CrowdStrike Falcon can prevent the installation and operation of a Sensitive Command Token by detecting it as a
"Persistence via Image File Execution Options Injection" technique. This is expected: the Token is installed by importing Image File Execution Options keys into the registry, the same mechanism that technique describes, so the sensor needs an exclusion before the Token can be deployed.
Planning your exclusions
Exclusions understandably weaken an organisation's security posture, so it is worth considering how this exclusion fits into your Token deployment before creating it.
Consider the below points:
- The exclusion is only required for the initial Token deployment and can be removed once the Token has been added to each host's registry.
- Be as specific as possible: scope the exclusion to the host group you are deploying to and to the exact command line the deployment uses, so that it does not cover unrelated registry imports.
- It can take up to 40 minutes for an exclusion to take effect.
Step 1:
In the Falcon console, open the host you deployed to and select the unresolved detection.
Step 2:
With the detection selected, click on "Create IOA exclusion".
Step 3:
Complete the form with appropriate entries.
1. Enter the host group you'd like to deploy the Token to.
2. Enter a descriptive name for your exclusion.
Entries 3, 4, 5 and 6 will be pre-completed.
A note on entry 5: this value is the command line regex and will be unique to your deployment, since it contains the path the Token's .reg file was imported from.
Consider using a wildcard within this string to cater for bulk deployments.
For example, replacing the username in the path with a wildcard will exempt the Token across multiple users and their machines; keep the rest of the path and the file name literal so the exclusion does not also cover unrelated regedit imports.
Example:
"regedit\.exe"\s+".*\\Users\\user1\\Desktop\\my_token\.reg"
When complete click the "next" button.
Step 4:
You will now be presented with a review of the recent detections your exclusion would have covered. Check that only the Token deployment detections are listed; if unrelated detections appear, go back and tighten the command line regex.
Click on the "create exclusion" button.
A prompt will remind you that changes can take up to 40 minutes to take effect.
Click on the "confirm and create" button to proceed.
Step 5:
Your IOA exclusion is now viewable from the host group's menu. Once the Token has been deployed to every host in the group, remove the exclusion so that the sensor resumes alerting on this technique.