After gaining access, PUNK SPIDER used a service account to log into another network host via Remote Desktop Protocol (RDP), triggering the CrowdStrike Falcon® sensor to alert CrowdStrike to the intrusion. The adversary attempted to dump credentials, deploy proxy-tunneling and remote access tools, and elevate privileges by adding compromised and adversary-created accounts to administrator groups. However, the Falcon sensor blocked these escalation attempts, while CrowdStrike Falcon® Complete Next-Gen MDR contained compromised accounts and devices to prevent further impact.
Cross-domain attacks exemplify adversaries’ drive for speed and stealth. In these attacks, they pivot across multiple domains — including endpoint, identity and cloud systems — to maximize their reach and impact. Their goal is to exploit weaknesses in organizations’ rapidly growing and complex environments. By targeting security gaps between these connected domains, adversaries can avoid traditional detection methods and hide amid legitimate processes for longer periods of time.
Read the full case study in the CrowdStrike 2024 Threat Hunting Report.
Adversaries Reach New Levels of Speed and Sophistication
Cybersecurity platforms built with AI and machine learning can identify previously unseen patterns and detect anomalies that traditional defenses might miss. These platforms evolve based on the latest threat intelligence, as newly detected patterns are fed into the system to enhance future threat detection and prevention. This cycle of learning and adaptation empowers defenders to quickly respond to new attack tactics. Unified security platforms with these capabilities are the foundation of a resilient cyber defense strategy that can detect and mitigate cross-domain attacks.
Modern adversaries have become more deliberate and resourceful, increasingly relying on malware-free techniques that bypass traditional detection methods. The CrowdStrike 2024 Global Threat Report states 75% of intrusions begin without malware, enabling attackers to operate under the radar and seamlessly navigate between the endpoint and cloud domains.
PUNK SPIDER also attempted to use reconnaissance tools like SharpShares and Invoke-ShareFinder.ps1, along with their proprietary Akira ransomware, but each attempt was thwarted by the Falcon sensor. In a final effort, the adversary tried to use WinRAR and FileZilla to archive and exfiltrate data, but CrowdStrike’s tactical custom indicators of attack prevented these actions.
As adversaries refine their tactics, organizations need advanced technologies to keep up. Platform capabilities such as AI-driven analytics, machine learning and real-time threat hunting adapt to adversaries’ evolving strategies.
PUNK SPIDER: Hunting an eCrime Adversary
By integrating insights across domains, defenders gain the real-time visibility and speed required to detect, investigate and stop threats before they cause widespread damage. This comprehensive approach enhances detection accuracy and shortens response times, as threat hunters no longer need to toggle between disparate tools or wait for data to be manually compiled.
As cross-domain attacks become faster and more sophisticated, the Falcon platform’s real-time threat hunting and advanced analytics offer the speed and integration needed to stay ahead of them. By adopting the Falcon platform, businesses can outpace attackers, safeguard critical assets and build a proactive, resilient defense against evolving cyber threats.
The CrowdStrike Falcon cybersecurity platform transforms security operations by unifying endpoint security, identity protection and cloud security, and leveraging world-class threat intelligence and 24/7 managed threat hunting. With its adaptive, AI-driven capabilities, the Falcon platform consolidates multiple layers of defense into one streamlined solution, reducing the operational burden of managing separate tools while enhancing detection speed and accuracy. This unified approach allows security teams to respond swiftly and decisively, ensures comprehensive coverage and lowers the costs of fragmented security.
Identities play a critical role in this shift. With stolen or compromised credentials, adversaries can gain access, escalate privileges and move laterally across systems, often leveraging legitimate tools like remote monitoring and management (RMM) software to blend into normal operations. These tactics make cross-domain attacks particularly difficult to detect and address.
Fragmented security tools and siloed teams make it easier for adversaries to conduct cross-domain attacks. Disconnected systems and manual processes create delays in detection and response, giving threat actors an edge. Organizations must adopt a unified platform approach that consolidates data from endpoints, identity and cloud into a single view.
Unified Cybersecurity: The Solution to Cross-Domain Attacks
How might a cross-domain attack unfold in the wild? Let’s take a closer look.
Modern adversaries are quiet. No longer reliant on clunky malware to breach their targets, they have adopted more subtle and effective methods to infiltrate businesses, move laterally and access critical applications, steal data, impersonate users and more. They are also gaining speed: The average eCrime breakout time, now just 62 minutes, has fallen in recent years as adversaries accelerate from initial intrusion to lateral movement.
The Importance of Innovation in Cyber Defense
In this post, we’ll discuss the intricacies of cross-domain threats and explain the strongest approach to detecting, analyzing and responding to them with speed and precision.
We’ve witnessed firsthand how cross-domain attacks have impacted our customers. In April 2024, CrowdStrike Counter Adversary Operations detected suspected PUNK SPIDER activity at a North American technology company. The adversary accessed the victim’s network through an unmanaged Palo Alto Networks GlobalProtect VPN appliance vulnerable to CVE-2024-3400.
The speed at which adversaries can pivot across domains further compounds this challenge. Because cross-domain attacks exploit weaknesses across multiple domains with rapid escalation, speed of detection is critical to their success. By mimicking legitimate network behavior and exploiting organizational tools, adversaries reduce the window for defenders to identify suspicious activity. Traditional detection methods, reliant on malware signatures or anomalous behaviors, are ill-equipped to catch these swift and sophisticated intrusions.
Here we see the adversary attempt multiple techniques to move across the endpoint and identity domains. PUNK SPIDER exploits a vulnerability to break in and then uses legitimate accounts and tools to further their attack. While the CrowdStrike Falcon platform stopped the adversary before they could escalate further, it’s clear how they planned to escalate in the target environment. This activity showcases how a unified platform and fast, modern threat detection can provide rapid, scalable defense to outmaneuver even the most sophisticated adversaries.
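The identity-to-endpoint sequence in the PUNK SPIDER case (a service account logging on over RDP, then accounts being created and added to administrator groups) can be hunted by correlating the two event types per account. The following is an added example, not CrowdStrike's detection logic or code from the original post; the simplified event records, the account names and the 62-minute window (borrowed from the breakout time cited in this post) are assumptions.

```python
from datetime import datetime, timedelta

# Windows Security event IDs: logon, account created, member added to
# a security-enabled local / global group.
LOGON, USER_CREATED, GROUP_ADDS = 4624, 4720, (4732, 4728)
RDP_LOGON_TYPE = 10  # RemoteInteractive
ADMIN_GROUPS = {"Administrators", "Domain Admins"}

# Constructed sample events with simplified fields (not real telemetry).
# "user" is the acting account, "target" the account being changed.
EVENTS = [
    {"ts": "2024-01-01T02:11:05", "id": 4624, "host": "APP01",
     "user": "svc_backup", "logon_type": 10},
    {"ts": "2024-01-01T02:14:40", "id": 4720, "host": "APP01",
     "user": "svc_backup", "target": "helpdesk2"},
    {"ts": "2024-01-01T02:15:02", "id": 4732, "host": "APP01",
     "user": "svc_backup", "target": "helpdesk2", "group": "Administrators"},
    {"ts": "2024-01-01T09:00:00", "id": 4624, "host": "WS07",
     "user": "alice", "logon_type": 10},
    {"ts": "2024-01-01T09:30:00", "id": 4732, "host": "FS02",
     "user": "it_admin", "target": "bob", "group": "Print Operators"},
]

def correlate(events, service_accounts, window=timedelta(minutes=62)):
    """Flag RDP logons by service accounts, then any account creation or
    admin-group addition the same account performs within `window`."""
    findings, rdp_seen = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if (ev["id"] == LOGON and ev.get("logon_type") == RDP_LOGON_TYPE
                and user in service_accounts):
            rdp_seen[user] = ts
            findings.append({"rule": "service_account_rdp", "severity": "medium",
                             "user": user, "host": ev["host"]})
        elif user in rdp_seen and ts - rdp_seen[user] <= window:
            if ev["id"] == USER_CREATED:
                rule = "account_created_after_rdp"
            elif ev["id"] in GROUP_ADDS and ev.get("group") in ADMIN_GROUPS:
                rule = "admin_group_add_after_rdp"
            else:
                continue
            findings.append({"rule": rule, "severity": "high", "user": user,
                             "host": ev["host"], "target": ev["target"]})
    return findings

if __name__ == "__main__":
    for finding in correlate(EVENTS, service_accounts={"svc_backup"}):
        print(finding)
```

Neither event is alarming in isolation, which is why the ordinary RDP logon by `alice` and the non-admin group change by `it_admin` produce no findings; the signal comes from joining the identity and endpoint records on the acting account.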