PostExploit Detection CrowdStrike Falcon #916
Comments
|
Hi @jamal-admin, sometimes some antivirus may lead to false-positives. The wakatime-cli has no exploit on it. |
|
Thanks @gandarez just part of our investigation before marking as a FP. Worth investigating if you can submit feedback to CrowdStrike to stop other users getting blocked by their Security/IT teams that don't report this. |
|
@alanhamlett would you help on this? We need to advise CrowdStrike that wakatime-cli is not an exploit. |
|
I've emailed their support, will update once I receive a reply. |
alanhamlett
changed the title
|
Received a response from CrowdStrike saying they've marked the file safe, and it's not showing up as flagged by CrowdStrike anymore on virustotal scan: |
Actual behavior (what went wrong):
ACTION TAKEN
Process blocked
SEVERITY
High
OBJECTIVE
Falcon Detection Method
TACTIC & TECHNIQUE
Malware via Malicious File
TECHNIQUE ID
CST0001
IOA NAME
PostExploit
IOA DESCRIPTION
A suspicious process related to a likely malicious file was launched. Review any binaries involved as they may be related to malware.
COMMAND LINE
/Users/redacted user name/.wakatime/wakatime-cli-darwin-arm64 --today --output json --plugin "vscode/1.81.1 vscode-wakatime/24.2.1"
FILE PATH
/Users/redacted user name/.wakatime/wakatime-cli-darwin-arm64
Environment:
The text was updated successfully, but these errors were encountered: