CrowdStrike agents misconfiguration
Incident Report for Rapid Response Status Page
Resolved
This incident has been resolved.
Posted Sep 29, 2024 - 15:09 UTC
Monitoring
Team AXON has identified potential security gaps affecting CrowdStrike Falcon agents in macOS environments, discovered during a recent threat-hunting campaign. This misconfiguration may leave systems exposed to undetected threats, and we are actively working to mitigate the risks.

Identified Issues:
1. Insufficient Disk Permissions:
On the affected hosts, the CrowdStrike Falcon agent lacks the disk permissions it needs to access and monitor critical system files. This creates unmonitored areas on the endpoint where malicious activity can go unnoticed.
Hunting Query:
https://gist.github.com/axon-git/c4fd9440f1a071eaec0fdca5ebf99e02
This query lists the Agent IDs of hosts on which the CrowdStrike Falcon agent does not have the required disk permissions.

2. Missing Process Creation Data:
The affected agents are not reporting process creation data, which is essential for detecting behavioral anomalies such as malware execution, privilege escalation, or lateral movement across the network. Without this data, the agent's ability to detect and respond to security threats is significantly reduced.

Hunting Query:
https://gist.github.com/axon-git/2d6fff8097cc43736f4bce27f3113c19
This query lists the Agent IDs of hosts that do not gather process creation data correctly.

This misconfiguration could enable attackers to evade detection, maintain persistence, and compromise the security of your organization’s systems.

Remediation Details:
An Axon report containing a comprehensive summary of the investigation findings and immediate action recommendations is available in the portal: Axon Reports -> Axon Rapid Response - CrowdStrike Agent's Misconfiguration
Sincerely,
Team AXON
Posted Sep 29, 2024 - 15:08 UTC
This incident affected: Rapid Response.