Technical Details on Today’s Outage
A defect was discovered in Channel 291
The company, in its Saturday technical blog post, stated that a defect was found in Channel 291, a file stored in the directory “C:\Windows\System32\drivers\CrowdStrike\” with a filename starting with “C-00000291-” and ending with “.sys” [1]. Despite the file’s location and name, the file is not a Windows kernel driver, according to CrowdStrike [2].
About Channel File 291
Channel File 291 carries the content the Falcon sensor uses to evaluate “named pipe” execution on Windows systems. Windows uses named pipes for interprocess or intersystem communication [3]. While the pipes themselves do not present a threat, they can be abused to facilitate malicious activity.
The Purpose of the Recent Update
The update went out at 04:09 UTC. Its purpose, the blog post explained, was to counter newly observed malicious named pipes, which are commonly used by command and control (C2) frameworks [4]. Like other forms of C2, this kind of activity poses a threat to Windows systems.
An Explanation of Named Pipes and Command and Control Frameworks
Named pipes are used in the Windows operating system to give processes, on the same system or on other systems, an interface for bidirectional communication. Like Windows sockets, named pipes support the standard I/O operations, but they offer further features as well, including an asynchronous mode for read/write operations [5].
In cybercrime attacks, command and control frameworks let attackers control remotely exploited targets. These frameworks create secure channels for attackers to send malicious code to remote systems and receive reports back. They typically incorporate several components, including domain information that a single controller uses to manage a group of compromised systems [6].
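To make the two ideas above concrete (a content file that drives how named-pipe execution is evaluated, and named pipes as a C2 channel worth watching), here is an added Python example; it is not CrowdStrike’s code, and the “id|regex|severity” rule format, the rule patterns and the Sysmon-style event lines are all constructed for illustration. Its one defensive point is that a malformed rule in a content update is reported and skipped rather than taking the evaluator down.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    rule_id: str
    pattern: "re.Pattern"
    severity: str


# Constructed rule content in a hypothetical "id|regex|severity" line format
# (not CrowdStrike's channel file format, which the page does not describe).
# Patterns may not contain '|'. Lines 3 and 4 are deliberately malformed.
CONTENT_UPDATE = """\
1|^example-c2-[0-9a-f]{8}$|high
2|^example-beacon-\\d{4}$|medium
3|^bad[regex$|low
4|^missing-severity$
"""

# Matches the leading \\.\pipe\ of a Windows named-pipe path.
PIPE_PREFIX = re.compile(r"^\\\\\.\\pipe\\", re.IGNORECASE)

# Constructed Sysmon-style "Pipe Created" lines (not real telemetry).
SAMPLE_EVENTS = [
    r"PipeName=\\.\pipe\example-c2-deadbeef Image=C:\Temp\upd.exe",
    r"PipeName=\\.\pipe\mojo.1234.5678 Image=C:\Program Files\App\app.exe",
    r"PipeName=\\.\pipe\example-beacon-0042 Image=C:\Users\x\a.exe",
]
EVENT_RE = re.compile(r"PipeName=(?P<pipe>\S+)\s+Image=(?P<image>.+)$")


def load_rules(content: str) -> Tuple[List[Rule], List[str]]:
    """Parse rules; a bad line is recorded as an error and skipped, never fatal."""
    rules, errors = [], []
    for lineno, line in enumerate(content.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 3:
            errors.append(f"line {lineno}: expected 3 fields, got {len(fields)}")
            continue
        rule_id, regex, severity = (f.strip() for f in fields)
        try:
            rules.append(Rule(rule_id, re.compile(regex), severity))
        except re.error as exc:
            errors.append(f"line {lineno}: invalid regex ({exc})")
    return rules, errors


def evaluate(pipe_path: str, rules: List[Rule]) -> Optional[str]:
    """Return the id of the first rule matching the bare pipe name, else None."""
    name = PIPE_PREFIX.sub("", pipe_path)
    return next((r.rule_id for r in rules if r.pattern.search(name)), None)


def scan(events: List[str], rules: List[Rule]) -> List[Tuple[str, str]]:
    """Run the loaded rules over pipe-creation events; return (pipe, rule_id) hits."""
    hits = []
    for event in events:
        m = EVENT_RE.match(event)
        rule_id = evaluate(m["pipe"], rules) if m else None
        if rule_id:
            hits.append((m["pipe"], rule_id))
    return hits
```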
Conclusion
CrowdStrike disclosed a defect in Channel 291. Analysis of the file showed a mismatch between its name and its actual function: it is not a driver but a named-pipe evaluation file. The update was intended to protect against newly observed malicious named pipes.
FAQs
Q: What was the primary source of the recent update?
A: A newly identified flaw in the Channel 291 file.
Q: Was the file a Windows kernel driver?
A: According to CrowdStrike, the file was not a Windows kernel driver despite its location and name.
Q: What are named pipes used for in the Windows operating system?
A: Named pipes facilitate communication between processes on the same system and processes on other systems, supporting operations such as read and write, including read/write in asynchronous mode.
Q: Was the update designed for command and control frameworks?
A: The update was designed to counteract malicious named pipe activity from popular cybercrime command and control frameworks, in addition to other types of malicious threats.