Let’s imagine a pen-test scenario…
You’ve gotten past those firewalls and compromised your first machine!
Even more – you’ve escalated to an admin account! How cool is that!!
But you quickly realize that there are a few DLP and SIEM agents on the box that you may need to disable temporarily.
Now, I’m always skeptical about turning off such products – how can I be 100% sure that they’re not collecting information even when turned off?
One such product is CrowdStrike’s Falcon sensor.
I recently found an undocumented way to uninstall Falcon Sensor. First of all, how do I know the sensor is there and running, beyond the obvious places: the services list, installed programs and Task Manager?
Okay… so we know it’s there and listening.
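As an added example (not from the original post), here is a PowerShell check that goes beyond the services list and Task Manager: it looks for the sensor’s user-mode service, its kernel driver, its processes, and any established outbound TCP connections those processes hold, which is the evidence that it is actually talking to the Falcon cloud. The service name CSFalconService, the driver name csagent, the process names and the default install directory are assumptions based on a typical Falcon deployment; adjust them if the target differs.

```powershell
# Added example, not from the original post. The names below are assumptions about
# a typical Falcon deployment; adjust them if the target's sensor differs.
$ServiceName  = 'CSFalconService'                        # user-mode sensor service (assumed)
$DriverName   = 'csagent'                                # kernel driver name (assumed)
$ProcessNames = 'CSFalconService', 'CSFalconContainer'   # sensor process names (assumed)
$InstallDir   = 'C:\Program Files\CrowdStrike'           # default install path (assumed)

function Get-FalconSensorStatus {
    # Collects every place the sensor shows up so the caller can decide whether it
    # is installed, merely present, or installed, running and connected.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue

    # Kernel drivers are not returned by Get-Service; Win32_SystemDriver lists them.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$DriverName'" -ErrorAction SilentlyContinue

    $procs = Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue

    # The sensor connects outbound to the Falcon cloud; it does not listen locally,
    # so look for established connections owned by the sensor processes.
    $conns = @()
    if ($procs) {
        $sensorPids = @($procs).Id
        $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
                 Where-Object { $sensorPids -contains $_.OwningProcess } |
                 Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
    }

    [pscustomobject]@{
        ServiceInstalled = [bool]$svc
        ServiceStatus    = if ($svc) { $svc.Status.ToString() } else { 'absent' }
        DriverLoaded     = ($drv -and $drv.State -eq 'Running')
        DriverStartMode  = if ($drv) { $drv.StartMode } else { 'absent' }
        ProcessCount     = @($procs).Count
        InstallDirExists = Test-Path -LiteralPath $InstallDir
        Connections      = @($conns)
    }
}

function Test-FalconSensorActive {
    # True only when the sensor is installed and doing something: driver loaded,
    # service running, and at least one live connection. A loaded driver with a
    # stopped service is what a "downgraded" (stopped) sensor looks like.
    param([Parameter(Mandatory)] $Status)
    return ($Status.DriverLoaded -and
            $Status.ServiceStatus -eq 'Running' -and
            $Status.Connections.Count -gt 0)
}

$status = Get-FalconSensorStatus
$status | Format-List
if (Test-FalconSensorActive $status) {
    Write-Host 'Falcon sensor is installed, running and connected.'
} elseif ($status.ServiceInstalled -or $status.DriverLoaded -or $status.InstallDirExists) {
    Write-Host 'Falcon sensor components are present but the sensor is not fully active.'
} else {
    Write-Host 'No Falcon sensor components found.'
}
```

Run it from an elevated prompt; Get-NetTCPConnection will not show the owning process of another user’s sockets otherwise. The same two functions are what you would run again after reinstalling the sensor to confirm it has come back and is checking in, rather than just that the service exists.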
All right, well, the installer’s command-line options include install, repair and uninstall. (Grab the installer from my GitHub if you can’t find it on the target machine.)
What piques my interest, though, are the repair and uninstall options. If you would rather not uninstall, you can always downgrade it (which stops the sensor) with the following:
Unfortunately, the downgrade is noisy (even with the /quiet switch): the product uninstalls and reinstalls itself, and the sensor is left stopped.
The other option is to temporarily uninstall it while we attempt lateral movement. I couldn’t find this way of uninstalling the product documented anywhere:
I thought this was pretty cool as I can silently uninstall the product from the command line and ensure my activities are not recorded in the Falcon cloud.
You will want to install it back when done: the host stops checking in to the Falcon console the moment the sensor is gone, which a watchful SOC will notice, and you never know whether other apps such as a VPN client check for the sensor before they run.
Installing it back is again a one-step process, but you may need to sign up for the trial on the CrowdStrike website to obtain a CID with checksum (the customer ID that enrolls the sensor in a tenant). Note that a trial CID enrolls the host in your trial tenant, not the target’s, so the original tenant still sees the host as missing:
WindowsSensor.exe /install /quiet /norestart CID=<ID>