Detecting Fake CrowdStrike Domains using Stamus Security Platform

The recent global outage caused by an update to CrowdStrike Falcon, CrowdStrike's endpoint detection and response (EDR) system has resulted in the registration of numerous lookalike domains. We suspect that many of these were registered by bad actors with the intention of using them for scams and/or malicious phishing campaigns.

Many lookalike CrowdStrike domains have been registered in the past 3 days.  

Due to the suspicious nature of these newly registered domains, we recommend organizations monitor network activity to determine if any of their systems are communicating with these domains.

As these domains are created, Stamus Networks is adding these domains to the Newly Registered Domain (NRD) threat intelligence feed. 

Stamus Security Platform provides for detection and escalation of Newly Registered Domains. Those are available by default to any Stamus Customer. Access the online documentation to verify that you have this feed enabled. 

If you are not a current Stamus Security Platform user, the Newly Registered Domain (NRD) threat intelligence feeds are available here. All six NRD feeds are free and optimized for SELKS and Suricata 7 users. To learn more about NRD threat intelligence, read our blog post "Introducing Open NRD: Newly Registered Domain Threat Intel Feeds for Suricata". 

Please find below examples of the recently registered suspicious (mostly with malicious intent) CrowdStrike-related domains: 

crowdstrike24[. ]site

crowdstrike24[. ]online

thecrowdstrike[. ]com

thecrowdstrike[. ]com

thecrowdstrike[. ]com

crowdstrike[. ]blue

crowdstrike[. ]bot

crowdstrike[. ]cam

crowdstrike[. ]fail

crowdstrike[. ]help

crowdstrikeoutage[. ]info

crowdstrikedown[. ]site

crowdstrikereport[. ]com

crowdstrike-bluescreen[. ]com

crowdstrike-helpdesk[. ]com

crowdstrike-out[. ]com

crowdstrike0day[. ]com

crowdstrikebluescreen[. ]com

crowdstrikebsod[. ]com

crowdstrikebug[. ]com

crowdstrikeclaim[. ]com

crowdstrikeclaims[. ]com

crowdstrikeclassaction[. ]com

crowdstrikedoomsday[. ]com

crowdstrikedown[. ]com

crowdstrikefail[. ]com

crowdstrikefixer[. ]com

crowdstrikeglitch[. ]com

crowdstrikelawsuit[. ]com

crowdstrikeold[. ]com

crowdstrikeoops[. ]com

crowdstrikeoopsie[. ]com

crowdstrikeout[. ]com

crowdstrikeoutage[. ]com

crowdstrikerecovery[. ]com

crowdstrikesucks[. ]com

crowdstrikesuporte[. ]com

crowdstriketoken[. ]com

crowdstrikeupdate[. ]com

crowdstrikewindowsoutage[. ]com

crowdstrikezeroday[. ]com

fix-crowdstrike[. ]com

fuckcrowdstrike[. ]com

fuckingcrowdstrike[. ]com

iscrowdstrikedown[. ]com

isitcrowdstrike[. ]com

microsoftcrowdstrike[. ]com

suportecrowdstrike[. ]com

whatiscrowdstrike[. ]com

crowdstrike[. ]feedback

crowdstrikehelp[. ]info

crowdstrikeplatform[. ]info

crowdstrikesupport[. ]info

crowdstrikerescue[. ]org

crowdstrikeyou[. ]xyz

crowdstrike-fix[. ]zip

crowdstrikefix[. ]zip

DETECTION AND ESCALATION

Please follow the steps listed below in the Stamus Security Platform (SSP) “Hunt” interface.

Create a Filter

NOTE: Portions of this are not applicable to the Stamus Probe Management license tier.

To create a filter:

1. 1. In Hunt, click on the magnifying icon next to any 
   

Domain in  FQDN breakdown for HTTP, TLS and DNS ( Dashboard tab). 

1.  
2. 2. Example:

1.  
2. 
3.  
4.  
5. 3,  Click on the pencil/Edit icon on the resulting filter displayed as “Active Filters:”.
6.  
7. 4.  Type *Crowdstrike* or *Falcon*  (Not all will be related to Crowdstrike)
8.  
9. 5.  Select the checkbox “Wildcard view”
10.  
11. 6.  Click Save
12.  
13. 7.  The result should be identical as on the screenshot below:
14.  
15. 
16.  
17. 8.  Add another filter for Newly Registered Domains 
18.  
19. 9.  From the drop down menu in Hunt, select Filter-> Message and type in “NRD”, click Save.
20.  
21. 
22.  
23. 10.  The resulting filter combination should be as follows

1. 
   11.  You are now ready to review the results and events in the Dashboard,Host Insights and Alert views.

Save the Filter

NOTE: some items described here are not applicable to Stamus Probe Management license tier

The resulting filter can be saved by simply clicking on the “Save” link on the right-hand side of the “Active filter”.  Check “Shared” in the resulting dialog box if you want to make the filter available to all users. 

The newly created filter is now available in “Global Filter Sets” or “Private Filter Sets”

Automated Escalation and RestAPI Notification

NOTE: Portions are not applicable to Stamus ND or Stamus Probe Management license tiers.

If needed, an automated escalation to a Declaration of Compromise (DoC) and webhooks is also possible, including from historical data.

For example, if it happened 24hrs or 7 days ago it will still be detected and escalated based on that custom filter.

To do so:

1. 1.  After creating your filter as above 
2.  
3. 2.  From the right-hand side drop down menu, Policy Actions, select “Create DoC events”.

1. 3.  Choose the plus (+) next to the Threat: Name
2. 4.  Fill in the Threat Name, Description, and Additional information.
3. 5.  Enter an Offender Key (i.e. src_ip)
4. 6.  Enter an Asset Key (i.e. dest_ip)
5. 7.  Leave Asset Type “IP”
6. 8.  Set a Kill Chain phase (i.e. Exploit)
7. 9.  Select “Generate DoC events from historical data”. [This will make sure historical events are also checked]
8. 10. If desired and webhooks are setup also select “Generate webhooks events from historical data”

The screenshot below shows the DoC event creation form:

Automated Classification and Tagging

Auto Tagging all relevant events is also an option. This will allow for any logs (alerts or protocol transaction events related to the alerts) to have a “Relevant” tag inserted in the JSON logs:

To do so:

1. 1.  After creating your filter as above.
2.  
3. 2.  From the right-hand side drop down menu -  Policy Actions , Select “Tag”.
4.  
5. 3.  Add in an optional comment and select a ruleset.
6.  
7. 4.  Update the threat detection (upload button in the middle of the top bar on the Hunt page, on the left-hand side of History, Filter Sets )

Export Data - SIEM / Elasticsearch / Kibana 

All data generated by Stamus ND/NDR, such as alerts, protocol transactions, sightings events or HostID information, may be exported and shared with any SIEM or SOAR system.

Over 4000 fields are available -- from domain requests, http user agents used, hostnames, usernames logged in --  to encrypted analysis including JA3/JA4/JA3S fingerprinting, TLS certificates and more.

Any query of the Stamus Networks data (protocol transaction or alert logs) can be exported via a regular JSON log query or visualization export.

Example of Kibana query on alert events

To export CSV data from any info of the alerts you can open the SN-ALERT dashboard in Kibana, type in the filter:

 “alert.signature.keyword:*NRD* AND hostname_info.domain:*crowdstrike*”

then you can export a CSV of any visualization using “Inspect” (see example below):

Click on “Inspect” in any visualization to export a CSV

Export Data - Splunk

NOTE: portions of this section are not applicable to Stamus Probe Management.

Any query of the Stamus Networks data (protocol transaction or alert logs a like) in Splunk can be exported via a regular Splunk query or visualization export.

Example of a Splunk query on alert events

event_type=alert "alert.signature"="*NRD*" "hostname_info.domain"="*crowdstrike*"

Protocol transactions

Stamus Networks provides a free Splunk app https://splunkbase.splunk.com/app/5262  that can be used to do specific searches.

If there are any Splunk visualizations queries that have supporting information for the query that needs to be exported, it can be done so by the native Splunk export functionality.

Troubleshooting and Help

Please feel free to reach out to support@stamus-networks.com with any questions or feedback.

To stay updated with new blog posts from Stamus Networks, also make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.