Closed bobby-tablez closed 10 months ago
Hi, may I know if this tool has been tested with a CrowdStrike instance and managed to block its traffic?
I haven't done any formal testing, just targeting the running CSF processes. I can do some more in-depth testing and report back.
Glad you prompted for this! Looks like we've got IP communication from two areas. First, CSF creates a thread from the main system process which it uses for its cloud communication. Obviously blocking this would be bad unless it were limited to HTTPS traffic to "*.compute.amazonaws.com" and "ts01-b.cloudsink.net" based on my observations.
However, after running EDRSilencer, I am seeing confirmed EVID 5152 logs referencing blocked packets from "\device\harddiskvolume3\program files\crowdstrike\csfalconservice.exe" every hour. Monitoring the affected host in the CSF portal, it does not knock the host offline and alerts are still rolling in.
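A defender-side way to surface the symptom described in the comment above (Security log 5152 drops attributed to the sensor binary) from exported event records. This is an added example, not code from EDRSilencer or from anyone in this thread: the flattened record layout, the addresses, ports and filter IDs are constructed test data, and the watchlist is an assumption seeded only with the binary path quoted above.

```python
from collections import Counter

# Watchlist of EDR sensor binaries whose WFP packet drops deserve an alert; only
# the binary named in the thread is listed (assumption: extend for your sensor).
EDR_BINARIES = {"csfalconservice.exe"}

# Constructed sample records: Security log EventID 5152 (Filtering Platform
# Packet Drop) bodies flattened to "key=value; ..." lines. Field names follow the
# real 5152 message; addresses, ports and filter IDs are made-up test data.
SAMPLE_EVENTS = [
    "EventID=5152; Application Name=\\device\\harddiskvolume3\\program files\\crowdstrike\\csfalconservice.exe; "
    "Direction=Outbound; Destination Address=203.0.113.10; Destination Port=443; Filter Run-Time ID=70135",
    "EventID=5152; Application Name=\\device\\harddiskvolume3\\windows\\system32\\svchost.exe; "
    "Direction=Inbound; Destination Address=192.0.2.5; Destination Port=137; Filter Run-Time ID=66001",
    "EventID=5152; Application Name=\\device\\harddiskvolume3\\program files\\crowdstrike\\csfalconservice.exe; "
    "Direction=Outbound; Destination Address=203.0.113.11; Destination Port=443; Filter Run-Time ID=70135",
    "EventID=5156; Application Name=\\device\\harddiskvolume3\\program files\\crowdstrike\\csfalconservice.exe; "
    "Direction=Outbound; Destination Address=203.0.113.10; Destination Port=443; Filter Run-Time ID=0",
]

def parse_event(line):
    """Split one flattened record into a dict of its fields."""
    fields = {}
    for part in line.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def edr_drops(lines, watchlist=EDR_BINARIES):
    """Return parsed 5152 records whose dropping application is a watched EDR binary."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "5152":
            continue  # 5156 (permit) and other IDs are not drops
        binary = ev.get("Application Name", "").lower().rsplit("\\", 1)[-1]
        if binary in watchlist:
            ev["Binary"] = binary
            hits.append(ev)
    return hits

def summarize(hits):
    """Count drops per (binary, filter run-time ID): one ID repeatedly dropping
    sensor traffic points at a single persistent WFP filter worth inspecting."""
    return Counter((h["Binary"], h["Filter Run-Time ID"]) for h in hits)

if __name__ == "__main__":
    for (binary, filter_id), n in summarize(edr_drops(SAMPLE_EVENTS)).items():
        print(f"ALERT {binary}: {n} packet(s) dropped by WFP filter {filter_id}")
```

On a real host the same fields come from the Security log with Filtering Platform Packet Drop auditing enabled; the filter run-time ID can then be matched against the WFP filter list to find and remove the offending filter.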
I'll go ahead and close this as the proposed change doesn't produce the desired effect in testing.
Add CS Falcon binaries.
Installed in "C:\Program Files\CrowdStrike"