Issue
When using CrowdStrike sensors, some playbooks may fail to execute when performing file-based actions like Delete File.
Environment
Red Canary and CrowdStrike Falcon
Resolution
CrowdStrike telemetry sends file paths to Red Canary as NT device paths, for example:
\Device\HarddiskVolume3\Path\To\Malicious\File
However, delete commands require the drive-letter form of the same path:
C:\Path\To\Malicious\File
Per CrowdStrike's direction, Red Canary created a solution which requires the following:
- Custom Scripts must be enabled in Real Time Response policies. To enable them, navigate to Configuration > Response Policies and edit the applicable response policy. Ensure that both "Real Time Response" and "Custom Scripts" are enabled.
- The attached PowerShell script, which maps device paths to drive paths, must be added as a custom script. To add it, copy and paste the entirety of the script into the CrowdStrike console and ensure the script is named "get_device_to_drive_mappings".
This script returns device-to-drive mappings as NDJSON (one JSON object per line), which allows Red Canary to translate the device paths in CrowdStrike telemetry into drive paths. Here's an example of its output:
{"DevicePath":"\\Device\\HarddiskVolume3","DriveLetter":"C:"}
{"DevicePath":"\\Device\\CdRom0","DriveLetter":"D:"}
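For readers who want to see how such a mapping can be produced and consumed, the following is an added, illustrative example written for this article. It is not the script attached above and should not be used in place of it. It assumes Windows PowerShell 5.1 or later on the endpoint, resolves each drive letter with the Win32 QueryDosDevice API, and emits the same NDJSON shape shown above. The ConvertTo-DrivePath helper is a hypothetical consumer-side routine included only to show how the mapping is applied to a telemetry path; it is not part of what the RTR script needs to output.

```powershell
# Added example (illustrative, not the script attached to this article).
# Assumes Windows PowerShell 5.1+ on the host, as Real Time Response custom
# scripts run there. Output: one compact JSON object per line (NDJSON) in the
# form {"DevicePath":"\\Device\\HarddiskVolume3","DriveLetter":"C:"}.

# P/Invoke the Win32 QueryDosDevice API, which resolves a DOS device name
# such as "C:" to its NT object path such as "\Device\HarddiskVolume3".
Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern uint QueryDosDevice(
    string lpDeviceName, System.Text.StringBuilder lpTargetPath, int ucchMax);
'@

function Get-DeviceToDriveMapping {
    # Probe every possible drive letter; unmapped letters return 0.
    $buffer = New-Object System.Text.StringBuilder 1024
    foreach ($code in 65..90) {
        $drive = '{0}:' -f [char]$code
        [void]$buffer.Clear()
        $length = [Win32.Kernel32]::QueryDosDevice($drive, $buffer, $buffer.Capacity)
        if ($length -eq 0) { continue }
        # The API returns a MULTI_SZ; the marshaller stops at the first NUL,
        # which is the current (topmost) target for that letter.
        [pscustomobject][ordered]@{
            DevicePath  = $buffer.ToString()
            DriveLetter = $drive
        }
    }
}

function ConvertTo-DrivePath {
    # Hypothetical consumer-side helper: rewrite a telemetry path such as
    # "\Device\HarddiskVolume3\Path\To\File" to "C:\Path\To\File" using the
    # mappings produced above. The device prefix is matched as a whole path
    # component, so "\Device\HarddiskVolume1" does not also match
    # "\Device\HarddiskVolume10\...".
    param(
        [Parameter(Mandatory)][string]$DevicePath,
        [Parameter(Mandatory)][object[]]$Mappings
    )
    foreach ($m in $Mappings) {
        $prefix = $m.DevicePath.TrimEnd('\') + '\'
        if ($DevicePath.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $m.DriveLetter + '\' + $DevicePath.Substring($prefix.Length)
        }
        if ($DevicePath -ieq $m.DevicePath) { return $m.DriveLetter + '\' }
    }
    return $null   # no mapping, e.g. a volume that has no drive letter
}

# Script output for RTR: NDJSON only, nothing else on stdout.
Get-DeviceToDriveMapping | ForEach-Object { ConvertTo-Json -InputObject $_ -Compress }
```

Two practical notes. First, QueryDosDevice also answers for letters that are not fixed disks: network drives resolve to paths under \Device\LanmanRedirector or \Device\Mup, and SUBST drives resolve to \??\C:\... targets; those never match the \Device\HarddiskVolumeN prefixes CrowdStrike reports and are harmless in the output. Second, a telemetry path for a volume that has no drive letter (for example a mounted folder or the EFI partition) has no entry in the mapping, so a consumer should treat a null result from the translation step as "cannot delete by drive path" rather than falling back to the raw device path.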
Once a script named "get_device_to_drive_mappings" has been added to CrowdStrike, Red Canary must manually enable the setting that makes use of the script for your account; the issue is not fully resolved until that has been done.