Solved

Immediate Threats - Crowdstrike Doesn't show file execution logs

  • 27 March 2023
  • 2 replies
  • 290 views


Hi All, I was analyzing a few immediate threat reports and saw some binaries were executed by Cymulate and not prevented by Crowdstrike. But a hash search in CS doesn’t show any sign of the file execution? Why does this happen? Is this something to do with the file exclusion?


Best answer by Shiraz 27 March 2023, 14:34


2 replies


Hi @nithun_chand 

  1. Have you experienced any issues with your CS in other assessments, either within this module or in other modules?
  2. We have a document detailing CS exclusions. Please review it and check if there are any configurations you may have missed.


Shiraz

Product Manager

Cymulate


I have had some experience in our environment with this and reached out to Crowdstrike for clarification. Crowdstrike will only actively quarantine or block malicious files or hashes that are .exe or .dll. Any other file types/extensions, they will wait for the file to then be executed before they step in and take action (Ex: a .ps1 file will not get quarantined or blocked by CS but if this PowerShell file executes malicious code then they will jump in based on what is run). This also applies if you add hashes as an IOC for a file type that is not .exe or .dll. Crowdstrike will not block these as they will not see the hashes for these files.

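Added example (not part of this thread, and not CrowdStrike's or Cymulate's code): a small Python triage helper that applies the behaviour described in the reply above when reconciling an assessment report against the console. The rule it encodes (hash-based visibility for .exe/.dll only, scripts judged when an interpreter runs them) is taken from that reply, not from vendor documentation. The artifact list, the set of hash-search hits and the process-execution events are constructed sample data in a generic format, and the interpreter regexes are assumptions that only need to fit those events. For a script artifact the helper searches for the interpreter execution that names the file, which is where the reply says the EDR would act, instead of expecting a hit on the file's own hash.

```python
import hashlib
import os
import re
from dataclasses import dataclass

# Encodes the behaviour described in the reply above: hash-based prevention is
# reported only for executables and libraries; other file types are judged when
# an interpreter actually runs them. (Assumption for this example, taken from
# the forum reply, not from vendor documentation.)
HASH_ACTIONABLE_EXTENSIONS = {".exe", ".dll"}

# Interpreters whose command line names the script they run. These regexes are
# assumptions for this example and only need to match the constructed events.
INTERPRETER_PATTERNS = {
    ".ps1": re.compile(r"powershell(?:\.exe)?.*?(?P<path>\S+\.ps1)", re.IGNORECASE),
    ".vbs": re.compile(r"[cw]script(?:\.exe)?.*?(?P<path>\S+\.vbs)", re.IGNORECASE),
    ".bat": re.compile(r"cmd(?:\.exe)?.*?(?P<path>\S+\.bat)", re.IGNORECASE),
}

VERDICT_HASH_VISIBLE = "hash-visible: file appears in hash search"
VERDICT_PE_MISSING = "unexpected: .exe/.dll hash absent, check exclusions"
VERDICT_SCRIPT_RUN = "expected: non-PE file, search the interpreter execution instead"
VERDICT_SCRIPT_IDLE = "expected: non-PE file, no execution event found"


@dataclass(frozen=True)
class Artifact:
    path: str     # path the assessment dropped the file at
    sha256: str   # hash you would paste into the console's hash search


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def leaf_name(path: str) -> str:
    """File name only, tolerant of Windows/POSIX separators and surrounding quotes."""
    return re.split(r"[\\/]", path.strip("\"'"))[-1].lower()


def extension(path: str) -> str:
    return os.path.splitext(leaf_name(path))[1]


def find_executions(artifact: Artifact, process_events):
    """Process events whose command line runs this artifact through an interpreter."""
    pattern = INTERPRETER_PATTERNS.get(extension(artifact.path))
    if pattern is None:
        return []
    wanted = leaf_name(artifact.path)
    hits = []
    for event in process_events:
        match = pattern.search(event["cmdline"])
        if match and leaf_name(match.group("path")) == wanted:
            hits.append(event)
    return hits


def triage(artifacts, hash_search_hits, process_events):
    """Map each artifact path to a verdict explaining the hash-search result."""
    report = {}
    for artifact in artifacts:
        if artifact.sha256 in hash_search_hits:
            verdict = VERDICT_HASH_VISIBLE
        elif extension(artifact.path) in HASH_ACTIONABLE_EXTENSIONS:
            verdict = VERDICT_PE_MISSING
        elif find_executions(artifact, process_events):
            verdict = VERDICT_SCRIPT_RUN
        else:
            verdict = VERDICT_SCRIPT_IDLE
        report[artifact.path] = verdict
    return report


# Constructed sample data: four assessment artifacts, the hashes the console's
# hash search returned, and generic process-execution events. None of this is
# real CrowdStrike or Cymulate output.
ARTIFACTS = [
    Artifact(r"C:\assess\payload.exe", sha256_of_bytes(b"MZ constructed sample 1")),
    Artifact(r"C:\assess\helper.exe", sha256_of_bytes(b"MZ constructed sample 2")),
    Artifact(r"C:\assess\dropper.ps1", sha256_of_bytes(b"Write-Host constructed")),
    Artifact(r"C:\assess\stage.vbs", sha256_of_bytes(b"MsgBox constructed")),
]
HASH_SEARCH_HITS = {ARTIFACTS[0].sha256}
PROCESS_EVENTS = [
    {"pid": 4120, "cmdline": r'powershell.exe -File "C:\assess\dropper.ps1"'},
    {"pid": 4188, "cmdline": r"cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for path, verdict in triage(ARTIFACTS, HASH_SEARCH_HITS, PROCESS_EVENTS).items():
        print(f"{path}: {verdict}")
```

With the constructed data, payload.exe is reported as hash-visible, helper.exe as an unexpected gap worth checking against the exclusion document mentioned above, dropper.ps1 as expected (its execution shows up under powershell.exe rather than under its own hash), and stage.vbs as expected with no execution recorded. To use it against a real report, replace the constructed lists with the artifact hashes from the assessment and the process events exported from your console.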