Falcon has detected and blocked the process dllhost.exe attempting to modify Falcon sensor related registry keys. This registry key is related to the CrowdStrike ODS functionality. This is indicative of an attempt to tamper with the Falcon Sensor. 3AD05575-8857-4850-9277-11B85BDB8E09 is the CLSID associated with 'Copy/Move/Rename/Delete/Link'. It is loaded by DLLHost and will be invoked when a user conducts one of those activities via the Windows GUI.
At the time of triage, Falcon Complete was able to verify a successful RTR connection.
This escalation is being raised for your awareness for this activity as attempts to disable the Falcon sensor can often be a precursor to malicious activity.
Can you please confirm if this activity is expected?
The registry key mentioned is for a context menu command. Did you actually try to delete it? I can't think of a reason why Opus would try to delete it otherwise, unless you'd actually tried to delete/edit it through the filetype editor.
Thank you @Jon
Whatever I did was within the Opus Context Menu editor as shown above.
Is it possible that I could delete such a registry key from within that editor?
I do notice there is an entry CrowdstrikeODS which I did not recognise nor would I have any reason to insert there. Also it is "not defined". See below.
Is this a representation of a registry key?
Maybe I tried to delete it. Could that be our explanation?
Much appreciate your interest.
Yes, context menus can come from the registry. When you create new ones through Opus, they'll be stored in the registry if you choose for them to work in both Opus and Explorer. If you select Opus-only then they'll be stored in your Opus configuration and not require modifying the registry.
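To see which context-menu entries are registry-backed and where they come from, here is an added PowerShell example (not from Jon, the Opus project, or CrowdStrike) that reads the standard Explorer locations for static verbs and for COM context-menu handlers and resolves each handler's CLSID to the DLL that implements it. The hive and class paths are the usual Windows shell locations; the script only reads and changes nothing.

```powershell
# Added example: list Explorer context-menu entries stored in the registry so an
# unfamiliar verb (such as the "CrowdstrikeODS" entry in the thread) can be traced
# to its command line, or a CLSID-based handler to the DLL that DllHost would load.
# Assumes the standard shell verb locations; read-only.

$hives   = @('HKEY_CLASSES_ROOT', 'HKEY_CURRENT_USER\Software\Classes')
$classes = @('*', 'Directory', 'Directory\Background', 'Folder', 'Drive')

function Get-ClsidServer([string]$clsid) {
    # Resolve a CLSID to its in-process server DLL (the module a host loads).
    $k = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    if (Test-Path -LiteralPath $k) { (Get-ItemProperty -LiteralPath $k).'(default)' }
    else { '<CLSID not registered>' }
}

$rows = foreach ($hive in $hives) {
    foreach ($class in $classes) {
        # Static verbs: <class>\shell\<verb>\command holds the command line to run.
        $shell = "Registry::$hive\$class\shell"
        if (Test-Path -LiteralPath $shell) {
            foreach ($verb in Get-ChildItem -LiteralPath $shell) {
                $cmdKey = "$($verb.PSPath)\command"
                $cmd = if (Test-Path -LiteralPath $cmdKey) {
                    (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
                } else { '<no command subkey>' }
                [pscustomobject]@{ Hive = $hive; Class = $class; Kind = 'verb';
                                   Name = $verb.PSChildName; Target = $cmd }
            }
        }
        # COM handlers: <class>\shellex\ContextMenuHandlers\<name> names a CLSID.
        $shellex = "Registry::$hive\$class\shellex\ContextMenuHandlers"
        if (Test-Path -LiteralPath $shellex) {
            foreach ($h in Get-ChildItem -LiteralPath $shellex) {
                $clsid = (Get-ItemProperty -LiteralPath $h.PSPath).'(default)'
                if (-not $clsid) { $clsid = $h.PSChildName }  # key name may be the CLSID itself
                [pscustomobject]@{ Hive = $hive; Class = $class; Kind = 'handler';
                                   Name = $h.PSChildName;
                                   Target = "$clsid -> $(Get-ClsidServer $clsid)" }
            }
        }
    }
}

$rows | Sort-Object Hive, Class, Kind, Name | Format-Table -AutoSize -Wrap
```

An entry whose Target points at a command line or DLL you do not recognise is the one to check against your Opus settings and your endpoint vendor's documentation before touching it.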
Ah.
I was drawing a pretty picture so let's not waste it (below)
I would have to have selected
3.3 Run an Opus function (not supported in Explorer) otherwise my internal command would not have worked.
Question A:
If I selected 3.3 and only that then there should have been no registry delete of the sort flagged above?
Question B:
If I hit 3.1 or 3.2 (which I could have done by mistake) then I could have triggered the Crowdstrike trouble?
Question C:
Any comments on that unknown "CrowdstrikeODS" entry? (Above screenshot only. Below is from another laptop) That is a very specific string and I would not have entered that.
Thanks again... really appreciate your comments. Then next time I can pay close attention and know what I might do to avoid such scrutiny.