One of the downsides of CrowdStrike is that it has no on-demand scanning. On one hand you can see why; on the other, there are use cases that need it. You could potentially run two AV products in parallel, but it's never a good idea to.
I did find that several customers ran Defender alongside CS purely for this reason; however, in the same threads, "issues" occurred. Rather than go down this route, I noticed that the Sandbox was fully functional via API. I had recently done the CS-MalQuery script but thought it didn't offer a replacement. It needed more…
I had also created WolfHound in the past, which tried to tailor to a PowerShell AV; however, this worked more for DFIR rather than on-demand scans. I also wanted to tailor it to be more "non-IT": not a lot of noise.
CrowdStrike isn't just a hash or IOC database, so it wouldn't be reliable to rely purely on this. The other problem is that malware is forever changing, so comparing hashes simply doesn't work on its own. That being said, it does offer a "Quick" check, so I added it as an option:
It’s the Sandbox that’s the key!
The ability to execute the file gives a better understanding of whether it's malicious or not. This falls under Option 2. As with traditional scans, the more "in-depth" the scan is, the longer it takes. It does, however, give better insight and confidence.
The first step is to get the quota, as it's not unlimited. I didn't want the user getting in trouble, so there is a check and display. If all is good, get the file location and upload.
Once uploaded, the file gets submitted and the Sandbox runs…
Because it takes some time, I had the script output the Sandbox IDs to a file just in case the script ended too early (breaks, closed session or hung).
Once done, it will remind the user of the file and output the verdict (Per report):
It's worth noting there is a lot to customize within this script, as the environment can be tailored to the user's needs. Without that, though, this should give you a potential "option" to run on-demand scans without too many hoops, and without having to provide portal access.
Add your client secret and CID. The API client needs Read/Write on the Sandbox and Read on IOCs and Reports:
These are the environment options that you will need to edit. If left on default, it will use a Windows 7 host.
I’ve extracted the data and commented it at the top:
When running, you get two options. Regardless of which option you pick, it will ask for a file location. You can select either a single file or a folder. I've not set it to recurse, so no sub-folders will be scanned. If you want this, add -Recurse after $hfile.
For the sandbox, the IDs are written to C:\temp\Sandbox_API_IDs.txt. You can edit this at the top under # — Global — .
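To show the flow described above (token, quota check, upload, submit, persist the ID, poll, print the verdict) end to end, here is an added PowerShell example. It is not the author's script; the endpoint paths, JSON field names, environment IDs and the use of `Invoke-RestMethod -Form` (PowerShell 7) are assumptions from the public Falcon API documentation and should be checked against your tenant before use. `YOUR_CLIENT_ID`/`YOUR_CLIENT_SECRET` are placeholders.

```powershell
# Added example, not the author's script. Endpoints, field names and
# environment IDs are ASSUMED from the Falcon API docs; verify before use.
# Needs an API client with Falcon Sandbox read/write and report read scopes.

# — Global —
$ClientId      = 'YOUR_CLIENT_ID'              # placeholder
$ClientSecret  = 'YOUR_CLIENT_SECRET'          # placeholder
$BaseUrl       = 'https://api.crowdstrike.com' # assumed: change for non-US-1 clouds
$EnvironmentId = 100                           # assumed: 100 = Win7 32-bit (default), 110 = Win7 64, 160 = Win10 64, 300 = Ubuntu 16.04
$IdLog         = 'C:\temp\Sandbox_API_IDs.txt' # submission IDs survive a closed session

function Get-FalconToken {
    # OAuth2 client-credentials flow; returns a header table for later calls
    $body = @{ client_id = $ClientId; client_secret = $ClientSecret }
    $resp = Invoke-RestMethod -Method Post -Uri "$BaseUrl/oauth2/token" -Body $body
    return @{ Authorization = "Bearer $($resp.access_token)" }
}

function Get-SandboxQuota ($Headers) {
    # Assumed: the submissions query echoes the quota in meta.quota {total, used, in_progress}
    $resp = Invoke-RestMethod -Method Get -Uri "$BaseUrl/falconx/queries/submissions/v1?limit=1" -Headers $Headers
    return $resp.meta.quota
}

function Submit-ToSandbox ($Headers, [string]$Path) {
    # Step 1: upload the sample (multipart form, assumed field names); response carries its SHA-256
    $form = @{ sample = Get-Item -LiteralPath $Path; file_name = (Split-Path $Path -Leaf) }
    $up   = Invoke-RestMethod -Method Post -Uri "$BaseUrl/samples/entities/samples/v2" -Headers $Headers -Form $form
    $sha256 = $up.resources[0].sha256

    # Step 2: submit the uploaded hash for detonation in the chosen environment
    $body = @{ sandbox = @(@{ sha256 = $sha256; environment_id = $EnvironmentId }) } | ConvertTo-Json -Depth 4
    $sub  = Invoke-RestMethod -Method Post -Uri "$BaseUrl/falconx/entities/submissions/v1" -Headers $Headers `
            -ContentType 'application/json' -Body $body
    $id = $sub.resources[0].id

    # Persist the ID straight away so a break, hang or closed session does not lose the report
    "$(Get-Date -Format s)`t$Path`t$sha256`t$id" | Add-Content -Path $IdLog
    return $id
}

function Wait-SandboxReport ($Headers, [string]$Id, [int]$TimeoutMinutes = 30) {
    # Poll the submission until it leaves the 'running' state (assumed states: running/success/error)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        $s = Invoke-RestMethod -Method Get -Uri "$BaseUrl/falconx/entities/submissions/v1?ids=$Id" -Headers $Headers
        $state = $s.resources[0].state
    } while ($state -eq 'running' -and (Get-Date) -lt $deadline)
    if ($state -ne 'success') { return $null }
    # Assumed: the summary carries a top-level verdict and threat_score
    $r = Invoke-RestMethod -Method Get -Uri "$BaseUrl/falconx/entities/report-summaries/v1?ids=$Id" -Headers $Headers
    return $r.resources[0]
}

# — Main —
$headers = Get-FalconToken
$quota   = Get-SandboxQuota $headers
$hfile   = Read-Host 'File or folder to scan'
$targets = @(Get-ChildItem -LiteralPath $hfile -File)   # add -Recurse here to include sub-folders
$remaining = $quota.total - $quota.used - $quota.in_progress
Write-Host "Sandbox quota: $($quota.used)/$($quota.total) used, $($quota.in_progress) in progress"
if ($targets.Count -gt $remaining) { Write-Warning "Only $remaining submissions left; aborting."; return }

$ids = @{}
foreach ($t in $targets) { $ids[$t.FullName] = Submit-ToSandbox $headers $t.FullName }
foreach ($path in $ids.Keys) {
    $report = Wait-SandboxReport $headers $ids[$path]
    if ($null -eq $report) {
        Write-Warning "$path : no report yet (timed out or errored); ID $($ids[$path]) is saved in $IdLog"
        continue
    }
    # Verdict per report, reminding the user which file it belongs to
    "{0}`tverdict={1}`tthreat_score={2}" -f $path, $report.verdict, $report.threat_score
}
```

The quota check runs before any upload so a user cannot overrun the monthly allowance; the ID log is appended to before polling begins, which is what makes a later "fetch by ID" recovery possible if the session dies mid-run.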
If you have any questions, or comments, feel free to contact me: firstname.lastname@example.org or @securethelogs