{
	"id": "c7779b74-1c78-409c-9c4c-19f13af77ca7",
	"created_at": "2026-04-06T00:09:29.051337Z",
	"updated_at": "2026-04-10T03:20:36.88872Z",
	"deleted_at": null,
	"sha1_hash": "6f17c07e8e831ad775ff64aae4636f23ca933d3e",
	"title": "OverWatch Elite's Call Escalation Vital to Containing Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1157804,
	"plain_text": "OverWatch Elite's Call Escalation Vital to Containing Attack\r\nBy falcon.overwatch.team\r\nArchived: 2026-04-05 15:51:54 UTC\r\nFor a defender, time is critical. As CrowdStrike Falcon® OverWatch™ threat hunters know firsthand, adversaries\r\ncan move from initial access to lateral movement in just minutes. This blog and the real world attack scenario that\r\nit describes highlights the essential value that human security expertise adds to an organization’s security defense\r\nand response capabilities beyond the limits of autonomous ML/AI alone. Earlier this year, OverWatch threat\r\nhunters identified the early stages of an intrusion against a healthcare organization. Fortunately, this customer\r\nsubscribed to the OverWatch Elite service, which includes a CrowdStrike threat hunting analyst that helps the in-house security team improve response times and drive continuous optimization. This meant an assigned threat\r\nresponse analyst was able to contact the organization personally to alert them of the malicious activity. This\r\nallowed the customer to contain the adversary before any significant impact resulted. This call escalation protocol\r\n— a core offering of OverWatch Elite — can prove crucial in enabling a timely response to sophisticated hands-on-keyboard activity when every minute counts. This blog outlines the detection and response to the attempted\r\nintrusion.\r\nTracking and Containing an Intrusion in Real Time\r\nOverWatch discovered an unknown adversary conducting malicious interactive activity on multiple hosts. Using a\r\nlegitimate administrator account, the adversary gained access to the initial host via a Remote Desktop Protocol\r\n(RDP) session. Valid credentials are often widely available through various means and can provide an undetected\r\npath into secure networks. The adversary then wrote a series of tools to the compromised host, including\r\nPowerTool, Mimikatz, and a Meterpreter stager payload with the file name lssass.exe , masquerading as the\r\nlegitimate Windows executable.\r\nhttps://www.crowdstrike.com/blog/overwatch-elite-call-escalation-vital-to-containing-attack/\r\nPage 1 of 4\n\nNext, the adversary executed Mimikatz in an attempt to harvest user credentials from the initial host before\r\nmoving laterally to various hosts using mstsc.exe, a Windows Remote Desktop Connection tool. Using an RDP\r\nsession, the adversary proceeded to log in to two additional remote hosts using yet another account, indicating that\r\nthey were in possession of numerous sets of valid domain credentials. The adversary was then observed\r\nconducting host and network reconnaissance, including the enumeration of additional systems on the domain.\r\nFinally, the adversary attempted to use the Windows Task Manager to extract the contents of the LSASS process\r\nin a further attempt to harvest credentials, which was ultimately thwarted by the CrowdStrike Falcon®® sensor.\r\nThe tailored guidance provided by OverWatch Elite during the customer’s initial onboarding ensured that the\r\nFalcon platform was configured correctly and had appropriate prevention settings turned on, ensuring no endpoint\r\nwas left unprotected.\r\nTactic and Technique Overview\r\nAn Elite Response When Every Minute Matters\r\nhttps://www.crowdstrike.com/blog/overwatch-elite-call-escalation-vital-to-containing-attack/\r\nPage 2 of 4\n\nAs this malicious activity unfolded, OverWatch threat hunters were watching and quickly determined that this was\r\nmalicious hands-on-keyboard activity. The CrowdStrike Threat GraphⓇ database contributes to OverWatch’s\r\nability to hunt across over 1 trillion endpoint events each day, enabling threat hunters to quickly surface the most\r\nsubtle of suspicious or malicious behaviors that could potentially indicate a sophisticated adversary’s presence.\r\nUpon validating that the observed activity was malicious, OverWatch triggered multiple detections to the\r\ncustomer’s Falcon console, followed by a detailed notification that was sent via email. This notification contained\r\na comprehensive summary of the event, including the indicators of compromise (IOCs) seen during this attack.\r\nWith this actionable intelligence in hand, the organization had the critical context necessary to take immediate\r\naction and disrupt the adversary. During working hours, customers are often available to discuss investigations,\r\ndetections and intrusions with OverWatch Elite analysts. Adversaries, however, do not operate strictly within\r\nbusiness hours. In this case, the malicious activity in question was unfolding over the weekend — a time when\r\norganizations may not be monitoring their queues or mailboxes as closely. As a Falcon OverWatch Elite customer,\r\nthis organization was provided with 60-minute call escalation. This core OverWatch Elite feature is critical to\r\nensuring that active hands-on keyboard activity is being responded to by the customer in a timely fashion. If no\r\none in the customer’s organization confirms they are investigating the critical activity within 60 minutes of the\r\nemail notification, an OverWatch Elite threat response analyst will begin calling a predetermined list of\r\nindividuals at the organization until there is confirmation that someone is responding to the incident. In this\r\ninstance, the initial notification went unacknowledged. OverWatch Elite performed a rapid assessment of the\r\nunfolding situation and deemed rapid escalation was necessary. Once contact was secured, OverWatch Elite\r\nbriefed the customer, prompting them to contain the compromised hosts before the adversary could achieve the\r\nintended objectives. OverWatch hunts continuously and simultaneously across its customers' endpoints 24 hours\r\naday, 365 days a year, providing near real-time notifications of potential threats to customers. Itis equally crucial\r\nthat defenders are ready to take action following OverWatch notifications. OverWatch Elite’s call escalation\r\nprotocol ensures that notifications don’t get missed and defensive action can be taken quickly.\r\nFeatures Unique to Falcon OverWatch Elite\r\nOverWatch Elite’s core offerings allow customers to build a personalized relationship with their assigned threat\r\nresponse analyst. Specific service inclusions, such as the call escalation protocol highlighted, provide OverWatch\r\nElite customers with added peace of mind that adversary activity within their environments can be rapidly\r\ndisrupted. The tailored threat hunting available to OverWatch Elite customers also allows them to develop,\r\noperationalize and tune their threat hunting program to meet the needs of their specific environment, all while\r\ngiving them access to fast, closed-loop communications. In addition to the call escalation protocol, the other\r\nunique offerings of OverWatch Elite are detailed below. For more information, please visit OverWatch Elite’s\r\nhttps://www.crowdstrike.com/blog/overwatch-elite-call-escalation-vital-to-containing-attack/\r\nPage 3 of 4\n\npage on CrowdStrike’s website.\r\nAdditional Resources\r\nRead about the latest trends in threat hunting and more in the 2021 Threat Hunting Report.\r\nLearn more about Falcon OverWatch proactive managed threat hunting.\r\nWatch this video to see how Falcon OverWatch proactively hunts for threats in your environment.\r\nLearn more about the CrowdStrike Falcon® platform by visiting the product webpage.\r\nTest CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.\r\nSource: https://www.crowdstrike.com/blog/overwatch-elite-call-escalation-vital-to-containing-attack/\r\nhttps://www.crowdstrike.com/blog/overwatch-elite-call-escalation-vital-to-containing-attack/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/overwatch-elite-call-escalation-vital-to-containing-attack/"
	],
	"report_names": [
		"overwatch-elite-call-escalation-vital-to-containing-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434169,
	"ts_updated_at": 1775791236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6f17c07e8e831ad775ff64aae4636f23ca933d3e.pdf",
		"text": "https://archive.orkl.eu/6f17c07e8e831ad775ff64aae4636f23ca933d3e.txt",
		"img": "https://archive.orkl.eu/6f17c07e8e831ad775ff64aae4636f23ca933d3e.jpg"
	}
}