CrowdStrike Remediation (retrieve BitLocker Keys FIRST!)

Fix: (have bitlocker keys READY before attempting)

From Safe-Mode:

cd %systemroot%\system32\drivers\CrowdStrike
del C-00000291*.sys

Impact

Customers running Falcon sensor for Windows version 7.11 and above, that were online between Friday, July 19, 2024 04:09 UTC and Friday, July 19, 2024 05:27 UTC, may be impacted.

Systems running Falcon sensor for Windows 7.11 and above that downloaded the updated configuration from 04:09 UTC to 05:27 UTC were susceptible to a system crash.

Technical Details

On Windows systems, Channel Files reside in the following directory:

C:\Windows\System32\drivers\CrowdStrike\

and have a file name that starts with “C-”. Each channel file is assigned a number as a unique identifier. The impacted Channel File in this event is 291 and will have a filename that starts with “C-00000291-” and ends with a .sys extension. Although Channel Files end with the SYS extension, they are not kernel drivers.

Channel File 291 controls how Falcon evaluates named pipe execution on Windows systems. Named pipes are used for normal, interprocess or intersystem communication in Windows.

The update that occurred at 04:09 UTC was designed to target newly observed, malicious named pipes being used by common C2 frameworks in cyberattacks. The configuration update triggered a logic error that resulted in an operating system crash.

sauce: Technical Details: Falcon Update for Windows Hosts | CrowdStrike

Video: https://www.youtube.com/watch?v=Bn5eRUaMZXk

9 Likes
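The same remediation as a PowerShell script, added here as an example and not taken from the thread or from CrowdStrike: it lists Channel File 291 on the host, compares its timestamp with the impact window quoted in the post, and deletes it only when -Remove is given. It assumes an elevated prompt (Safe Mode works) and the channel directory named in the post.

```powershell
# Added example: inspect Channel File 291 and optionally delete it.
# Assumptions: elevated PowerShell on the affected host; directory and
# impact window (2024-07-19 04:09 to 05:27 UTC) are taken from the post above.
param(
    [switch]$Remove   # report only unless this switch is present
)

$channelDir  = Join-Path $env:SystemRoot 'System32\drivers\CrowdStrike'
$windowStart = [datetime]::new(2024, 7, 19, 4, 9, 0, [DateTimeKind]::Utc)
$windowEnd   = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc)

if (-not (Test-Path -LiteralPath $channelDir)) {
    Write-Warning "Channel directory not found: $channelDir (Falcon sensor not installed?)"
    return
}

# Match only channel 291. The extension test guards against the 8.3-style
# wildcard quirk where '*.sys' can also match longer extensions.
$files = Get-ChildItem -LiteralPath $channelDir -Filter 'C-00000291*.sys' -File |
         Where-Object { $_.Extension -eq '.sys' }

if (-not $files) {
    Write-Output 'No Channel File 291 present; nothing to do.'
    return
}

foreach ($f in $files) {
    $written  = $f.LastWriteTimeUtc
    # True when the file was written during the window the post describes
    $inWindow = ($written -ge $windowStart) -and ($written -le $windowEnd)

    $removed = $false
    if ($Remove) {
        # Same effect as the post's 'del C-00000291*.sys', one file at a time
        Remove-Item -LiteralPath $f.FullName -Force
        $removed = $true
    }

    [pscustomobject]@{
        Name           = $f.Name
        SizeBytes      = $f.Length
        LastWriteUtc   = $written.ToString('u')
        InImpactWindow = $inWindow
        Removed        = $removed
    }
}
```

Run it once without -Remove to see what is present, then again with -Remove once the BitLocker recovery key is on hand in case the host asks for it on the next boot.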

Bump and *grabs popcorn* :popcorn:

7 Likes

Good work, @TryTwiceMedia Thank you for this writeup!

3 Likes

Not gonna lie, I went around and got a few new clients during the outage on Friday while our competitors were overwhelmed. Our local competition had already outsourced their tech support overseas, so customers are being told to run SFC and DISM on BSOD’d machines.

I appreciate your appreciation.

7 Likes

Why is the competition so nasty for local tech here? They really don’t want us to succeed.

4 Likes

Haha ohhhh, that’s got to be good for you guys huh?

4 Likes

It’s really not. We’re a small business that specializes in niche computer fields (CNC manufacturing, media broadcast equipment, security compliance auditing / remediation, etc.)

I have MSP engineers and on-site techs, but the bulk of our income is esoteric computer applications, not basic tech support.

We do not have the manpower to go fix computers being managed by other companies, especially since several have sent me texts along the lines of, “stop stealing our customers!!”

Those poor customers signed MSP contracts spanning years with no SLA and now they’re SOL.

6 Likes

For those who still need it, here is a bootable tool from Microsoft that removes the file for you, in case someone does not want to go through all the commands to get through this. You will need the BitLocker key for this to work.

5 Likes