SENSOR DEPLOYMENT Flashcards
What are the Windows OS requirements prior to installing the Falcon Sensor?
OS Requirements:
-Windows 7, 8.1, 10, 11
What are the network protocols needed prior to installing the Falcon Sensor?
Network protocols (2):
- Falcon requires TLS 1.2 to communicate with the CrowdStrike Cloud.
- The local audit policy for Logon must be set to “Success and Failure” (an OS audit setting rather than a protocol, but it is checked in the same pre-install step).
Where in the Falcon console do you copy the CID / checksum?
- Copy the customer ID with checksum (CCID) from Hosts > Sensor Downloads. It is alphanumeric.
How do you uninstall the Falcon Sensor on Windows?
Windows: Control Panel or command line
- Control Panel
Control Panel > Uninstall a program > choose CrowdStrike Windows Sensor
- Command line
** Download CSUninstallTool from Tool Downloads in the Falcon console.
CMD with admin privileges > CSUninstallTool.exe /quiet
What default policies are required in order to prepare workloads for the Falcon Sensor?
- The local audit policy (Logon) must be set to “Success and Failure”. **If the actual policy setting does not match, the sensor changes it to match.
- The registry value Type under HKLM\SYSTEM\CurrentControlSet\Services\Dnscache must be 0x00000020 (the Microsoft default).
** Windows Defender should be disabled.
What settings are needed to install the Falcon Sensor on Windows?
- The host must be able to reach the CrowdStrike Cloud FQDNs and IP addresses; the network team may need to allowlist them so the traffic is not blocked.
- The host needs communication over port 443 with the CS Cloud during installation and on an ongoing basis.
- The host must communicate with the CS Cloud using TLS 1.2.
- Packet inspection and similar network controls (HTTPS/TLS inspection) must be disabled for Falcon traffic.
What settings are needed to install the Falcon Sensor on Mac?
- Elevated (administrator) privileges are needed to install the sensor on Mac.
What settings are needed to install the Falcon Sensor on Linux?
- The sensor is kernel-specific: the host must run a kernel the sensor supports.
** If the kernel is not listed in the guide, the sensor still installs but runs in Reduced Functionality Mode (RFM).
How do you apply additional options for images/VDIs, tokens, and tags?
VDI golden image:
- Put the image template system into read/write mode.
- Install the Falcon sensor using the VDI=1 parameter.
- Complete all steps required to generalize the VM template.
VM template that must not phone home yet:
- Install Falcon using the NO_START=1 parameter.
** After installation the sensor does not attempt to communicate with the CS Cloud.
What issues can occur with the basic configuration requirements of the system environment or Falcon components?
- The host cannot communicate with the CS Cloud.
- The Falcon sensor requires the host to have the CrowdStrike CA certificates in the Trusted Root CA store.
** Check whether the certificates are present; download and import them if needed.
How do you troubleshoot a Falcon Sensor installation on a Windows host?
- Check the Channel Files: additional sensor instructions that provide updated settings for policies, allowlists/blocklists, detection exclusions, support for new OS patches and more.
- Verify the sensor is running: CMD with admin privileges > sc.exe query csagent (STATE should be RUNNING)
- Verify the sensor is connected to the CS Cloud: CMD > netstat.exe -f (look for an ESTABLISHED connection to a CrowdStrike cloud FQDN on port 443)
How do you troubleshoot a Falcon Sensor installation on a Linux host?
- Install missing dependent packages (Debian/Ubuntu): sudo apt-get -f install
- Verify the sensor is running: ps -e | grep falcon-sensor
- Verify the sensor is connected to the CS Cloud: sudo netstat -tapn | grep falcon (on hosts without netstat, sudo ss -tapn | grep falcon shows the same information)
How do you troubleshoot a Falcon Sensor installation on a Mac host?
Verify the sensor is running and connected to the CS Cloud:
- sudo /Applications/Falcon.app/Contents/Resources/falconctl stats
Conduct root cause analysis related to system/user issues
- The DigiCert High Assurance EV Root CA certificate must be in the Trusted Root CA store.
** Root/administrator access to the host is needed to import it.
What are the technical requirements prior to installing the Falcon Sensor?
Services required:
- LMHosts (TCP/IP NetBIOS Helper)
- Network Store Interface (NSI)
- Windows Base Filtering Engine (BFE)
- Windows Power Service (Power)
Prior to installing the Falcon Sensor, for Falcon’s NGAV to take over the host needs to have…
- Windows Defender DISABLED
What happens when you install a sensor in a VDI environment?
When you install the sensor in a VDI environment:
- The sensor runs from a shared, read-only OS image.
- The CS Cloud assigns a unique AID based on the host’s FQDN and other characteristics.
The Falcon sensor will install but not run if any of which services are disabled or stopped?
The sensor can install but will not run if any of the following services are disabled or stopped:
- LMHosts
- Windows Base Filtering Engine (BFE)
- DHCP Client
- DNS Client
LMHosts may be disabled on the host if which service is disabled?
- The TCP/IP NetBIOS Helper service (this is the display name of the lmhosts service; if it is disabled, LMHosts is disabled).
How do you verify the Falcon Sensor is connected to the CS Cloud?
Verify the sensor is connected to the CS Cloud (2 ways):
- Falcon console: use the Sensor Report.
- On the host: CMD with admin privileges > netstat.exe -f and look for the established connection to the cloud on port 443.
If the host can’t connect to the CS Cloud, check if…
If the host can’t connect to the CS Cloud, check that:
- The host can connect to the internet.
- The proxy configuration is correct.
- The endpoint firewall permits traffic to/from the Falcon sensor.
- The host’s LMHosts service is enabled.
- The host trusts the CrowdStrike CA certificates.
The Falcon Sensor requires the host to have which CA certs in the Trusted Root CA store?
The Falcon sensor requires the host to have (2):
- DigiCert High Assurance EV Root CA
- DigiCert Assured ID Root CA
** Both certificates need to be in the Trusted Root Certification Authorities store.
What steps are taken to check that the CrowdStrike CAs are present on the host?
- Open the Microsoft Management Console (mmc.exe) and, following Microsoft documentation, add the Certificates snap-in for the Computer account; look under Trusted Root Certification Authorities for the two DigiCert roots.
What happens when the Falcon Sensor installs on a Windows host?
- The sensor installer uses the standard Windows installer mechanism to set up Falcon’s sensor files and registry keys.
- If installation tokens are in use, the CS Cloud checks the installer’s token.
- The sensor contacts the CS Cloud, which assigns the AID (Agent ID) for the host.
What should be examined when conducting a root cause analysis related to system/user issues?
- The installation must be run with admin privileges.
- Look for an incorrect CID.
- Windows BFE missing or damaged.
- The GUID of a previous install that was not removed.
What is the most common problem that occurs when installing the Falcon Sensor?
Most common problem:
-Communication between host and the CS Cloud
What is needed to allowlist the CrowdStrike endpoints?
To allowlist the CrowdStrike endpoints:
- Ensure port 443 is open to the 2 endpoints.
- Because the sensor pins its certificates, SSL inspection must be DISABLED for it: all Falcon traffic must be excluded from SSL inspection.
If the Windows host is using a proxy, what other service needs to be available?
- WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc)
If the Windows host is using Web Proxy Auto-Discovery (WPAD), what service also needs to be running?
- DHCP Client
What port does the host need to reach the CS Cloud on?
- Hosts must be able to connect to the CS Cloud on port 443 during installation and afterwards.
** Traffic to and from the CS Cloud FQDNs/IP addresses must be allowed.
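The Windows pre-install requirements on these cards (required services, the Dnscache Type value, the Logon audit policy, Defender, the two DigiCert roots, the proxy services, and TLS 1.2 to the cloud on 443 without inspection) gathered into one report-only script. This is an added example, not CrowdStrike tooling. The default cloud hostname is an assumption (the US-1 sensor endpoint); substitute the FQDNs published for your cloud region. The inspection check relies on the page's point that Falcon traffic chains to DigiCert: if the chain the host sees ends in some other root, a TLS-inspecting device is in the path.

```powershell
# Added example, not CrowdStrike code: report the Windows pre-install requirements
# listed in these cards. Run from an elevated PowerShell prompt; nothing is changed.
# Assumption: $CloudHost defaults to the US-1 sensor endpoint; use your region's FQDNs.
#Requires -RunAsAdministrator
param(
    [string]$CloudHost = 'ts01-b.cloudsink.net'
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. Services: the sensor installs but will not run if these are stopped or disabled.
foreach ($name in 'lmhosts', 'nsi', 'BFE', 'Power', 'Dhcp', 'Dnscache') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) { Add-Check "service $name running" ($svc.Status -eq 'Running') "$($svc.Status), start type $($svc.StartType)" }
    else      { Add-Check "service $name running" $false 'service not present' }
}
# WinHTTP Web Proxy Auto-Discovery is trigger-started; it only needs to be enabled, not running.
$wpad = Get-Service -Name WinHttpAutoProxySvc -ErrorAction SilentlyContinue
Add-Check 'WinHttpAutoProxySvc not disabled' ($null -ne $wpad -and $wpad.StartType -ne 'Disabled') "$(if ($wpad) { $wpad.StartType } else { 'not present' })"

# 2. Dnscache service Type must be the Microsoft default 0x20 (SERVICE_WIN32_SHARE_PROCESS).
$type = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache' -Name Type).Type
Add-Check 'Dnscache Type = 0x00000020' ($type -eq 0x20) ('0x{0:X8}' -f $type)

# 3. Local audit policy: Logon must be "Success and Failure" (auditpol /r emits CSV).
$logon = auditpol /get /subcategory:'Logon' /r | ConvertFrom-Csv
Add-Check 'Logon audit = Success and Failure' ($logon.'Inclusion Setting' -eq 'Success and Failure') "$($logon.'Inclusion Setting')"

# 4. Defender real-time monitoring is expected to be off before Falcon's NGAV takes over.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
Add-Check 'Defender real-time monitoring off' ($null -eq $mp -or -not $mp.RealTimeProtectionEnabled) "$(if ($mp) { $mp.RealTimeProtectionEnabled } else { 'Defender cmdlets unavailable' })"

# 5. Both DigiCert roots must be in the machine Trusted Root store.
$roots = Get-ChildItem Cert:\LocalMachine\Root
foreach ($cn in 'DigiCert High Assurance EV Root CA', 'DigiCert Assured ID Root CA') {
    $hit = @($roots | Where-Object { $_.Subject -like "CN=$cn,*" })
    Add-Check "root CA present: $cn" ($hit.Count -gt 0) "$(if ($hit) { $hit[0].Thumbprint } else { 'missing' })"
}

# 6. TLS 1.2 to the cloud on 443, and no TLS inspection: the served chain must end in a DigiCert root.
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($CloudHost, 443)
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    $ssl.AuthenticateAsClient($CloudHost, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    Add-Check "TLS 1.2 handshake to ${CloudHost}:443" $true "$($ssl.SslProtocol)"
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null  = $chain.Build($leaf)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Add-Check 'no TLS inspection (chain root is DigiCert)' ($root.Subject -like '*DigiCert*') $root.Subject
    $ssl.Dispose(); $tcp.Close()
} catch {
    Add-Check "TLS 1.2 handshake to ${CloudHost}:443" $false $_.Exception.Message
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it as .\Test-FalconPrereqs.ps1 (or with -CloudHost set to your region's sensor FQDN) before pushing the installer through your deployment tool; a non-zero exit code means at least one requirement on these cards is not met, and the Detail column says which.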
How long does it take for a host to connect to the CS Cloud during installation?
- 10 minutes
** When the sensor can’t connect to the cloud, it also waits 10 minutes before trying to re-establish the connection.
what is the PS command to disable windows defender?
Set-MpPreference -DisableRealtimeMonitoring $True
What happens if the sensor can’t connect to the cloud on the second attempt?
- The sensor uninstalls itself from the system and the installer exits.
What is the command to determine the Linux kernel version?
uname -r
What does the falcon sensor use to defend against man-in-the middle attacks?
Certificate pinning
When the sensor is installed, the sensor is configured with what 2 policies?
- prevention policy
-sensor update policy
What are sensor tags?
enable the user to categorize sensor enabled hosts by location, environment, purpose, etc
**can be assigned after confirmation that falcon sensor has been installed
Once the sensor is installed, what connection stays permanently open?
- After installation the agent opens a permanent TLS connection over port 443 and keeps it open until the endpoint is turned off or the network connection is terminated.
** You may need to allow TLS traffic on port 443 between the internal network and the cloud’s network addresses.
Where do customized sensor tags show up in the falcon console?
-falcon menu> host management
Which 2 methods can the Falcon Sensor be installed on a Windows host?
Can install Falcon sensor for Windows using either
-GUI
-automated command line installation
What command sets the CID on a Linux host after the sensor package (.deb/.rpm) has been installed?
sudo /opt/CrowdStrike/falconctl -s --cid=<CID>
(then start the service, e.g. sudo systemctl start falcon-sensor)
What adds support for Linux kernels through channel files w/out requiring a sensor update?
Zero Touch Linux (ZTL)
Where on the Falcon Console can you download the sensor?
-Hosts > Sensor Downloads
What is required to deploy Falcon to Mac systems?
- An MDM (mobile device management) solution to distribute the configuration profile to endpoints prior to the sensor deployment process.
What happens if you don’t use an MDM solution?
- Multiple confirmation prompts appear on the host and must be approved manually.
How do you deploy with an MDM-configured profile?
- Falcon menu > Host setup and management > Deploy > Sensor downloads > locate the sensor installer for Mac > click Download > copy the customer ID checksum (CCID)
- Command line: sudo installer -verboseR -package <installer_filename> -target / > enter admin credentials > then license the sensor with the copied CCID: sudo /Applications/Falcon.app/Contents/Resources/falconctl license <CCID>
Which methods run the sensor installer on a Mac device?
- Double-click the .pkg file
- Command line:
sudo installer -verboseR -package <installer_filename> -target /
How does the Falcon sensor stop breaches?
It unifies, in a single lightweight sensor:
- Next-generation antivirus (NGAV)
- Endpoint detection and response (EDR)
- Managed threat hunting
- Threat intelligence automation
How long should sensor installation take to install sensors on all hosts?
-45 days
How do you install sensors automatically?
Falcon main menu > Host setup and management > Deploy > Sensor downloads > locate the sensor installer for the OS > copy the ID checksum (CCID) > have your deployment tool run: <Installer_Filename> /install /quiet /norestart CID=<CCID>
What are some automatic installation best practices?
-Conduct manual sensor test installations first
-Adjust and test the cmd line aspects
-Finalize the string that makes the installation work properly
What command validates that a sensor is running on a host?
-sc.exe query csagent
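The scripted Windows install from the cards above, with the image/template options (VDI=1, NO_START=1), installation tokens and sensor tags folded into one wrapper and followed by the checks the troubleshooting cards describe (the sc.exe query csagent equivalent, then waiting the 10-minute window for an established port 443 connection). This is an added example, not CrowdStrike tooling. Assumptions: the CCID format check (32 hex characters, a dash, a 2-character checksum) describes the checksummed ID copied from Sensor Downloads, and the sensor process is named CSFalconService; the installer parameter names CID, ProvToken, GROUPING_TAGS, VDI and NO_START are the installer's own.

```powershell
# Added example, not CrowdStrike code: scripted Windows install using the documented
# installer parameters, followed by the checks these cards describe.
# Assumptions: CCID format is 32 hex chars + '-' + 2-char checksum; the sensor's
# process is CSFalconService and its service short name is CSAgent.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)] [string]   $Installer,   # path to WindowsSensor.exe from Hosts > Sensor Downloads
    [Parameter(Mandatory)] [string]   $CID,         # customer ID with checksum (CCID)
    [string]   $ProvToken,                          # installation token, if your CID requires one
    [string[]] $Tags,                               # sensor grouping tags, e.g. 'Finance','Prod'
    [switch]   $VdiTemplate,                        # VDI=1: installing on a VDI golden image
    [switch]   $NoStart                             # NO_START=1: sensor does not start or contact the cloud after install
)

# A wrong CID is one of the common root causes; reject an obviously malformed one before running the installer.
if ($CID -notmatch '^[0-9A-Fa-f]{32}-[0-9A-Fa-f]{2}$') {
    throw "CID '$CID' does not look like <32 hex chars>-<2 char checksum> (assumed CCID format)."
}

$installArgs = @('/install', '/quiet', '/norestart', "CID=$CID")
if ($ProvToken)   { $installArgs += "ProvToken=$ProvToken" }
if ($Tags)        { $installArgs += "GROUPING_TAGS=$($Tags -join ',')" }
if ($VdiTemplate) { $installArgs += 'VDI=1' }
if ($NoStart)     { $installArgs += 'NO_START=1' }

Write-Host "Running: $Installer $($installArgs -join ' ')"
$proc = Start-Process -FilePath $Installer -ArgumentList $installArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "Installer exited with code $($proc.ExitCode)" }

# Equivalent of 'sc.exe query csagent': the sensor service must exist and be RUNNING.
$svc = Get-Service -Name CSAgent -ErrorAction Stop
if ($NoStart) {
    Write-Host "Installed with NO_START=1; CSAgent is $($svc.Status) and will not contact the cloud until the template is finalized and rebooted."
    return
}
if ($svc.Status -ne 'Running') { throw "CSAgent service is $($svc.Status), not Running" }

# Equivalent of 'netstat.exe -f': wait up to the 10-minute window for an ESTABLISHED
# connection to the cloud on port 443 owned by the sensor process.
$deadline = (Get-Date).AddMinutes(10)
$conn = $null
do {
    $sensor = Get-Process -Name CSFalconService -ErrorAction SilentlyContinue
    if ($sensor) {
        $conn = Get-NetTCPConnection -OwningProcess $sensor.Id -State Established -RemotePort 443 -ErrorAction SilentlyContinue
    }
    if (-not $conn) { Start-Sleep -Seconds 15 }
} while (-not $conn -and (Get-Date) -lt $deadline)

if ($conn) {
    Write-Host "Sensor connected: $($conn[0].LocalAddress):$($conn[0].LocalPort) -> $($conn[0].RemoteAddress):443"
} else {
    Write-Warning 'No cloud connection after 10 minutes: check internet access, proxy, endpoint firewall, lmhosts and the DigiCert roots; the sensor uninstalls itself if the retry also fails.'
    exit 1
}
```

Following the best-practice cards, test this manually on one host first (for example .\Install-FalconSensor.ps1 -Installer .\WindowsSensor.exe -CID <CCID> -Tags 'Pilot'), adjust the command line, and only then hand the finalized string to your deployment tool; for a golden image run it with -VdiTemplate, and with -NoStart when you still have to generalize the template.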
What is beneficial about installing sensors manually?
-Best for small number of sensor installations
Sensors are installed 2 different ways. What are they?
-Manual
-automatic
How do you install sensors manually?
Falcon main menu > Host setup and management > Deploy > Sensor downloads > locate the sensor installer for the OS > copy the ID checksum (CCID) > double-click the installer (.exe on Windows, .pkg on Mac) > accept the license agreement and enter the checksum/CCID > answer Yes to allow the installation
What is beneficial about installing sensors automatically?
-Best for large number of installations