TR-87 - CrowdStrike Agent causing BSOD loop on Windows - Faulty Update on Falcon Sensor

CrowdStrike Agent causing BSOD loop on Windows - Faulty Update on Falcon Sensor.

Vulnerable Version And Products

  • Latest version of CrowdStrike Falcon Agent on Windows

Fixes and workaround

  • Boot Windows into Safe Mode or the Windows Recovery Environment
  • Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
  • Locate the file matching C-00000291*.sys, and delete it.
  • Boot the host normally.

We received reports that only the Windows Recovery Environment mode works, as the driver still seems to be loaded in safe mode.

Detection and investigative assessment (before the latest patch/release from CrowdStrike)

  • Windows system stuck in a boot loop. The blue screen shows “What failed: csagent.sys”.

The “buggy” driver has the following hashes:

  • MD5 - 1618cd13c5263720ec958c3b24b9d1c8
  • SHA-1 - cb8a27c7347d19bc0b23093a99816dfd8240dbc5
  • SHA-256 - ad492bc8b884f9c9a5ce0c96087e722a2732cdb31612e092cdbf4a9555b44362
  • SSDEEP - 384:bIy44Wo45c59r/qQqu1QhSn88MyU64guxkP5O84VLv8xB0+Cn:9495c59rSQBG8CJxfexBl0
  • TLSH - T1EF03B83AFA108F99D071C0F7D9370B9EB394AD9C2B8257A37A5DBB3D48B55180DC046A

  • Virustotal reference
  • MISP event with the “buggy” file available in the MISP OSINT feed
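As an added example (not part of the CIRCL advisory or CrowdStrike's own tooling), the following PowerShell script ties the workaround above to the detection section: it locates files matching the C-00000291*.sys pattern in the driver directory, compares their SHA-256 against the hash quoted above, and deletes only a file that matches the known-bad hash, leaving any replacement channel file in place. It assumes a PowerShell prompt with the affected volume reachable (a recovery medium that includes PowerShell, or an admin shell with the volume mounted offline); the drive letter is a parameter because the offline Windows volume is often not C: under WinRE.

```powershell
# Added example, not from the advisory or CrowdStrike: triage the channel file
# named in the workaround and delete it only if it matches the published IoC.
# Assumption: $SystemDrive is the letter the affected Windows volume currently
# has (often D: when booted into WinRE, C: from a normal admin shell).
param(
    [string]$SystemDrive = 'C:',
    [switch]$Remove
)

# Path, filename pattern and SHA-256 as quoted in the advisory.
$DriverDir = Join-Path $SystemDrive 'Windows\System32\drivers\CrowdStrike'
$Pattern   = 'C-00000291*.sys'
$BadSha256 = 'ad492bc8b884f9c9a5ce0c96087e722a2732cdb31612e092cdbf4a9555b44362'

if (-not (Test-Path $DriverDir)) {
    Write-Warning "Directory not found: $DriverDir (wrong drive letter in WinRE?)"
    return
}

$files = Get-ChildItem -Path $DriverDir -Filter $Pattern -File -ErrorAction SilentlyContinue
if (-not $files) {
    Write-Output "No file matching $Pattern in $DriverDir; nothing to do."
    return
}

foreach ($f in $files) {
    $hash  = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash.ToLower()
    $isBad = ($hash -eq $BadSha256)

    # Record what was found before touching anything (useful for the incident log).
    [pscustomobject]@{
        File            = $f.FullName
        LastWriteTimeUtc = $f.LastWriteTimeUtc
        SHA256          = $hash
        MatchesKnownBad = $isBad
    } | Format-List

    if ($Remove) {
        if ($isBad) {
            Remove-Item -Path $f.FullName -Force
            Write-Output "Deleted known-bad channel file: $($f.Name)"
        } else {
            # A C-00000291 file with a different hash is not the faulty one
            # (e.g. a replacement pushed by CrowdStrike); keep it and flag it.
            Write-Warning "Hash does not match the advisory IoC; left in place: $($f.Name)"
        }
    }
}
```

Run it once without -Remove to see what is present and its hash, then rerun with -Remove (and the right -SystemDrive) to delete only a confirmed match.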

CrowdStrike-themed malware/phishing campaigns

There are ongoing CrowdStrike-themed malware/phishing campaigns, such as this malware sample using fake updates.

Known affected software in Luxembourg

  • Impact currently unknown in Luxembourg but impact seen at least in US, Australia and India.

References

Classification of this document

TLP:CLEAR information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.0 - TLP:CLEAR - First version - 19th July 2024
  • Version 1.1 - TLP:CLEAR - Recovery versus safe mode from users + clarification of the BSOD - 19th July 2024
  • Version 1.2 - TLP:CLEAR - IOC of the buggy driver added + MISP reference - 19th July 2024
  • Version 1.3 - TLP:CLEAR - Updated TR after the CrowdStrike updates - 20th July 2024
  • Version 1.4 - TLP:CLEAR - CrowdStrike-themed malware/phishing campaigns - 21st July 2024
  • Version 1.5 - TLP:CLEAR - Learning from the recent outage reference added - 23rd July 2024