
Error The handle is invalid. #14

Closed
sarathkumar21 opened this issue Jan 4, 2022 · 14 comments
Assignees
Labels
bug Something isn't working

Comments

@sarathkumar21

C:\temp> runscript -CloudFile="SAFE: Falcon CAST Windows Scanner" -CommandLine=""

Note: .\cast scan -maxmem 50000000 -recursion 0 C:\

03:22:02 scan error: C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\ProjectTemplatesCache\CloudFormationTemplateProject.zip read C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\ProjectTemplatesCache\CloudFormationTemplateProject.zip: The handle is invalid.

Windows Cast scanner exits

@sarathkumar21
Author

Any update on this, please?

@bk-cs bk-cs self-assigned this Jan 5, 2022
@bk-cs bk-cs added the bug Something isn't working label Jan 5, 2022
@bk-cs
Collaborator

bk-cs commented Jan 6, 2022

#6

This is not an issue with CAST, and is related to a change to the target file during the scan.

@bk-cs bk-cs closed this as completed Jan 6, 2022
@STmann1

STmann1 commented Jan 20, 2022

I am also seeing the same issue.
The scan kicked off and spat out an error "...scan error: C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\ItemTemplatesCache\VisualBasic\General\1033\PreTextTemplate.VisualBasic.zip read"

  1. scan stops.
  2. no json file is produced.

@rbcrwd
Collaborator

rbcrwd commented Jan 20, 2022

The tool is not guaranteed to produce JSON if it has no findings. Please upload a copy of that precise file and I'll attempt to reproduce.

@rbcrwd rbcrwd reopened this Jan 20, 2022
@STmann1

STmann1 commented Jan 20, 2022

Shared the files with you.
Appreciate the help.

@rbcrwd
Collaborator

rbcrwd commented Jan 21, 2022

@STmann1 I got the link to the private repo you made, and while I'd prefer the ZIP files just be attached to this bug, please at least upload them to that repo. You've pre-extracted them, which makes debugging the ZIP handling a little pointless.

@rbcrwd
Collaborator

rbcrwd commented Jan 21, 2022

I've re-validated in the code, the "scan error: " printout does not terminate processing; no errors do, we go out of our way to continue scanning despite any errors.

We'll still try to get to the bottom of this error with this archive, but as written it is non-terminal. That does not exclude events like antivirus/antimalware killing the process.

@STmann1

STmann1 commented Jan 22, 2022

I am not able to upload the zip files into GitHub. Every time I try, it unarchives them.

I can tell you that cast.exe terminates when that error occurs. I would really be surprised if the CrowdStrike Falcon agent is doing this.

@rbcrwd
Collaborator

rbcrwd commented Jan 24, 2022

It's highly unlikely to be Falcon since part of our build process adds the binaries to the known-good corpus. Are you also running MS Defender, or any other AV? Would you also please post a screenshot of the prompt-to-prompt (or at least the final lines) output of CAST as well as its exit code so we can confirm it's terminating abnormally?

Finally - one trivial trick to prevent automated unwrapping of ZIP files is to password-protect them with something trivial, like infected.

@STmann1

STmann1 commented Jan 28, 2022

I have uploaded the error and zip files with a password.
Hoping you can figure out why we are seeing issues with this.

@rbcrwd rbcrwd assigned rbcrwd and unassigned bk-cs Jan 28, 2022
@rbcrwd
Collaborator

rbcrwd commented Feb 2, 2022

@STmann1 I opened a ticket in the repo you shared detailing the issues with the submission, since I don't have another way to DM you.

Either way, please try to reproduce with v0.6.3. I'm starting to suspect that your file may actually be a directory - we'd allowed those to pass through to scanning code because errors didn't matter, but it's produced a lot of confusion so we are filtering off directories now.

@STmann1

STmann1 commented Feb 4, 2022

Version 0.6.3 works much better.
I have sent you my contact info.
Questions

  1. How can you run this en masse and get the results (regardless of whether it found anything or not) in a single location?
  2. How can you scan all drives? What is the switch for that?

@bk-cs
Collaborator

bk-cs commented Feb 4, 2022

You can use Humio Community Edition as a way to consolidate the logs.

This repository contains various PowerShell scripts designed to work with CrowdStrike Falcon Real-time Response and Workflows using the script file and accompanying input and output Json files.

The run_cli_tool script will output the results of a cast.exe scan into a temporary directory, and the send_log script will collect files from that directory and send them to Humio.

If you have Falcon Insight and Real-time Response, you can create a custom IOA that watches for Json files in the temporary Rtr directory that is used by run_cli_tool.

Custom IOA

  • Rule Type: File Creation
  • File Path: .*\\windows\\system32\\drivers\\crowdstrike\\rtr\\.*\.json
  • File Type: Other

The general Real-time Response workflow would look like this:

put cast.exe
runscript -CloudFile="run_cli_tool" -CommandLine='{"Path":"C:\\cast.exe","ArgumentList":"scan C:\\","Delete":true}'

Once the json file is written to that directory, the IOA will trigger (assuming the IOA has been properly assigned and applied to the device). You can use a Workflow to run the send_log script and output to your Humio instance. The script will delete the json files once transmission is complete.

Workflow

  • Trigger: New detection
  • Conditions: Platform is equal to Windows, Tactic is equal to Custom Intelligence, Technique is equal to Indicator of Attack, File path matches *\cast.exe
  • Action: Real-time Response - your_saved_script_name, Cloud https://cloud.community.humio.com, Token your_ingest_token

You'll leave the Path variable empty for the script action, because with the way Custom IOAs currently work, the Json file that gets created can't be passed to the workflow. The script compensates for this by looking for all json files in that Rtr directory.

@rbcrwd
Collaborator

rbcrwd commented Feb 4, 2022

Aside from the excellent suggestions by @bk-cs, the question of how to collect the data is largely dependent on your environment and system administration practices. This tool was intended to be a wrench in your sysadmin toolbag, and was not developed as a standalone tool.

A few options:

  1. Redirect STDOUT to a consistent location on C:\ and collect it from individual hosts
  2. Redirect STDOUT to a file on a shared drive, named uniquely by host so as to prevent overwrite
  3. Wrap the tool in a PowerShell handler that POSTs the data to an internal webserver
  4. Send each line of STDOUT to the system log (if you have central collection)

Bear in mind that the final stats output is to STDERR, not STDOUT, so we minimize mixing of JSON and non-structured data. If you wish to capture that stats output, you'll need to capture STDERR as well.

As far as scanning all drives on Windows, there is no such flag. You can, however, invoke CAST in such a way that it will scan each in turn, e.g.:

% .\cast.exe scan C:\ D:\ E:\ N:\

I work primarily in POSIX environments and have no way to test the above example, but it should work.
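The following wrapper is an added example and not part of the CAST project or the scripts mentioned in this thread. It puts options 2 and 4 above together with the STDOUT/STDERR split: it enumerates the fixed drives, runs cast.exe once with all of them (the `scan C:\ D:\ ...` form from the previous comment), writes the JSON findings and the STDERR stats to separate files named by host on a share, and records the exit code so abnormal termination can be confirmed. The cast.exe location and the share path are assumptions.

```powershell
# Added example, not part of the CAST project. Scans every fixed drive in one
# cast.exe run and keeps STDOUT (JSON findings) and STDERR (stats, "scan error:"
# lines) in separate per-host files, so structured and unstructured output never mix.
param(
    [string]$CastPath   = 'C:\cast.exe',               # assumed: where 'put cast.exe' placed it
    [string]$OutputRoot = '\\fileserver\cast-results'  # assumed: shared drive (option 2 above)
)

if (-not (Test-Path -LiteralPath $CastPath)) { throw "cast.exe not found at $CastPath" }
New-Item -ItemType Directory -Path $OutputRoot -Force | Out-Null

# Unique name per host and per run so that hosts never overwrite each other's results
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$base     = Join-Path $OutputRoot "$env:COMPUTERNAME-$stamp"
$jsonOut  = "$base.json"        # STDOUT: JSON findings (may be empty when nothing is found)
$statsOut = "$base.stats.txt"   # STDERR: final stats and any "scan error:" lines

# DriveType 3 = local fixed disk; removable, network and optical drives are skipped
$drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
          ForEach-Object { "$($_.DeviceID)\" }
if (-not $drives) { throw 'No fixed drives found' }

# Equivalent of:  .\cast.exe scan C:\ D:\ ...  (one invocation, drives scanned in turn)
$proc = Start-Process -FilePath $CastPath `
    -ArgumentList (@('scan') + $drives) `
    -RedirectStandardOutput $jsonOut `
    -RedirectStandardError  $statsOut `
    -NoNewWindow -Wait -PassThru

# Keep the exit code next to the stats: a non-zero code, or a stats file that ends
# before the final summary, is the evidence of abnormal termination asked for above
Add-Content -LiteralPath $statsOut -Value "exit code: $($proc.ExitCode)"

# CAST does not promise JSON when there are no findings, so drop an empty output file
$findings = if ((Get-Item -LiteralPath $jsonOut).Length -eq 0) {
    Remove-Item -LiteralPath $jsonOut
    '<no findings>'
} else { $jsonOut }

Write-Host "cast.exe exit=$($proc.ExitCode) findings=$findings stats=$statsOut"
```

Running this from a scheduled task or an RTR script gives one findings file and one stats file per host in a single location; the stats file can additionally be forwarded line by line to a central log collector (option 4).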

@rbcrwd rbcrwd closed this as completed Feb 4, 2022