This container will create detections and preventions only on Linux hosts, container platforms (e.g. OpenShift), and containers themselves, which are protected by a CrowdStrike sensor.
Automated detections currently available include:
| Name | Description |
|---|---|
| Defense Evasion via Masquerading | Creates a copy of /usr/bin/whoami to whoami.rtf and executes it, causing a contradicting file extension. |
| Defense Evasion via Rootkit | This script will change the group owner of /etc/ld.so.preload to 0, indicative of a Jynx Rootkit. |
| Execution via Command-Line Interface | Emulate malicious activity related to suspicious CLI commands. Runs the command sh -c whoami '[S];pwd;echo [E]'. |
| Exfiltration Over Alternative Protocol | Attempts to exfiltrate data using DNS dig requests that contain system data in the hostname. |
| Command & Control via Remote Access Protocol * | Attempts to connect to a remote IP address and will exit at fork. Falcon Prevent will kill the attempt. |
| Collection via Automated Collection | Attempts to dump credentials from /etc/passwd to /tmp/passwords. |
| Credential Access via Credential Dumping | Runs mimipenguin and tries to dump passwords from inside the container environment. |
| Webserver Suspicious Terminal Spawn | Executes a command injection, which writes a file to local webserver then executes that script. |
| Webserver Unexpected Child of Web Service | Executes command injection to dump MySQL Server tables of database running inside the detection container. |
| Webserver Bash Reverse Shell * | Executes command injection that creates a reverse shell over the web server running in the detection container. |
| Webserver Trigger Metasploit Payload ** | Simulates a malicious file upload, which executes a reverse TCP meterpreter to Kali. Please review the script for details on how to trigger this detection. |
| Reverse TCP Trojan (inert) * | Inert Trojan, written by CrowdStrike, that will attempt to connect to 192.168.0.1 on TCP port 4444. Tnis will be detected and killed by CrowdStrike's on-sensor machine learning with the aggressive policy settings. |
(*) eligible for Prevention if configured in policy (**) container starting using exposed port (-p 8080:80) required and a Kali attack host ready. Please note that a detection will only occur once you execute commands via meterpreter!
Container images hosted at https://quay.io/repository/crowdstrike/detection-container are automatically rebuilt as mult-architecture images with every merged pull request. Pull this container with the following Docker (or podman!) command:
Using Docker CLI:
$ docker pull quay.io/crowdstrike/detection-container
Using Podman CLI:
$ podman pull quay.io/crowdstrike/detection-container
If a specific architecture is desired to be used, add the --platform flag with the desired architecture(s): linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
Clone this repository and build the container using docker build or podman build:
With Docker CLI:
docker build -t <your_repository>/detection-container .
Podman CLI:
podman build -t <your_repository>/detection-container .
Multi-architecture Build (requires Docker with BuildKit):
make docker-buildx
The detection-container can used in one of two modes:
-
interactivemode, which will expose a TUI where you can select pre-canned scripts that will generate simple detections (e.g., "hit #1 for credential dumping!"). -
non-interactivemode, which will randomly create detections. This is how CrowdStrike runs the detection-container internally as it will constantly create sample detections for product demos.
The following command will utilize Docker's interactive mode, present you with a text-based interface, and remove the container from your system after running:
$ sudo docker run --rm -it quay.io/crowdstrike/detection-container
This will present a text user interface:
Enter the menu option of the detection you would like to create and hit enter. Depending on which detection was selected you may be guided through additional menus.
Non-interactive mode will randomly create detections. Between each detection the container will pause for a randomized amount of time ranging from 100 to 1800 seconds (roughly 1.5 - 30 minutes). This pause ensures events trigger unique detections in the Falcon console that are not grouped together.
The following command will run detection-container non-interactively:
$ sudo docker run --rm quay.io/crowdstrike/detection-container
Output will be sent to the console (via stdout) regarding what detections are being generated. An example of running in non-interactive mode, plus output, is shown below:
