects usage of Crowdstrike Real Time Response (RTR) to execute a “runscript” command. This can be used by malicious actors with access to the Crowdstrike Dashboard to execute commands on remote managed hosts.

Detection logic


| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

from datamodel=Endpoint.Processes where

Processes.parent_process_name="dllhost.exe"
Processes.parent_process="*/Processid:{BD07DDB9-1C61-4DCE-9202-A2BA1757CDB2}*"
Processes.process_name="powershell.exe"
Processes.process="* -Version 5.1 -s -NoLogo -NoProfile -EncodedCommand*"

by Processes.process Processes.vendor_product Processes.user_id Processes.process_hash
   Processes.parent_process_name Processes.parent_process_exec Processes.action
   Processes.dest Processes.process_current_directory Processes.process_path
   Processes.process_integrity_level Processes.original_file_name Processes.parent_process
   Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id
   Processes.process_guid Processes.process_id Processes.user Processes.process_name


| `drop_dm_object_name(Processes)`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `windows_crowdstrike_rtr_script_execution_filter`