Issue
When using CrowdStrike sensors, some playbooks may fail to execute when performing file-based actions like Delete File.
Environment
Red Canary and CrowdStrike Falcon
Resolution
CrowdStrike telemetry sends file path data to Red Canary in the following format: \\Device\\HarddiskVolume3\\Path\To\Malicious\File
However, for delete commands Red Canary expects file paths in this format:
C:\\Path\To\Malicious\File
Per CrowdStrike's direction, Red Canary created a solution which requires the following:
- Custom Scripts must be enabled in Real Time Response policies.
- To enable custom scripts, navigate to Configuration > Response Policies then edit the applicable response policy. Ensure that both "Real Time Response" and "Custom Scripts" are enabled:
- To enable custom scripts, navigate to Configuration > Response Policies then edit the applicable response policy. Ensure that both "Real Time Response" and "Custom Scripts" are enabled:
- The attached PowerShell script that maps device paths to drive paths.
- To apply the script, copy and paste the entirety of the script into the CrowdStrike console.
- Ensure the script is named "get_device_to_drive_mappings".
This script returns device-to-drive mappings in NDJSON and allows Red Canary to work around path-formatting issues in CrowdStrike telemetry. Here's an example of its output:
{"DevicePath":"\\Device\\HarddiskVolume3","DriveLetter":"C:"}
{"DevicePath":"\\Device\\CdRom0","DriveLetter":"D:"}
Once a script with the name "get_device_to_drive_mappings" is added to CrowdStrike, Red Canary must manually enable the setting to utilize the script for that account to fully resolve the issue.
Dev Note
Here's the code needed to fix this.
switch_to :<customersubdomain>
TenantedSetting.enabled_sensor_ids_for_device_to_ drive_mappings = ["ALL"]
Comments
0 comments
Please sign in to leave a comment.