Latest revision as of 18:22, 4 August 2024

CrowdStrike


Install

Windows Install

WindowsSensor.exe /install /quiet /norestart CID=<your CID>

Linux Install

dpkg -i falcon-sensor_6.53.0-15003_amd64.deb
/opt/CrowdStrike/falconctl -s -f --cid="XXXX" 
/opt/CrowdStrike/falconctl -s --trace=warn
systemctl enable falcon-sensor
systemctl restart falcon-sensor

Check Version

Windows Check Version

Check Version: [1]

wmic path win32_product where (caption like '%crowdstrike sensor%') get version

Note: This takes a few minutes to process.

Examples

Installed:

C:\>wmic path win32_product where (caption like '%crowdstrike sensor%') get version
Version
5.36.11809.0

Not installed:

C:\>wmic path win32_product where (caption like '%crowdstrike sensor%') get version
No Instance(s) Available.

Linux Check Version

/opt/CrowdStrike/falconctl -g --version
version = 7.10.16303.0

Linux Kernel Check

The Linux kernel updates much more often than CrowdStrike does. You should disable automatic kernel updates and control when the kernel is updated. To check whether the currently running kernel is supported by the installed CrowdStrike version:

Ok:

# /opt/CrowdStrike/falcon-kernel-check
Host OS 5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023 is supported by Sensor version 16303.

Bad:

# /opt/CrowdStrike/falcon-kernel-check
Host OS Linux 5.15.0-105-generic #115-Ubuntu SMP Mon Apr 15 09:52:04 UTC 2024 is not supported by Sensor version 16303.

To get a list of supported kernels use:

# /opt/CrowdStrike/falcon-kernel-check -k [PATTERN]
# /opt/CrowdStrike/falcon-kernel-check -k 5.15

Example:

# /opt/CrowdStrike/falcon-kernel-check -k 5.15 | grep generic
5.15.0-25-generic #25-Ubuntu SMP Wed Mar 30 15:54:22 UTC 2022
5.15.0-27-generic #28-Ubuntu SMP Thu Apr 14 04:55:28 UTC 2022
5.15.0-30-generic #31-Ubuntu SMP Thu May 5 10:00:34 UTC 2022
5.15.0-33-generic #34~20.04.1-Ubuntu SMP Thu May 19 15:51:16 UTC 2022
5.15.0-33-generic #34-Ubuntu SMP Wed May 18 13:34:26 UTC 2022
...
5.15.0-88-generic #98-Ubuntu SMP Mon Oct 2 15:18:56 UTC 2023
5.15.0-89-generic #99~20.04.1-Ubuntu SMP Thu Nov 2 15:16:47 UTC 2023
5.15.0-89-generic #99-Ubuntu SMP Mon Oct 30 20:42:41 UTC 2023
5.15.0-91-generic #101~20.04.1-Ubuntu SMP Thu Nov 16 14:22:28 UTC 2023
5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023

Check for Reduced Functionality Mode (RFM)

sudo /opt/CrowdStrike/falconctl -g --rfm-state

Good:

rfm-state=false

Not so good:

rfm-state=true

If rfm-state=true, check the reason:

sudo /opt/CrowdStrike/falconctl -g --rfm-reason
# healthy host (worth asking anyway):
rfm-reason=None, code=0x0.
# host in RFM:
rfm-reason=Modules file was not found, code=0xC0000034.
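The kernel-support check, the RFM checks and the service check above can be combined into one script. The following is an added example, not the wiki's own or CrowdStrike's code; it assumes only the /opt/CrowdStrike/falconctl and /opt/CrowdStrike/falcon-kernel-check paths and output formats shown on this page, and that falcon-sensor is a systemd unit.

```shell
#!/bin/sh
# Added example, not from the wiki page or from CrowdStrike: combine the
# kernel-support, RFM and service checks. Paths are the ones the page uses.
FALCONCTL=/opt/CrowdStrike/falconctl
KCHECK=/opt/CrowdStrike/falcon-kernel-check

# Parse "rfm-state=false" / "rfm-state=true" into ok / rfm / unknown.
rfm_verdict() {
    case "$1" in
        rfm-state=false) echo ok ;;
        rfm-state=true)  echo rfm ;;
        *)               echo unknown ;;
    esac
}

# Parse falcon-kernel-check's verdict line ("... is supported by Sensor
# version N" vs "... is not supported by ...") into ok / unsupported / unknown.
kernel_verdict() {
    case "$1" in
        *" is not supported by "*) echo unsupported ;;
        *" is supported by "*)     echo ok ;;
        *)                          echo unknown ;;
    esac
}

# Extract the code from "rfm-reason=<text>, code=0x....", e.g. 0xC0000034.
rfm_code() {
    printf '%s\n' "$1" | sed -n 's/.*code=\(0x[0-9A-Fa-f]*\).*/\1/p'
}

# Run the live checks; returns non-zero if the sensor needs attention.
check_sensor() {
    rc=0
    if [ "$(rfm_verdict "$(sudo "$FALCONCTL" -g --rfm-state)")" != ok ]; then
        rc=1
        reason=$(sudo "$FALCONCTL" -g --rfm-reason)
        echo "sensor in RFM: $reason (code $(rfm_code "$reason"))"
    fi
    kline=$("$KCHECK" 2>&1)
    if [ "$(kernel_verdict "$kline")" != ok ]; then
        rc=1
        echo "kernel problem: $kline"
        echo "kernels supported by this sensor in the running series:"
        "$KCHECK" -k "$(uname -r | cut -d. -f1,2)"
    fi
    systemctl is-active --quiet falcon-sensor || { rc=1; echo "falcon-sensor is not active"; }
    [ "$rc" -eq 0 ] && echo "sensor healthy on kernel $(uname -r)"
    return "$rc"
}
if [ "${1-}" = run ]; then check_sensor; fi
```

Invoke it as `sh check-falcon.sh run` on the host; without the argument it only defines the functions.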

Check File System Service

Windows System Service

Check that the sensor is running: [1]

sc query csagent
C:\>sc query csagent

SERVICE_NAME: csagent
        TYPE               : 2  FILE_SYSTEM_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0


Note: This is a different service from the one shown in the Services manager.

Linux System Service

systemctl status falcon-sensor
# ps aux | grep falcon
root         858  0.0  0.0   2684   104 ?        Ss   Mar08   0:00 /opt/CrowdStrike/falcond
root         859  0.0  0.0 1253844 11552 ?       Sl   Mar08   5:09 falcon-sensor
# lsmod | grep -i falcon
falcon_lsm_serviceable  1798144  1
falcon_nf_netcontain    20480  1
falcon_kal             94208  1 falcon_lsm_serviceable
falcon_lsm_pinned_16604   155648  1
falcon_lsm_pinned_16303   151552  1

Linux

Dependency:

apt install libnl-3-200
cd /opt
dpkg -i falcon-sensor_6.53.0-15003_amd64.deb
# /opt/CrowdStrike/falconctl -s --cid="XXXX" 
# Note: need -f with the --cid, example:
#   "CID is set, but -f was not specified"
/opt/CrowdStrike/falconctl -s -f --cid="XXXX" 
/opt/CrowdStrike/falconctl -s --trace=warn
systemctl enable falcon-sensor
systemctl restart falcon-sensor
/opt/CrowdStrike/falconctl -s --trace=info
systemctl status falcon-sensor
/opt/CrowdStrike/falconctl -g --cid
/opt/CrowdStrike/falconctl -g --trace
service falcon-sensor status
service falcon-sensor restart
ps aux | grep sensor
ps aux | grep falcon


How to Install the CrowdStrike Falcon Sensor for Linux
https://www.crowdstrike.com/blog/tech-center/install-falcon-sensor-for-linux/

Pi Not Supported

Raspberry Pi is not supported

root@pitest:~# dpkg -i falcon-sensor_6.53.0-15003_amd64.deb
dpkg: error processing archive falcon-sensor_6.53.0-15003_amd64.deb (--install):
 package architecture (amd64) does not match system (armhf)
Errors were encountered while processing:
 falcon-sensor_6.53.0-15003_amd64.deb

root@pitest:~# uname -a
Linux pitest 5.15.74-v7l+ #1595 SMP Wed Oct 26 11:05:08 BST 2022 armv7l GNU/Linux


Installation Path

Windows Install Path

CS is installed in:

C:\Windows\System32\drivers\CrowdStrike

ref: [2]

Linux Install Path

/opt/CrowdStrike/

Uninstall

In order to uninstall current versions of CrowdStrike, you will need to obtain a maintenance token, which is unique to each system. To obtain this token, email YOUR IT ADMIN stating that you need a maintenance token to uninstall CrowdStrike. You will also need to provide your unique agent ID as described below. The Security Team may be able to find your host by a combination of hostname, IP address and/or MAC address.

You can retrieve the host's device ID or AID (agent ID) locally by running the following commands at a Command Prompt/Terminal.

Windows: reg query HKLM\System\CurrentControlSet\services\CSAgent\Sim\ /f AG

Mac sensor version 6.x: sudo /Applications/Falcon.app/Contents/Resources/falconctl stats | grep agentID

Once the Security Team provides this maintenance token, you may proceed with the below instructions.

Windows

  • Go to the Control Panels, select Uninstall a Program, and select CrowdStrike Falcon Sensor

Mac OS

  • This depends on the version of the sensor you are running. You can check using the sysctl cs command mentioned above, but unless you are still using Yosemite you should be on 6.x at this point. For those unfamiliar with sudo: you will be prompted for the password of the account you are logged in as, so that the command can run with elevated privileges. The Falcon Agent will also require Full Disk Access for the uninstall. On macOS 13 and above, Terminal will need to be added to App Management.
    • Sensor version 6.x and above, navigate to the Terminal command line and type:

sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall --maintenance-token

    • Enter token-from-security-team when prompted
    • You can also unload/load the sensor if you think you are having problems:

sudo /Applications/Falcon.app/Contents/Resources/falconctl load
sudo /Applications/Falcon.app/Contents/Resources/falconctl unload --maintenance-token

    • Enter token-from-security-team when prompted

Linux

sudo service falcon-sensor stop

  • Remove the package using the appropriate rpm or deb package command. The package name will be like falcon-sensor-4.18.0-6403.el7.x86_64

ref: [3]

Check for connection to cloud

sudo netstat -tapn | grep falcon

Should see something like:

tcp        0      0    192.0.2.176:35382       ec2-54-148-96-12:443          ESTABLISHED 3228/falcon-sensor

BSOD 2024 Issue

There is a worldwide issue with Windows machines running CrowdStrike getting a BSOD and getting stuck in an endless loop of restarts.

This applies only to Windows devices that are down, blue-screening, or rebooting in a loop. If a device is working fine, there is no issue.

Here are the instructions to resolve the issue on impacted devices:

  1. Boot Windows into Safe Mode or the Windows Recovery Environment
  2. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
  3. Locate the file matching “C-00000291*.sys”, and delete it.
  4. Boot the host normally.
https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/

This one didn't continually crash my systems (only once, but recovered):

C:\Windows\System32\drivers\CrowdStrike\C-00000291-00000000-00000098.sys
1e9d1430e9b57372fc94711c7e0db32e9f1a4f2d7f2f01e8cd8cf0ecb46af1c6 *C-00000291-00000000-00000098.sys

This one perpetually crashed my system:

C:\Windows\System32\drivers\CrowdStrike\C-00000291-00000000-00000097.sys
CFBC480E22434E1045A8DE17DD1DED4B6FC66131BA98D0C23CBCA543A988924F *C-00000291-00000000-00000097.sys
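As an added example (not from the page or from CrowdStrike), the following script triages the C-00000291*.sys channel files against the two SHA-256 values recorded above, so you know which file a host actually had before following the deletion steps. It assumes the affected volume's CrowdStrike drivers directory is mounted on a Linux rescue system (the mount path is an assumption) and that sha256sum is available.

```shell
#!/bin/sh
# Added example, not from the wiki page or from CrowdStrike. The two SHA-256
# values are the ones recorded on the page; the directory argument is assumed
# to be the affected volume's drivers directory mounted on a Linux rescue
# system, e.g. /mnt/win/Windows/System32/drivers/CrowdStrike (assumed path).
# Normalised to lower case so either spelling of a hash compares equal.
BAD_97=$(printf '%s' CFBC480E22434E1045A8DE17DD1DED4B6FC66131BA98D0C23CBCA543A988924F | tr 'A-F' 'a-f')
OK_98=1e9d1430e9b57372fc94711c7e0db32e9f1a4f2d7f2f01e8cd8cf0ecb46af1c6

# Map a SHA-256 (either case) to what the page observed for that file.
classify_hash() {
    h=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$h" in
        "$BAD_97") echo crash-loop ;;
        "$OK_98")  echo recovered ;;
        *)         echo unknown ;;
    esac
}

# Hash every C-00000291*.sys in a directory and print "name hash verdict" per
# file; returns 1 if the crash-loop file is present, so the caller can record
# what was there before applying the page's fix (delete every C-00000291*.sys).
triage_channel_files() {
    dir=$1; found=0
    for f in "$dir"/C-00000291*.sys; do
        [ -e "$f" ] || { echo "no C-00000291*.sys in $dir"; return 0; }
        h=$(sha256sum "$f" | cut -d' ' -f1)
        v=$(classify_hash "$h")
        echo "$(basename "$f") $h $v"
        [ "$v" = crash-loop ] && found=1
    done
    return "$found"
}
if [ -n "${1-}" ]; then triage_channel_files "$1"; fi
```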

Post Incident Review

Preliminary Post Incident Review
https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/
Windows Security best practices for integrating and managing security tools | Microsoft Security Blog
https://www.microsoft.com/en-us/security/blog/2024/07/27/windows-security-best-practices-for-integrating-and-managing-security-tools/
Patrick Wardle's analysis (spawns several discussions, which is how I found the above)
https://x.com/patrickwardle/status/1814583925223678281

References