How to Remotely Remediate an Incident

Introduction

This document and video will demonstrate how to use Real Time Response to access and remediate an endpoint with Falcon Insight. Real Time Response provides the tools to limit exposure, remediate systems, and protect the larger environment.

Prerequisites

  • Subscription: Falcon Insight
  • Hosts Requirements:
    • Windows Hosts
      • All supported versions of Falcon sensor for Windows support Real Time Response. Falcon sensor for Windows version 4.22.8504 or later is required for the updates announced in the following release notes: Real Time Response – Expanded response & remediation capabilities; New access controls.
      • PowerShell: 3.0 or later is recommended; at least 2.0 is required. PowerShell constrained language mode must not be enabled.
      • .NET Framework: 4.5 or later is recommended; at least 3.5 is required.
      • Policy Requirements: In order to perform Real Time Response on a Windows host, the target host must be in a group associated with a response policy that has Real Time Response enabled.
    • Mac Hosts
      • Falcon sensor for macOS version 5.13 and later supports Real Time Response.
      • Policy Requirements: None
  • User Role: Falcon users must have one of the three Real Time Responder roles to remotely connect to a host. The Falcon Administrator role does not include access to Real Time Response by default. You must assign the appropriate role to each user who needs access to Real Time Response.

rtr role list

Establish the Session

In the Falcon UI, navigate to Activity > Detections. Commonly, a new detection will be the event that triggers a need for remediation. Directly from a given detection, the “Connect to Host” button allows you to remotely connect and take action.

detection connect to host

You can also connect to a host from Hosts > Host Management.

Remediate - connect to host

Remediation Options

Run Commands

Once connected, you will be presented with a list of commands and capabilities available in Real Time Response. With the ability to run commands, executables and scripts, the possibilities are endless. A few examples are listed below.

  • Navigate the file system and perform many file system operations
  • Put files onto the system and get files from it into the CrowdStrike cloud
  • Stage commonly used programs and PowerShell scripts
  • Create supportability scripts as needed
  • List running processes and kill processes
  • Retrieve memory dumps, event logs, or any other files
  • Show network connections
  • Query, create, or modify registry keys

rtr command list

Edit and Run Scripts

In the Real Time Response session, you also have the option to edit and run scripts.

rtr edit button

This gives you the option to write any script and have it executed on the remote system. In this example, the script will delete a persistence registry key and an unwanted user account.

rtr script
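A remediation script of the kind described above, as an added example that is not from the original page or from CrowdStrike; it is meant to be run through the Real Time Response script feature. The Run key path, the value name and the account name are constructed placeholders to be replaced with the details from the detection.

```powershell
<#
  Added example (not CrowdStrike's own script). Removes one persistence
  registry value and one local user account, recording what was found
  so the session output doubles as an evidence record.
#>
param(
    [string]$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    [string]$ValueName = 'EXAMPLE_PERSISTENCE_VALUE',   # placeholder
    [string]$UserName  = 'example_unwanted_user'        # placeholder
)

$report = [ordered]@{}

# 1. Capture the value before deleting it, so the command it pointed at is
#    preserved in the session log even after remediation.
$existing = Get-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue
if ($existing) {
    $report['RegistryValueBefore']  = $existing.$ValueName
    Remove-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction Stop
    $report['RegistryValueRemoved'] = $true
} else {
    $report['RegistryValueRemoved'] = $false   # already gone; not an error
}

# 2. Remove the local account. Remove-LocalUser needs the LocalAccounts module
#    (PowerShell 5.1 and later); on the older PowerShell versions listed in the
#    prerequisites, fall back to net.exe.
$userExisted = $false
if (Get-Command Remove-LocalUser -ErrorAction SilentlyContinue) {
    if (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue) {
        $userExisted = $true
        Remove-LocalUser -Name $UserName -ErrorAction Stop
    }
} else {
    & net.exe user $UserName *> $null
    if ($LASTEXITCODE -eq 0) {
        $userExisted = $true
        & net.exe user $UserName /delete | Out-Null
    }
}
$report['UserAccountRemoved'] = $userExisted

# 3. Emit a summary; Real Time Response captures it as the script's output.
[pscustomobject]$report | Format-List
```

Verify that the registry value and account really are the ones named in the detection before running this; deleting the wrong Run value or account is not reversible from the session.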

Stage scripts and executables

As a Real Time Response administrator, you also have the option to create and save scripts for repeated use. By opening the summary panel, you see all of the scripts and executables readily available for deployment within your organization.

rtr panel

Clicking one of the stored scripts moves it to the command line, where you can enter any additional parameters – in this case, a ticket number.

rtr runscript option

End the Session

After remediating the system in question and gathering any forensic evidence, you can close the session.

rtr close

You will be prompted to confirm the session should be ended.

rtr close prompt

Real Time Response Policies

The default Real Time Response policy allows for basic functionality on managed endpoints. Falcon administrators can create and modify those policies to enable the right level of response actions as needed within the organization or for specific endpoint groups. Detailed documentation on Real Time Response policies is available in the Falcon UI.

Conclusion

Real Time Response is a powerful tool that gives security administrators the ability to remotely access systems for administration tasks, remediation actions, forensic collection and more, without requiring physical access to the system. For more information on the CrowdStrike solution, see the additional resources and links below.
