# What went wrong in CrowdStrike: A Deep Dive 💡

### Pre-Context

> In the world of **cybersecurity**, constant updates are crucial to stay ahead of evolving threats. Imagine you're a developer at a major antivirus company, and you've just discovered a new way hackers are using Windows' named pipes for malicious purposes. You need to update your security software quickly to protect users. This is the situation CrowdStrike found itself in on July 19, 2024.

<figure><img src="https://4226038835-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxCDBFlw3NTdxDEd8mKvd%2Fuploads%2FudW1trFB2LdHg3o0x1Oq%2Fimage.png?alt=media&#x26;token=414cd76d-8b1c-4c21-9008-447d5c638dc9" alt=""><figcaption><p>The blue screen (BSOD) seen on affected systems</p></figcaption></figure>

On July 19, 2024, the cybersecurity world witnessed a significant incident when a routine CrowdStrike security update led to widespread system crashes on Windows machines globally. This event serves as a stark reminder of the delicate balance between rapid security updates and system stability. Let's dive into what happened, why it occurred, and what we can learn from this incident.

### The Incident at a Glance

* **Date**: July 19, 2024
* **Time frame**: 04:09 UTC to 05:27 UTC (1 hour and 18 minutes)
* **Affected systems**: Windows machines running Falcon sensor version 7.11 and above
* **Symptom**: System crashes resulting in <mark style="color:red;">Blue Screen of Death</mark> (BSOD)

### What Happened

**CrowdStrike**, a leading cybersecurity company, released a sensor configuration update as part of their ongoing efforts to protect against emerging threats. This update, specifically to Channel File 291, was designed to detect and respond to newly observed malicious uses of named pipes in Windows systems.

However, the update contained a logic error that, when applied, caused an unexpected interaction with the Windows operating system, resulting in system crashes.

### Technical Details

1. **Channel Files**: These are configuration files used by CrowdStrike's Falcon platform to control security behaviors. They reside in <mark style="color:orange;">`C:\Windows\System32\drivers\CrowdStrike\`</mark> on Windows systems.
2. **Channel File 291**: This specific file (named <mark style="color:orange;">`C-00000291-*.sys`</mark>) is responsible for evaluating named pipe execution on Windows systems.
3. **Named Pipes**: A method of inter-process communication in Windows, which can be exploited by malicious actors.
4. **The Update**: Aimed to enhance detection of malicious named pipe usage but contained a critical logic flaw.

### Impact of the Bug

Systems that downloaded and applied the flawed update between 04:09 UTC and 05:27 UTC experienced crashes, resulting in significant disruption for affected organizations. This incident underscores the far-reaching consequences that a single configuration error can have in our interconnected IT environments.

### CrowdStrike's Response

To their credit, **CrowdStrike's** team quickly identified and addressed the issue. By **05:27 UTC**, they had released a corrected version of **Channel File 291**, which was automatically distributed to Falcon sensors.

> **Systems that could reboot successfully after the crash would apply the corrected file and resume normal operation.**
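Putting the Technical Details and the response timeline together, here is an added triage script (not CrowdStrike's own tooling) that lists every copy of Channel File 291 in the directory named above and compares its last-write time with the 05:27 UTC release of the corrected file. It assumes the file's `LastWriteTime` reflects when the sensor received that version; the function name `Get-ChannelFile291Status` is this example's own.

```powershell
# Added example, not CrowdStrike's own tooling: inventory Channel File 291 on this
# host and flag copies last written before the 05:27 UTC corrected release on
# July 19, 2024. Assumption: LastWriteTime reflects when the sensor received
# that version of the channel file, so treat the result as a triage hint only.
param(
    [string]$ChannelDir = 'C:\Windows\System32\drivers\CrowdStrike',
    [datetime]$FixedAtUtc = [datetime]::new(2024, 7, 19, 5, 27, 0, [System.DateTimeKind]::Utc)
)

function Get-ChannelFile291Status {
    param([string]$Dir, [datetime]$FixedUtc)

    # Sensor not installed (or non-standard install path): nothing to check.
    if (-not (Test-Path -LiteralPath $Dir)) {
        Write-Warning "Channel file directory not found: $Dir (Falcon sensor not installed?)"
        return
    }

    # Only Channel File 291 (C-00000291-*.sys) is relevant to this incident.
    $files = Get-ChildItem -LiteralPath $Dir -Filter 'C-00000291-*.sys' -File -ErrorAction SilentlyContinue
    if (-not $files) {
        Write-Warning "No C-00000291-*.sys file present in $Dir"
        return
    }

    foreach ($f in $files) {
        $written = $f.LastWriteTimeUtc
        $status = if ($written -ge $FixedUtc) {
            'written at/after 05:27 UTC fix'
        } else {
            'written before 05:27 UTC fix (verify against vendor guidance)'
        }
        [pscustomobject]@{
            Name         = $f.Name
            SizeBytes    = $f.Length
            LastWriteUtc = $written.ToString('yyyy-MM-dd HH:mm:ss')
            Status       = $status
        }
    }
}

Get-ChannelFile291Status -Dir $ChannelDir -FixedUtc $FixedAtUtc | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on a host that booted successfully; a host still crash-looping at startup cannot run it, which is exactly why the corrected file only helped machines that could reboot.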

### Lessons Learned

1. The importance of thorough **testing**, even for seemingly minor configuration changes.
2. The need for rapid response capabilities in addressing widespread issues.
3. The value of transparent communication during and after such incidents.
4. The potential risks associated with automatic updates, especially for critical security systems.

**References:**

1. [CrowdStrike Official Statement](https://www.crowdstrike.com/blog/technical-details-on-todays-outage/)
2. [Windows Named Pipes Documentation](https://learn.microsoft.com/en-us/windows/win32/ipc/named-pipes)

***

Tech moves fast, and so do we. We regularly break down critical incidents like this, offering deep dives and expert analysis you won't find elsewhere.

Want to stay ahead of the curve?

**Subscribe to our newsletter** 👉  <https://techbytesnewsletter.substack.com/>


