Skip to content

CrowdStrike/detection-container

Repository files navigation

CrowdStrike Docker Detection Container

Container Repository on Quay

This container will create detections and preventions only on Linux hosts, container platforms (e.g. OpenShift), and containers themselves, which are protected by a CrowdStrike sensor.

Automated detections currently available include:

Name Description
Defense Evasion via Masquerading Creates a copy of /usr/bin/whoami to whoami.rtf and executes it, causing a contradicting file extension.
Defense Evasion via Rootkit This script will change the group owner of /etc/ld.so.preload to 0, indicative of a Jynx Rootkit.
Execution via Command-Line Interface Emulate malicious activity related to suspicious CLI commands. Runs the command sh -c whoami '[S];pwd;echo [E]'.
Exfiltration Over Alternative Protocol Attempts to exfiltrate data using DNS dig requests that contain system data in the hostname.
Command & Control via Remote Access Protocol * Attempts to connect to a remote IP address and will exit at fork. Falcon Prevent will kill the attempt.
Collection via Automated Collection Attempts to dump credentials from /etc/passwd to /tmp/passwords.
Credential Access via Credential Dumping Runs mimipenguin and tries to dump passwords from inside the container environment.
Webserver Suspicious Terminal Spawn Executes a command injection, which writes a file to local webserver then executes that script.
Webserver Unexpected Child of Web Service Executes command injection to dump MySQL Server tables of database running inside the detection container.
Webserver Bash Reverse Shell * Executes command injection that creates a reverse shell over the web server running in the detection container.
Webserver Trigger Metasploit Payload ** Simulates a malicious file upload, which executes a reverse TCP meterpreter to Kali. Please review the script for details on how to trigger this detection.
Reverse TCP Trojan (inert) * Inert Trojan, written by CrowdStrike, that will attempt to connect to 192.168.0.1 on TCP port 4444. Tnis will be detected and killed by CrowdStrike's on-sensor machine learning with the aggressive policy settings.

Note

(*) eligible for Prevention if configured in policy

(**) container starting using exposed port (-p 8080:80) required and a Kali attack host ready. Please note that a detection will only occur once you execute commands via meterpreter!

Downloading & Usage

Download via Quay.io

Container images hosted at https://quay.io/repository/crowdstrike/detection-container are automatically rebuilt as mult-architecture images with every merged pull request. Pull this container with the following Docker (or podman!) command:

Using Docker CLI:

docker pull quay.io/crowdstrike/detection-container

Using Podman CLI:

podman pull quay.io/crowdstrike/detection-container

If a specific architecture is desired to be used, add the --platform flag with the desired architecture(s): linux/arm64,linux/amd64,linux/s390x,linux/ppc64le

Build from Source

Clone this repository and build the container using docker build or podman build:

With Docker CLI:

docker build -t <your_repository>/detection-container .

Podman CLI:

podman build -t <your_repository>/detection-container .

Multi-architecture Build (requires Docker with BuildKit):

make docker-buildx

Generate Sample Detections

The detection-container operates in one of two modes, suitable for both Docker and Kubernetes environments:

Interactive Mode

This mode exposes a text-based user interface (TUI) for selecting pre-canned scripts to generate simple detections (e.g., "hit #1 for credential dumping!").

An example of running in interactive mode is shown below:

detection-container Text User Interface

For Docker, use the following command to run the detection container interactively:

sudo docker run --rm -it quay.io/crowdstrike/detection-container

For Kubernetes environments, refer to the vulnapp project for running the detection container interactively.

Non-interactive Mode

In this mode, detections are randomly generated with pauses between each to ensure uniqueness in the Falcon console. The pause duration ranges from 100 to 1800 seconds (approximately 1.5 to 30 minutes).

Output will be sent to the console (via stdout) regarding what detections are being generated. An example of running in non-interactive mode, plus output, is shown below:

non-interactive mode

For Docker, use the following command to run the detection container non-interactively:

sudo docker run --rm quay.io/crowdstrike/detection-container

For Kubernetes environments, use the following command to run the detection container non-interactively:

kubectl create -f https://raw.githubusercontent.com/CrowdStrike/detection-container/main/detections.example.yaml