

CrowdStrike Configuration

The following product description and configuration information was provided by the vendor and has been included in its unedited form. Any MITRE Engenuity comments are included in italics.


Product Versions

Product Version:

  • Windows Falcon agent 5.40
  • Linux Falcon agent 5.39

Product SKU: “Falcon Endpoint Protection Premium”, which includes the following modules:

  • Falcon Prevent
  • Falcon X
  • Falcon Device Control
  • Falcon Firewall Management
  • Falcon Insight
  • Falcon Overwatch
  • Falcon Discover

Product Description

CrowdStrike® provides cloud-delivered endpoint and workload protection. Leveraging artificial intelligence (AI), the CrowdStrike Falcon® platform protects customers against cyberattacks on endpoints and workloads on or off the network by offering visibility and protection across the enterprise.

CrowdStrike Falcon delivers cloud-native endpoint security for a wide variety of platforms and workloads. It provides advanced detection and prevention functionality through its next-gen AV (Falcon Prevent), EDR (Falcon Insight) and Falcon Device Control modules, proactive human threat hunting (Falcon OverWatch), IT hygiene (Falcon Discover), vulnerability management (Falcon Spotlight), management of local OS firewall (Falcon Firewall Management) and integrated threat intelligence (Falcon X). 

Falcon’s cloud-native architecture significantly reduces deployment time and management costs, and also benefits from crowdsourcing of threat information from millions of machines it protects in more than 170 countries and the analysis of trillions of security-related events per week originating from these systems.  All capabilities are delivered through a single lightweight agent, reducing resource utilization and overhead. 

CrowdStrike Falcon's cloud-native architecture leverages both smart sensor technology and CrowdStrike’s proprietary Threat Graph, a purpose-built distributed graph database in the cloud, to enable rapid detection, prevention, and response to all types of threats. CrowdStrike Falcon uses behavioral Indicators of Attack (IOA) and machine learning technologies to detect and prevent malicious behavior at various stages of the attack lifecycle. 

The OverWatch managed threat hunting service consists of a global team of elite threat hunters whose job it is both to be the last line of defense to find a previously undetected intrusion and to help customers understand and prioritize the threat information provided by Falcon and help them to stop a breach. OverWatch feeds discovered intelligence back into the product in the form of IOAs that describe newly discovered attack techniques, ensuring that any future occurrences of the newly discovered tradecraft will be automatically and immediately detected. This human-computer interaction forms a virtuous cycle that continuously improves the product to stay ahead of the adversary. OverWatch was not specifically scored during this evaluation, and their activity is not reflected in the reported results.

The CrowdStrike Falcon management interface has adopted the MITRE ATT&CK framework to provide a uniform and widely adopted language for describing suspicious and malicious behaviors it has detected or prevented. 

Product Configuration

Product Configuration (Detection)

  • Prevention Policy
  • Sensor Capabilities:
    • ENABLED Unknown Detection-Related Executables
    • ENABLED Unknown Executables
    • ENABLED Notify End Users
  • Sensor Visibility: All Enabled
  • ML Sliders: All detection set to “Extra-Aggressive”
  • All Prevention disabled
  • Quarantine disabled

Product Configuration (Prevention)

  • Prevention Policy
  • Sensor Capabilities:
    • ENABLED Unknown Detection-Related Executables
    • ENABLED Unknown Executables
    • ENABLED End Users
  • Sensor Visibility: All Enabled
  • ML Sliders: All detection and prevention set to “Extra-Aggressive”
  • All Prevention enabled
  • Quarantine enabled