Latest revision as of 18:22, 4 August 2024
CrowdStrike
Install
Windows Install
WindowsSensor.exe /install /quiet /norestart CID=<your CID>
Linux Install
dpkg -i falcon-sensor_6.53.0-15003_amd64.deb
/opt/CrowdStrike/falconctl -s -f --cid="XXXX"
/opt/CrowdStrike/falconctl -s --trace=warn
systemctl enable falcon-sensor
systemctl restart falcon-sensor
Check Version
Windows Check Version
Check Version: [1]
wmic path win32_product where (caption like '%crowdstrike sensor%') get version
Note: This takes a few minutes to process.
Examples
Installed:
C:\>wmic path win32_product where (caption like '%crowdstrike sensor%') get version
Version
5.36.11809.0
Not installed:
C:\>wmic path win32_product where (caption like '%crowdstrike sensor%') get version
No Instance(s) Available.
Linux Check Version
/opt/CrowdStrike/falconctl -g --version
version = 7.10.16303.0
Linux Kernel Check
The Linux kernel is updated much more often than the CrowdStrike sensor. You should disable automatic kernel updates and control when the kernel is updated. To check whether the currently running kernel is supported by the installed sensor version:
Ok:
# /opt/CrowdStrike/falcon-kernel-check
Host OS 5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023 is supported by Sensor version 16303.
Bad:
# /opt/CrowdStrike/falcon-kernel-check
Host OS Linux 5.15.0-105-generic #115-Ubuntu SMP Mon Apr 15 09:52:04 UTC 2024 is not supported by Sensor version 16303.
To get a list of supported kernels use:
# /opt/CrowdStrike/falcon-kernel-check -k [PATTERN]
# /opt/CrowdStrike/falcon-kernel-check -k 5.15
Example:
# /opt/CrowdStrike/falcon-kernel-check -k 5.15 | grep generic
5.15.0-25-generic #25-Ubuntu SMP Wed Mar 30 15:54:22 UTC 2022
5.15.0-27-generic #28-Ubuntu SMP Thu Apr 14 04:55:28 UTC 2022
5.15.0-30-generic #31-Ubuntu SMP Thu May 5 10:00:34 UTC 2022
5.15.0-33-generic #34~20.04.1-Ubuntu SMP Thu May 19 15:51:16 UTC 2022
5.15.0-33-generic #34-Ubuntu SMP Wed May 18 13:34:26 UTC 2022
...
5.15.0-88-generic #98-Ubuntu SMP Mon Oct 2 15:18:56 UTC 2023
5.15.0-89-generic #99~20.04.1-Ubuntu SMP Thu Nov 2 15:16:47 UTC 2023
5.15.0-89-generic #99-Ubuntu SMP Mon Oct 30 20:42:41 UTC 2023
5.15.0-91-generic #101~20.04.1-Ubuntu SMP Thu Nov 16 14:22:28 UTC 2023
5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023
Check for Reduced Functionality Mode (RFM)
sudo /opt/CrowdStrike/falconctl -g --rfm-state
Good:
rfm-state=false
Not so good:
rfm-state=true
If rfm-state=true, the sensor is in RFM; check the reason with:
sudo /opt/CrowdStrike/falconctl -g --rfm-reason
# When the sensor is not in RFM, the query still answers: rfm-reason=None, code=0x0.
# Example reason reported while in RFM:
rfm-reason=Modules file was not found, code=0xC0000034.
Check File System Service
Windows System Service
Check that the sensor is running: [1]
sc query csagent
C:\>sc query csagent

SERVICE_NAME: csagent
        TYPE               : 2  FILE_SYSTEM_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
Note: This is a different service from the one listed in the Services manager.
Linux System Service
systemctl status falcon-sensor
# ps aux | grep falcon
root 858 0.0 0.0 2684 104 ? Ss Mar08 0:00 /opt/CrowdStrike/falcond
root 859 0.0 0.0 1253844 11552 ? Sl Mar08 5:09 falcon-sensor
# lsmod | grep -i falcon
falcon_lsm_serviceable 1798144 1
falcon_nf_netcontain 20480 1
falcon_kal 94208 1 falcon_lsm_serviceable
falcon_lsm_pinned_16604 155648 1
falcon_lsm_pinned_16303 151552 1
Linux
Dependency:
apt install libnl-3-200
cd /opt
dpkg -i falcon-sensor_6.53.0-15003_amd64.deb
# /opt/CrowdStrike/falconctl -s --cid="XXXX"
# Note: -f is needed together with --cid; without it you get:
# "CID is set, but -f was not specified"
/opt/CrowdStrike/falconctl -s -f --cid="XXXX"
/opt/CrowdStrike/falconctl -s --trace=warn
systemctl enable falcon-sensor
systemctl restart falcon-sensor
/opt/CrowdStrike/falconctl -s --trace=info
systemctl status falcon-sensor
/opt/CrowdStrike/falconctl -g --cid
/opt/CrowdStrike/falconctl -g --trace
service falcon-sensor status
service falcon-sensor restart
ps aux | grep sensor
ps aux | grep falcon
How to Install the CrowdStrike Falcon Sensor for Linux https://www.crowdstrike.com/blog/tech-center/install-falcon-sensor-for-linux/
Pi Not Supported
Raspberry Pi is not supported
root@pitest:~# dpkg -i falcon-sensor_6.53.0-15003_amd64.deb
dpkg: error processing archive falcon-sensor_6.53.0-15003_amd64.deb (--install):
 package architecture (amd64) does not match system (armhf)
Errors were encountered while processing:
 falcon-sensor_6.53.0-15003_amd64.deb
root@pitest:~# uname -a
Linux pitest 5.15.74-v7l+ #1595 SMP Wed Oct 26 11:05:08 BST 2022 armv7l GNU/Linux
Installation Path
Windows Install Path
CrowdStrike is installed in:
C:\Windows\System32\drivers\CrowdStrike
ref: [2]
Linux Install Path
/opt/CrowdStrike/
Uninstall
In order to uninstall current versions of CrowdStrike, you will need to obtain a maintenance token, which is unique to each system. To obtain this token, email YOUR IT ADMIN stating that you need a maintenance token to uninstall CrowdStrike. You will also need to provide your unique agent ID as described below. The Security Team may be able to find your host by a combination of hostname, IP address and/or MAC address.
You can retrieve the host's device ID or AID (agent ID) locally by running the following commands at a Command Prompt/Terminal.
Windows: reg query HKLM\System\CurrentControlSet\services\CSAgent\Sim\ /f AG
Mac sensor version 6.x: sudo /Applications/Falcon.app/Contents/Resources/falconctl stats | grep agentID
Once the Security Team provides this maintenance token, you may proceed with the below instructions.
Windows
- Go to Control Panel, select Uninstall a Program, and select CrowdStrike Falcon Sensor
Mac OS
- This depends on the version of the sensor you are running. You can check using the sysctl cs command mentioned above, but unless you are still using Yosemite you should be on 6.x at this point. Note for those unfamiliar with sudo that you will be prompted for a password, which is the password for the account you are logged in as, to allow the command to run with elevated privilege. The Falcon Agent will also require Full Disk access for the uninstall. On macOS 13 and above, Terminal will need to be added to App Management.
- Sensor version 6.x and above, navigate to the Terminal command line and type:
sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall --maintenance-token
- Enter token-from-security-team when prompted
- You can also unload/load the sensor if you think you are having problems:
sudo /Applications/Falcon.app/Contents/Resources/falconctl load
sudo /Applications/Falcon.app/Contents/Resources/falconctl unload --maintenance-token
- Enter token-from-security-team when prompted
Linux
- Stop the sensor service:
sudo service falcon-sensor stop
- Remove the package using the appropriate rpm or deb package command. The package name will be like falcon-sensor-4.18.0-6403.el7.x86_64
ref: [3]
Check for connection to cloud
sudo netstat -tapn | grep falcon
Should see something like:
tcp 0 0 192.0.2.176:35382 ec2-54-148-96-12:443 ESTABLISHED 3228/falcon-sensor
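The kernel check, RFM state, service status and cloud-connection checks above combined into one pass/fail health check, as an added example that is not from this wiki page or from CrowdStrike. The parsers take the command output as an argument so they can be exercised offline; the live part assumes the sensor is installed under /opt/CrowdStrike and that systemctl and netstat are available.

```shell
#!/bin/sh
# Added example, not from the wiki page or CrowdStrike: the kernel, RFM,
# service and cloud-connection checks above combined into one health check.
# The parsers take command output as an argument so they can run offline.

# "rfm-state=true|false" -> prints the state value.
rfm_state() {
    printf '%s\n' "$1" | sed -n 's/^rfm-state=\([a-z]*\).*/\1/p'
}

# "rfm-reason=<text>, code=0x..." -> prints "<code> <text>".
rfm_reason_code() {
    printf '%s\n' "$1" | sed -n 's/^rfm-reason=\(.*\), code=\(0x[0-9A-Fa-f]*\)\.*$/\2 \1/p'
}

# falcon-kernel-check output -> 0 when it says the kernel is supported.
kernel_supported() {
    case "$1" in
        *" is supported by Sensor version "*) return 0 ;;
        *) return 1 ;;
    esac
}

# netstat -tapn output -> number of ESTABLISHED falcon-sensor connections.
cloud_connections() {
    printf '%s\n' "$1" | grep -c 'ESTABLISHED *[0-9]*/falcon-sensor' || true
}

# Live check on a host with the sensor installed; exit status = number of failures.
falcon_health() {
    fails=0
    kernel_supported "$(/opt/CrowdStrike/falcon-kernel-check 2>&1)" \
        || { echo "FAIL: running kernel not supported by this sensor"; fails=$((fails + 1)); }
    if [ "$(rfm_state "$(/opt/CrowdStrike/falconctl -g --rfm-state 2>&1)")" != false ]; then
        echo "FAIL: sensor in RFM: $(rfm_reason_code "$(/opt/CrowdStrike/falconctl -g --rfm-reason 2>&1)")"
        fails=$((fails + 1))
    fi
    systemctl is-active --quiet falcon-sensor \
        || { echo "FAIL: falcon-sensor service not active"; fails=$((fails + 1)); }
    [ "$(cloud_connections "$(netstat -tapn 2>/dev/null)")" -gt 0 ] \
        || { echo "FAIL: no ESTABLISHED connection from falcon-sensor"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: sensor healthy"
    return "$fails"
}

# Run the live check with: sh falcon-health.sh --run
case "${1:-}" in --run) falcon_health ;; esac
```

A non-zero exit status counts the failed checks, so the script can be run from cron or a compliance job and alert on any exit other than 0.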
BSOD 2024 Issue
There is a worldwide issue affecting Windows machines running CrowdStrike: they get a BSOD and become stuck in an endless loop of restarts.
Applicable only to Windows-based devices which are down, blue-screening, or rebooting in a loop. If the device is working fine, there is no issue.
Here are the instructions to resolve the issue on impacted devices:
- Boot Windows into Safe Mode or the Windows Recovery Environment
- Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
- Locate the file matching “C-00000291*.sys”, and delete it.
- Boot the host normally.
https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/
This one didn't continually crash my systems (only once, but recovered):
C:\Windows\System32\drivers\CrowdStrike\C-00000291-00000000-00000098.sys
1e9d1430e9b57372fc94711c7e0db32e9f1a4f2d7f2f01e8cd8cf0ecb46af1c6 *C-00000291-00000000-00000098.sys
This one perpetually crashed my system:
C:\Windows\System32\drivers\CrowdStrike\C-00000291-00000000-00000097.sys
CFBC480E22434E1045A8DE17DD1DED4B6FC66131BA98D0C23CBCA543A988924F *C-00000291-00000000-00000097.sys
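A triage script that reports which of the two channel file versions recorded above is present before anything is deleted, as an added example that is not from this wiki page or from CrowdStrike. It assumes the affected Windows volume is mounted under Linux rescue media and that the path of its Windows\System32\drivers\CrowdStrike directory is passed as the argument; the verdict labels are this example's own, and the two SHA-256 values are the ones recorded on this page.

```shell
#!/bin/sh
# Added example, not from the wiki page or CrowdStrike: report which of the
# C-00000291 channel file versions recorded above is present, before deleting.
# Assumes the Windows volume is mounted under Linux and $1 is the path of its
# Windows/System32/drivers/CrowdStrike directory. Hashes are those on this page.
HASH_097_CRASHING=cfbc480e22434e1045a8de17dd1ded4b6fc66131ba98d0c23cbca543a988924f
HASH_098_RECOVERED=1e9d1430e9b57372fc94711c7e0db32e9f1a4f2d7f2f01e8cd8cf0ecb46af1c6

# Map a SHA-256 (either case) to a verdict label (labels are this example's own).
classify_hash() {
    h=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$h" in
        "$HASH_097_CRASHING")  echo "known-crashing (C-00000291-00000000-00000097.sys)" ;;
        "$HASH_098_RECOVERED") echo "recovered-after-one-crash (C-00000291-00000000-00000098.sys)" ;;
        *)                     echo "unknown" ;;
    esac
}

# Print "<file> <sha256> <verdict>" for every C-00000291*.sys in the directory.
# Returns 1 when the known-crashing file is present, 0 otherwise.
triage_channel_files() {
    found_bad=0
    for f in "$1"/C-00000291*.sys; do
        [ -f "$f" ] || continue          # no match: the glob stays literal
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        verdict=$(classify_hash "$sum")
        printf '%s %s %s\n' "$(basename "$f")" "$sum" "$verdict"
        case "$verdict" in known-crashing*) found_bad=1 ;; esac
    done
    return "$found_bad"
}

# Usage: sh channel-triage.sh /mnt/win/Windows/System32/drivers/CrowdStrike
case "${1:-}" in ?*) triage_channel_files "$1" ;; esac
```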
Post Incident Review
Preliminary Post Incident Review https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/
Windows Security best practices for integrating and managing security tools | Microsoft Security Blog https://www.microsoft.com/en-us/security/blog/2024/07/27/windows-security-best-practices-for-integrating-and-managing-security-tools/
Patrick Wardle's analysis (spawns several discussions, which is how I found the above) https://x.com/patrickwardle/status/1814583925223678281
References
- Troubleshooting the CrowdStrike Falcon Sensor for Linux | Office of Information Technology - https://oit.duke.edu/help/articles/kb0035319/