This document and video will demonstrate how to use Real Time Response to access and remediate an endpoint with Falcon Insight. Real Time Response provides the tools to limit exposure, remediate systems, and protect the larger environment.
- Subscription: Falcon Insight
- Hosts Requirements:
- Windows Hosts
- All supported versions of Falcon sensor for Windows support Real Time Response. Falcon sensor for Windows version 4.22.8504 or later is required for the updates announced in the following release notes: Real Time Response – Expanded response & remediation capabilities; New access controls.
- PowerShell: 3.0 or later is recommended; at least 2.0 is required. PowerShell constrained language mode must not be enabled.
- .NET Framework: 4.5 or later is recommended; at least 3.5 is required.
- Policy Requirements: In order to perform Real Time Response on a Windows host, the target host must be in a group associated to a response policy that has Real Time Response enabled.
- Mac Hosts
- Falcon sensor for macOS version 5.13 and later support Real Time Response.
- Policy Requirements: None
- Windows Hosts
- User Role: Falcon users must have one of the three Real Time Responder roles to remotely connect to a host. The Falcon Administrator role does not include access to real time response by default. You must assign the appropriate role to each user that needs access to Real Time Response.
Establish the Session
In the Falcon UI, navigate to Activity > Detections. Commonly, a new detection will be the event that triggers a need for remediation.Directly from a given detection, the “Connect to Host” button allows you to remotely connect and take action.
You can also connect to a host from Hosts > Host Management.
Once connected, you will be presented with a list of commands and capabilities available in Real Time Response. With the ability to run commands, executables and scripts, the possibilities are endless. A few examples are listed below.
- Navigate the file system and perform many file system operations
- Put and get files to and from the system to the CrowdStrike cloud
- Stage commonly used programs and powershell scripts
- Create supportability scripts as needed
- List running processes and kill processes
- Retrieve memory dumps, event logs, or any other files
- Show network connections
- Query, create, or modify registry keys
Edit and Run Scripts
In the Real Time Response session, you also have the option to edit and run scripts.
This gives you the option to write any script to be remotely executed on the remote system. In this example, the script will delete a persistence registry key and an unwanted user account.
Stage scripts and executables
As a real time response administrator, you also have the option to create and save scripts for repeated use. By opening the summary panel, you see all of the scripts and executables readily available for deployment within your organization.
By simply clicking on one of the stored scripts, it is moved to the command line where you can enter any additional parameters – in this case, a ticket number.
End the Session
After remediating the system in question and gathering any forensic evidence, you can close the session.
You will be prompted to confirm the session should be ended.
Real Time Response Policies
The default Real Time Response policy allows for basic functionality on managed endpoints. Falcon administrators can create and modify those policies to enable the right level of response actions as needed within the organization or for specific endpoint groups. Detailed documentation on Real Time Response policies is available in the Falcon UI.
Real Time Response is a powerful tool that gives security administrations the ability to remotely access systems for administration tasks, remediation actions or forensics collection, etc. without requiring physical access to the system. For more information on the CrowdStrike solution, see the additional resources and links below.
How to Contain an Infected System
Hi, there. My name’s Peter Ingebrigtsen. And today, we’ve logged into the falcon.crowdstrike.com, or the Falcon User Interface.
And what we’re going to do is take a look at some of our systems and recognize that some of them are either currently under attack or recently been under attack, and may have been compromised. And we’d like to contain that system until we can further get to it, get our hands on it, and get a little bit more information out of it, or just prevent it from doing any more damage than it’s already done.
In order to do that, you need to be on your Detections app. You can do that by going to the radar here on the left-hand side. If you’re not already, or if your user interface doesn’t open that when you first log in, head there. And then just select the Recent Detections.
When that opens, you’ll notice that you can filter by any number of criteria, but we’re looking at some of the more recent events or situations that are going on. And you’ll notice that the same single machine has noticed a lot of different scenarios with privilege escalation or web exploits. And these severities are high to critical.
And we’d like to log in there, maybe do a little something, take a little closer look, and see if there’s something we should do. Obviously, we should do something. And as we start to dig through here, we see that there’s a lot of detection patterns, whether that be known malware, credential theft, or web exploits. We can see in the process tree a lot of different commands that were issued that look at that privilege escalation that we noticed earlier– or start to set that up.
So, we know that there’s something bad going on, and we’d like to take action right away. So, what we want to do is network contain this machine. But what I want to show you, as well, is that as we do this– I’m going to go to the machine itself. And I’d like to start a continuous ping so that you can watch the behavior and how long it takes to respond to this network containment.
Now, while we contain this– or take this machine off the network– we don’t kill the connection to the CrowdStrike Cloud. So, that as we get our hands on it– we clean it up, we feel comfortable putting it back on to the network– we can still operate or control that machine through the user interface that we have here.
The other thing I’d like to do is start a large download, so that we initiate with a single TCP connection– and there happens to be one in process– as opposed to the ping, where there may be multiple TCP resets or individual TCP threads going every time. So that you can see that as we contain this machine, it literally just knocks it off the network.
Forgive my screen, but I’ve changed the resolution for YouTube and for appearance purposes.
But as I come in here– and this will be right at the middle of the screen– this actually says Device Actions. And I’d like to contain it.
Now, as we do that, we have some options to make some notes. Contained by Peter. Multiple threats observed. Whatever notes you’d like to make– and then select Contain.
Now, the second we do this, on the left-hand side, you’ll see how quickly it takes for that to respond. So, immediately, almost in real time, you see a network failure on the download, and the ping test– or the continuous ping fail. So, we can close that.
Now, let’s say we’re a couple days later, this machine’s cleaned up, ready to go, and be put back in the network. You can go ahead and lift the network containment, again, from the user interface. We still have that connection to the machine, even though all the other network connections have been terminated.
So, as we do that, all good. Uncontain. And you’ll notice that almost immediately that ping starts to fire right back up again.
So, network containment is a powerful tool that we can use if we see something immediately taking action or if we see something recently in the past, and we’d like to get that machine off the network– almost quarantine it– so that it can’t do any more damage.
So, this has been network containment of network devices in the Falcon Sensor User Interface platform. Thanks again for watching.