Question

Endpoint Security Assessment - Troubleshooting



Hi there! 
I’m doing a POC with a customer that has CrowdStrike Falcon as their solution.
We are testing EDR assessment. 

Before we start, I sent him some URLs as pre-req: 

*.app.cymulate.com
agents.app.cymulate.com
edr-resources.app.cymulate.com
C:\Program Files\Cymulate\Agent\**
C:\ProgramData\Cymulate\Agent\**
C:\Program Files\Cymulate\Agent\Executor\220.0 
CymulateEDRScenarioExecutor.exe

We’re facing some issues because the assessment is not working properly.
Below is the attack trace.

[2024-05-31 15:53:56] - Scenario::StartScenarioExecutor() Exception - ProgProcess.Start(C:\Program Files\Cymulate\Agent\Executor\220.0\CymulateEDRScenarioExecutor.exe) - System.ComponentModel.Win32Exception (5): An error occurred trying to start process 'C:\Program Files\Cymulate\Agent\Executor\220.0\CymulateEDRScenarioExecutor.exe' with working directory 'C:\Program Files\Cymulate\Agent\Executor\220.0'. Acesso negado.
at System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo)
at CymulateEDR.Scenario.StartScenarioExecutor()



And I already sent to my customer the KB about Crowdstrike. 
I really don’t know what’s going on, and of course PROBABLY my customer did not apply all the steps that this KB requests (CrowdStrike Falcon - Setting up Exclusions (document360.io)).

I mean, is there anything else that I should whitelist?

Thank you!! 


3 replies


That looks like a whitelisting problem. Cymulate cannot launch the scenario executor process as it’s most likely being blocked by CrowdStrike.


Hi @eduardo_elias 

Please follow this guide for CrowdStrike [Falcon] exclusions:
https://app.cymulate.com/cym/sso/document360?redirect=/docs/crowdstrike-falcon-setting-up-exclusions
 

Hi Eduardo,

 

That is an exclusions problem. Follow the guide that Or Hamra sent you, and ask them to send you the evidence, because they are quite reluctant to set up the exclusions in CrowdStrike. Also, you need to change the folder where the payloads are executed, because in some cases CrowdStrike blocks access there anyway =).

 

Regards
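An added diagnostic for the access-denied error in the trace above, to run on the affected host before escalating the exclusions further. This is my own script, not Cymulate’s or CrowdStrike’s tooling; it assumes the executor path from the trace and that the Falcon sensor service is named CSFalconService.

```powershell
# Added diagnostic, not Cymulate's or CrowdStrike's own code. Assumptions: the
# executor path is the one in the trace above, and the Falcon sensor service is
# named CSFalconService (assumed; adjust for your tenant).
param(
    [string]$Executor = 'C:\Program Files\Cymulate\Agent\Executor\220.0\CymulateEDRScenarioExecutor.exe',
    [string]$FalconService = 'CSFalconService'
)
# 1. Are the prerequisite paths from the question actually present on this host?
$paths = @('C:\Program Files\Cymulate\Agent', 'C:\ProgramData\Cymulate\Agent', $Executor)
foreach ($p in $paths) {
    $state = if (Test-Path -LiteralPath $p) { 'present' } else { 'MISSING' }
    Write-Host ("[{0,-7}] {1}" -f $state, $p)
}

# 2. NTFS: an explicit Deny ACE also yields Win32 error 5, so rule it out first.
if (Test-Path -LiteralPath $Executor) {
    $denies = (Get-Acl -LiteralPath $Executor).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' }
    if ($denies) {
        Write-Host 'Explicit Deny ACEs on the executor:'
        Write-Host ($denies | Format-Table IdentityReference, FileSystemRights -AutoSize | Out-String)
    } else {
        Write-Host 'No explicit Deny ACEs on the executor; NTFS is not the blocker.'
    }
}

# 3. Is the Falcon sensor service installed and running?
$svc = Get-Service -Name $FalconService -ErrorAction SilentlyContinue
if ($svc) { Write-Host ("Falcon sensor service '{0}' is {1}." -f $svc.Name, $svc.Status) }
else      { Write-Host ("Service '{0}' not found; verify the sensor service name." -f $FalconService) }

# 4. Reproduce the call that fails in the trace (Process.Start with the same working
#    directory) and decode the Win32 error. If the executor starts, stop it at once.
$psi = New-Object System.Diagnostics.ProcessStartInfo
$psi.FileName         = $Executor
$psi.WorkingDirectory = Split-Path -Parent $Executor
$psi.UseShellExecute  = $false
try {
    $proc = [System.Diagnostics.Process]::Start($psi)
    Write-Host ("Executor started (PID {0}); stopping it." -f $proc.Id)
    $proc.Kill()
} catch {
    # PowerShell wraps .NET exceptions; unwrap to the Win32Exception if present.
    $ex = $_.Exception
    while ($ex -and -not ($ex -is [System.ComponentModel.Win32Exception])) { $ex = $ex.InnerException }
    # NativeErrorCode 5 = ERROR_ACCESS_DENIED. With no Deny ACE above, review the
    # Falcon detections for this path and re-check the exclusions from the KB.
    if ($ex) { Write-Host ("Process.Start failed: Win32 error {0} ({1})" -f $ex.NativeErrorCode, $ex.Message) }
    else     { Write-Host ("Process.Start failed: {0}" -f $_.Exception.Message) }
}
```

If step 2 shows no Deny ACE and step 4 still returns error 5, the block is coming from a policy layer (EDR, AppLocker or WDAC) rather than file permissions, which is the evidence worth asking the customer for.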
