Opus accused by Crowdstrike

Greetings Opi
I had an embarrassing incident at work the other day with the following sequence:

  1. I make an edit in "All Files and Folders" context menu
  2. Opus prompts me for an elevation
  3. I get a polite note from Cyber saying I caused a Crowdstrike event

A few questions

  1. Is something wrong? i.e. should this be happening?
  2. If so which component?
  3. dllhost.exe - I presume Opus is calling a Windows DLL inside this process and that process is doing stuff?
  4. It seems the accusation is that an attempt was made to delete a Crowdstrike registry entry "CrowdStrikeODS". Do we think Opus would or did this?

==========EMAIL EXCERPT START===============================
Triggering Indicator Information:

  • Reg Key: HKLM\SOFTWARE\Classes\AllFilesystemObjects\shell\CrowdStrikeODS
  • File System Operation: OP_DELETE

Falcon has detected and blocked the process dllhost.exe attempting to modify Falcon sensor related registry keys. This registry key is related to the CrowdStrike ODS functionality. This is indicative of an attempt to tamper with the Falcon Sensor. 3AD05575-8857-4850-9277-11B85BDB8E09 is the CLSID associated with 'Copy/Move/Rename/Delete/Link'. It is loaded by DLLHost and will be invoked when a user conducts one of those activities via the Windows GUI.

At the time of triage, Falcon Complete was able to verify a successful RTR connection.

This escalation is being raised for your awareness for this activity as attempts to disable the Falcon sensor can often be a precursor to malicious activity.

  • Can you please confirm if this activity is expected?

==========EMAIL EXCERPT END===============================

The registry key mentioned is for a context menu command. Did you actually try to delete it? I can't think of a reason why Opus would try to delete it otherwise, unless you'd actually tried to delete/edit it through the filetype editor.

Thank you @Jon
Whatever I did was within the Opus Context Menu editor as shown above.
Is it possible that I could delete such a registry key from within that editor?
I do notice there is an entry CrowdstrikeODS which I did not recognise nor would I have any reason to insert there. Also it is "not defined". See below.
Is this a representation of a registry key?
Maybe I tried to delete it. Could that be our explanation?
Much appreciate your interest.

Yes context menus can come from the registry. When you create new ones through Opus, it'll be stored in the registry if you choose for it to work in both Opus and Explorer. If you select Opus-only then it'll be stored in your Opus configuration and not require modifying the registry.
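Since the thread turns on which context-menu verbs live in the registry under the key named in the Falcon alert, here is a read-only audit script. It is an added example and is not code from the thread, from Directory Opus or from CrowdStrike. It assumes a standard Windows PowerShell session; the only path it uses is the `AllFilesystemObjects\shell` key quoted in the alert, and it never writes to or deletes anything, so it is safe to run on a machine monitored by an EDR sensor.

```powershell
# Added example, not from the thread: list every shell verb registered for
# "All Files and Folders" (the key named in the Falcon alert), with its display
# text and command, so an unfamiliar entry can be attributed to the product
# that installed it. Read-only: Get-* cmdlets only, no Remove-Item/Set-Item.
$base = 'HKLM:\SOFTWARE\Classes\AllFilesystemObjects\shell'

if (-not (Test-Path -Path $base)) {
    throw "Key not found: $base"
}

$verbs = Get-ChildItem -Path $base -ErrorAction Stop | ForEach-Object {
    $verbKey = $_
    $props   = Get-ItemProperty -Path $verbKey.PSPath -ErrorAction SilentlyContinue
    $cmdPath = $verbKey.PSPath + '\command'
    $command = $null
    if (Test-Path -Path $cmdPath) {
        # The verb's action is the (default) value of its 'command' subkey.
        $command = (Get-ItemProperty -Path $cmdPath -ErrorAction SilentlyContinue).'(default)'
    }
    [pscustomobject]@{
        Verb        = $verbKey.PSChildName      # e.g. CrowdStrikeODS
        DisplayText = $props.'(default)'        # menu caption, if set here
        MUIVerb     = $props.MUIVerb            # localised caption, if used
        Command     = $command                  # what runs when clicked
    }
}

# Show everything, then single out entries whose caption or command does not
# reference Directory Opus (dopus), i.e. entries added by some other product.
$verbs | Format-Table -AutoSize
$verbs | Where-Object {
    ($_.Command -notmatch 'dopus') -and ($_.DisplayText -notmatch 'Opus')
} | Select-Object Verb, DisplayText, Command
```

Run it in a normal (non-elevated) prompt: reading HKLM\SOFTWARE\Classes needs no elevation, so a Falcon alert about an elevated dllhost.exe deleting one of these keys can be checked against this list without repeating the elevation that started the incident. The filter on `dopus`/`Opus` is an assumption about how Opus-created verbs are named; adjust it to whatever the entries on your machine actually contain.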

@Jon can you clarify what this setting is, or where it is located?

1 Like

Ah.
I was drawing a pretty picture so let's not waste it (below)
I would have to have selected
3.3 Run an Opus function (not supported in Explorer) otherwise my internal command would not have worked.
Question-A

  • If I selected 3.3 and only that then there should have been no registry delete of the sort flagged above?

Question-B

  • If I hit 3.1 or 3.2 (which I could have done by mistake) then I could have triggered the Crowdstrike trouble?

Question-C

  • Any comments on that unknown "CrowdstrikeODS" entry? (Above screenshot only. Below is from another laptop) That is a very specific string and I would not have entered that.

Thanks again..... really appreciate your comments. Then next time I can pay close attention and know what I might do to avoid such scrutiny 🙂

As I said, it would have been a context menu command put in the registry by the CrowdStrike software. What it actually does I have no idea.