译安 | CrowdStrike Releases Latest Technical Details; Specific Cause Still Under Investigation

Posted by admin, 2024-07-21 23:02:00

What Happened?

On July 19, 2024 at 04:09 UTC, as part of ongoing operations, CrowdStrike released a sensor configuration update to Windows systems. Sensor configuration updates are an ongoing part of the protection mechanisms of the Falcon platform. This configuration update triggered a logic error resulting in a system crash and blue screen (BSOD) on impacted systems.

The sensor configuration update that caused the system crash was remediated on Friday, July 19, 2024 05:27 UTC.

This issue is not the result of or related to a cyberattack.

Impact

Customers running Falcon sensor for Windows version 7.11 and above, that were online between Friday, July 19, 2024 04:09 UTC and Friday, July 19, 2024 05:27 UTC, may be impacted.

Systems running Falcon sensor for Windows 7.11 and above that downloaded the updated configuration between 04:09 UTC and 05:27 UTC were susceptible to a system crash.

Configuration File Primer

The configuration files mentioned above are referred to as “Channel Files” and are part of the behavioral protection mechanisms used by the Falcon sensor. Updates to Channel Files are a normal part of the sensor’s operation and occur several times a day in response to novel tactics, techniques, and procedures discovered by CrowdStrike. This is not a new process; the architecture has been in place since Falcon’s inception.

Technical Details

On Windows systems, Channel Files reside in the following directory:

C:\Windows\System32\drivers\CrowdStrike

and have a file name that starts with "C-". Each Channel File is assigned a number as a unique identifier. The impacted Channel File in this event is 291 and will have a filename that starts with "C-00000291-" and ends with a .sys extension. Although Channel Files end with the .sys extension, they are not kernel drivers.

Channel File 291 controls how Falcon evaluates named pipe execution on Windows systems. Named pipes are used for normal, interprocess or intersystem communication in Windows.

The update that occurred at 04:09 UTC was designed to target newly observed, malicious named pipes being used by common C2 frameworks in cyberattacks. The configuration update triggered a logic error that resulted in an operating system crash.
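
As an added example (not CrowdStrike's code or remediation guidance), the following PowerShell script inventories Channel File 291 on a host. It uses only what the advisory states: the directory and the "C-00000291-" filename prefix above, the ".sys" extension, and the 04:09 UTC to 05:27 UTC impact window from the Impact section. It is read-only; whether a given copy must be removed or replaced is a question for CrowdStrike's current remediation guidance. Two things in it are assumptions made for this example: using each file's LastWriteTimeUtc as a proxy for when the sensor downloaded it, and reading the sensor version from a csagent.sys driver in the same directory.

```powershell
# Added example, not CrowdStrike's own tooling: read-only inventory of Channel File 291
# on a Windows host. The directory and the "C-00000291-" prefix are the ones the advisory
# gives; everything else here (LastWriteTimeUtc as a proxy for download time, and the
# sensor version taken from csagent.sys) is an assumption made for this example.

$ChannelDir  = 'C:\Windows\System32\drivers\CrowdStrike'
# Impact window from the advisory: faulty content was live 04:09 UTC to 05:27 UTC, 19 July 2024.
$WindowStart = [datetime]::SpecifyKind([datetime]'2024-07-19T04:09:00', [System.DateTimeKind]::Utc)
$WindowEnd   = [datetime]::SpecifyKind([datetime]'2024-07-19T05:27:00', [System.DateTimeKind]::Utc)

function Get-ChannelFile291Status {
    [CmdletBinding()]
    param([string]$Directory = $ChannelDir)

    if (-not (Test-Path -LiteralPath $Directory)) {
        Write-Warning "Channel File directory not found: $Directory (Falcon sensor not installed?)"
        return
    }

    # Every Channel File is named C-<number>-*.sys; 291 is the named-pipe evaluation file.
    # A host can hold more than one copy of 291, so each one is reported separately.
    Get-ChildItem -LiteralPath $Directory -Filter 'C-00000291-*.sys' -File |
        ForEach-Object {
            $written = $_.LastWriteTimeUtc   # heuristic: when the sensor wrote this copy to disk
            $status  = if ($written -ge $WindowStart -and $written -lt $WindowEnd) {
                'WRITTEN-IN-IMPACT-WINDOW'   # received while the faulty content was being served
            } elseif ($written -ge $WindowEnd) {
                'WRITTEN-AFTER-REMEDIATION'  # received after CrowdStrike corrected the content
            } else {
                'WRITTEN-BEFORE-UPDATE'      # predates the 04:09 UTC push
            }
            [pscustomobject]@{
                Name         = $_.Name
                SizeBytes    = $_.Length
                LastWriteUtc = $written.ToString('u')
                Status       = $status
            }
        }
}

function Get-FalconSensorVersion {
    # Assumption: the sensor driver csagent.sys sits in the same directory and carries the
    # sensor version in its version resource. Only sensor 7.11 and above is in scope.
    param([string]$Directory = $ChannelDir)
    $driver = Join-Path $Directory 'csagent.sys'
    if (Test-Path -LiteralPath $driver) {
        (Get-Item -LiteralPath $driver).VersionInfo.ProductVersion
    }
}

$version = Get-FalconSensorVersion
if ($version) { "Falcon sensor version: $version" }

$rows = @(Get-ChannelFile291Status)
if ($rows.Count -eq 0) {
    'No Channel File 291 found in the sensor directory.'
} else {
    $rows | Format-Table -AutoSize
    if ($rows.Status -contains 'WRITTEN-IN-IMPACT-WINDOW') {
        Write-Warning 'A copy of Channel File 291 written during the impact window is present; check it against CrowdStrike''s current remediation guidance before trusting this host.'
    }
}
```

Run it from an elevated PowerShell prompt, since the drivers directory is not readable by every account on a hardened build. The timestamp classification is a heuristic only: a file written after 05:27 UTC shows that the host received content after the correction, not that every earlier copy is gone, so treat the output as triage input rather than a verdict.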

Channel File 291

CrowdStrike has corrected the logic error by updating the content in Channel File 291. No additional changes to Channel File 291 beyond the updated logic will be deployed. Falcon is still evaluating and protecting against the abuse of named pipes.

This is not related to null bytes contained within Channel File 291 or any other Channel File.

Remediation

The most up-to-date remediation recommendations and information can be found on our blog or in the Support Portal.

We understand that some customers may have specific support needs and we ask them to contact us directly.

Systems that are not currently impacted will continue to operate as expected, continue to provide protection, and have no risk of experiencing this event in the future.

Systems running Linux or macOS do not use Channel File 291 and were not impacted.

Root Cause Analysis

We understand how this issue occurred and we are doing a thorough root cause analysis to determine how this logic flaw occurred. This effort will be ongoing. We are committed to identifying any foundational or workflow improvements that we can make to strengthen our process. We will update our findings in the root cause analysis as the investigation progresses.

Originally published on the WeChat official account Eonian Sharp: 译安 | CrowdStrike Releases Latest Technical Details; Specific Cause Still Under Investigation

Disclaimer: the programs (methods) covered in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear full legal and joint liability; this site accepts no legal or joint liability. For questions, contact us by e-mail (see the home page for contact details; a corporate or otherwise valid mailbox is recommended so the mail is not blocked).

Published by admin on 2024-07-21 23:02:00. When reposting, keep the link to this article (CN-SEC 中文网, with thanks to the original author): https://cn-sec.com/archives/2981383.html