PostExploit Detection CrowdStrike Falcon #916
Comments
Hi @jamal-admin, sometimes some antivirus software may lead to false positives. The wakatime-cli has no exploit in it.
Thanks @gandarez, just part of our investigation before marking it as a FP. Worth investigating if you can submit feedback to CrowdStrike to stop other users getting blocked by their Security/IT teams that don't report this.
@alanhamlett would you help on this? We need to advise CrowdStrike that wakatime-cli is not an exploit.
I've emailed their support, will update once I receive a reply.
Received a response from CrowdStrike saying they've marked the file safe, and it's not showing up as flagged by CrowdStrike anymore on a VirusTotal scan:
Actual behavior (what went wrong):
ACTION TAKEN: Process blocked
SEVERITY: High
OBJECTIVE: Falcon Detection Method
TACTIC & TECHNIQUE: Malware via Malicious File
TECHNIQUE ID: CST0001
IOA NAME: PostExploit
IOA DESCRIPTION: A suspicious process related to a likely malicious file was launched. Review any binaries involved as they may be related to malware.
COMMAND LINE: /Users/redacted user name/.wakatime/wakatime-cli-darwin-arm64 --today --output json --plugin "vscode/1.81.1 vscode-wakatime/24.2.1"
FILE PATH: /Users/redacted user name/.wakatime/wakatime-cli-darwin-arm64
Environment: