SENSOR DEPLOYMENT Flashcards

1
Q

What are the Windows OS requirements prior to installing the Falcon Sensor?

A

OS Requirements:

- Windows 7, 8.1, 10, 11

2
Q

What are the network protocols needed prior to installing the Falcon Sensor?

A

Network Protocols (2):

- Falcon requires TLS 1.2 to communicate with the CrowdStrike Cloud.
- Requires the Logon local audit policy to be set to “Success and Failure”

3
Q

Where in the Falcon console do you copy the CID/ Checksum?

A

- Copy the customer ID checksum from Hosts > Sensor Downloads; it is alphanumeric

4
Q

How to uninstall a Falcon Sensor on Windows?

A

Windows: Control Panel or command line

- Control Panel
  Control Panel > Uninstall a program > choose CrowdStrike Windows Sensor

- Command line
  **Download CSUninstallTool from Tool Downloads.
  CMD w/ admin priv > CSUninstallTool.exe /quiet

5
Q

What default policies are required in order to prepare workloads for the Falcon Sensor?

A
- Requires the Local audit policy to have the setting “Success and Failure”
  **If the actual policy setting does not match this setting, the sensor changes it to match.
- Registry key DNScache/Type must be set to 0x00000020 (the Microsoft default value).
  **Windows Defender should be disabled

6
Q

What appropriate settings are needed to install a Falcon Sensor on Windows?

A

- Needs to be able to communicate with the CrowdStrike FQDN and IP; networking may need to allow list the communication and not block it

- Needs to have communication over port 443 with the CS Cloud during installation and ongoing.
- Needs to communicate using TLS 1.2 with the CS Cloud
- Disable packet inspection or similar network configurations (HTTPS or TLS inspection)

7
Q

What appropriate settings are needed to install a Falcon Sensor on Mac?

A

Needs to have elevated privileges in order to install the sensor on Mac

8
Q

What appropriate settings are needed to install a Falcon Sensor on Linux?

A

- Needs to be kernel specific to run the Falcon Sensor

**If a kernel is not listed in the guide, the sensor will still install, but will run in reduced functionality mode (RFM)

9
Q

How do you apply additional options for images/VDIs, tokens, and tags?

A

- Put the image template system into read/write mode
- Install the Falcon sensor using the VDI=1 parameter
- Complete all steps required to generalize the VM template
- Install Falcon using the NO_START=1 parameter.

**After installation, the sensor does not attempt to communicate with the CS Cloud.

10
Q

What issues can occur with the basic configuration requirements of the system environment or Falcon components?

A

- Host can’t communicate with the CS Cloud

- The Falcon Sensor requires the host to have the CA certs in the Trusted Root CA store
  **Check whether the certs are present, download/import them if needed

11
Q

How to troubleshoot a Falcon Sensor installation on a Windows host?

A

- Check the Channel Files: additional sensor instructions that provide updated settings for policies, allowlists/blocklists, detection exclusions, support for new OS patches and more.

- Verify the sensor is running: cmd admin priv > sc.exe query csagent

- Verify the sensor is connected to the CS Cloud: cmd > netstat.exe -f

12
Q

How to troubleshoot a Falcon Sensor installation on a Linux host?

A

- Install dependent packages: apt-get -f install

- Verify the sensor is running: ps -e | grep -e falcon-sensor

- Verify the sensor is connected to the CS Cloud: sudo netstat -tapn | grep falcon

13
Q

How to troubleshoot a Falcon Sensor installation on a Mac host?

A

Verify sensor is running and connected to the CS Cloud:

-sudo /Applications/Falcon.app/Contents/Resources/falconctl stats

14
Q

Conduct root cause analysis related to system/ user issues

A

- The DigiCert High Assurance Root CA cert must be in the Trusted Root CA store

**Need root access to the host to do that

15
Q

What are the technical requirements prior to installing the Falcon Sensor?

A

Services required:

- LMHosts
- Network Store Interface (NSI)
- Windows Base Filtering Engine (WBF)
- Windows Power Service (Power)

16
Q

Prior to installing the Falcon Sensor, Falcon’s NGAV setting needs to have…..

A

-Windows Defender DISABLED

17
Q

What happens when you install a sensor in a VDI environment?

A

When you install the sensor in a VDI environment:

- The sensor runs from a shared, read-only OS image.
- The CS Cloud assigns a unique AID based on the host’s FQDN and other characteristics.

18
Q

Which services, if disabled or stopped, cause the Falcon sensor to install but not run?

A

The sensor can install but will not run if any of the following services are disabled or stopped:
- LMHosts
- Windows Base Filtering Engine
- DHCP Client
- DNS Client

19
Q

LMHosts may be disabled on the host if which service is disabled?

A

- TCP/IP NetBIOS Helper service is disabled

20
Q

How to verify the Falcon Sensor is connected to the CS Cloud?

A

Verify the sensor is connected to the CS Cloud (2 ways):
- Falcon Console: use the Sensor Report
- Host: cmd admin priv > run

21
Q

If host can’t connect to CS Cloud, check if…..

A

If the host can’t connect to the CS Cloud, check if:

- The host can connect to the internet
- Verify the proxy configuration
- Configure the endpoint FW to permit traffic to/from the Falcon sensor
- Verify that the host’s LMHosts service is enabled
- Verify the host trusts the CS CA

22
Q

The Falcon Sensor requires the host to have which CA certs in the Trusted Root CA store?

A

The Falcon sensor requires the host to have (2):
- DigiCert High Assurance Root CA
- DigiCert Assured ID Root CA

**Both certs need to be in the Trusted Root CA store

23
Q

What steps are taken to add the CS CAs so they are present on the host?

A

- Microsoft Management Console > follow the Microsoft documentation to enable the Certificates snap-in.

24
Q

What happens when the Falcon Sensor installs on a Windows Host?

A

-Sensor installer uses standard Windows installer mechanism to set up Falcon’s sensor files and registry keys.

-If using installation tokens, CS cloud checks installer’s token

-Sensor contacts CS Cloud, which assigns the AID (Agent ID) for the host.

25
Q

What should be examined when conducting a root cause analysis related to system/user issues?

A

- Must run the installation with admin privileges
- Look for the CID being incorrect
- Windows BFE may not be present or may be damaged
- GUID of a previous install can’t be removed

26
Q

What is the most common problem that occurs when installing the Falcon Sensor?

A

Most common problem:
- Communication between the host and the CS Cloud

27
Q

What is needed to whitelist CrowdStrike endpoints?

A

Need to whitelist CrowdStrike endpoints:
- Ensure port 443 is open for the 2 endpoints
- Cert pinning/SSL inspection must be DISABLED; all Falcon traffic must be whitelisted from SSL inspection.

28
Q

If the Windows host is using a proxy, what other service needs to be available?

A

- WinHTTP Auto Proxy

29
Q

If the Windows host is using Web Proxy Automatic Discovery, what service also needs to be running?

A

- DHCP

30
Q

What port does the host need to be able to reach the CS Cloud on?

A

- Hosts must be connected to the CS Cloud on port 443 during installation
**Must allow traffic to and from the CS Cloud FQDNs/IP addresses

31
Q

How long does it take for a host to connect to the CS Cloud through installation?

A

- 10 minutes
**When the sensor can’t connect to the cloud, it also takes 10 minutes for it to re-establish a connection

32
Q

What is the PowerShell command to disable Windows Defender?

A

Set-MpPreference -DisableRealtimeMonitoring $True

33
Q

What happens if the sensor can’t connect to the cloud the second time?

A

- The sensor will uninstall from the system and the installer will exit

34
Q

What is the command to determine the Linux kernel version?

A

uname -r

35
Q

What does the Falcon sensor use to defend against man-in-the-middle attacks?

A

Certificate pinning

36
Q

When the sensor is installed, the sensor is configured with what 2 policies?

A

- Prevention policy
- Sensor update policy

37
Q

What are sensor tags?

A

They enable the user to categorize sensor-enabled hosts by location, environment, purpose, etc.
**Can be assigned after confirmation that the Falcon sensor has been installed

38
Q

Once the sensor is installed, what connection stays permanently open?

A

- After agent installation, the agent opens a permanent TLS connection over port 443 and keeps the connection open until the endpoint is turned off or the network connection is terminated.
**Might need to allow TLS traffic on port 443 between the internal network and the cloud’s network addresses

39
Q

Where do customized sensor tags show up in the Falcon console?

A

- Falcon menu > Host management

40
Q

Which 2 methods can be used to install the Falcon Sensor on a Windows host?

A

The Falcon sensor for Windows can be installed using either:
- GUI
- Automated command line installation

41
Q

What command installs the sensor on a Linux host?

A

sudo /opt/CrowdStrike/falconctl -s --cid=

43
Q

What adds support for Linux kernels through channel files without requiring a sensor update?

A

Zero Touch Linux (ZTL)

44
Q

Where on the Falcon Console can you download the sensor?

A

- Hosts > Sensor Downloads

45
Q

What is required to deploy Falcon to Mac systems?

A

- An MDM (mobile device management) solution to distribute the profile to endpoints prior to the sensor deployment process

46
Q

What happens if you don’t use an MDM solution?

A

- Multiple confirmations occur on the host and must be approved manually

47
Q

How do you use an MDM to configure profiles?

A

- Falcon menu > Host setup and management > Deploy > Sensor downloads > locate the sensor installer for Mac > click Download > copy the customer CCID or checksum
- Command line: sudo installer -verboseR -package -target /
- Enter admin credentials
- Run the command falconctl

48
Q

Which methods run the sensor installer on a Mac device?

A

- Double click the .pkg file
- Command line: sudo installer -verboseR -package -target /

49
Q

How does the Falcon sensor stop breaches?

A

Unifies, using a single lightweight sensor:
- Next-gen antivirus
- Endpoint detection and response (EDR)
- Managed threat hunting
- Threat intelligence automation

50
Q

How long should sensor installation take to install sensors on all hosts?

A

- 45 days

51
Q

How to install sensors automatically?

A

Falcon main menu > Host setup and management > Deploy > Sensor downloads > locate the sensor installer for the OS > copy the ID checksum or CCID > run your deployment tool with this command: /install /quiet /norestart CID=

52
Q

What are some automatic installation best practices?

A

- Conduct manual sensor test installations first
- Adjust and test the command line aspects
- Finalize the string that makes the installation work properly

53
Q

What command validates that a sensor is running on a host?

A

- sc.exe query csagent

54
Q

What is beneficial about installing sensors manually?

A

- Best for a small number of sensor installations

55
Q

Sensors are installed 2 different ways. What are they?

A

- Manual
- Automatic

56
Q

How to install sensors manually?

A

Falcon main menu > Host setup and management > Deploy > Sensor downloads > locate the sensor installer for the OS > copy the ID checksum or CCID > double click the .pkg file > accept the license agreements and input the checksum/CCID > Yes to allow installation

57
Q

What is beneficial about installing sensors automatically?

A

- Best for a large number of installations