Blocking SHA-2 and MD5 Hashes with CrowdStrike Falcon

If your team is using CrowdStrike Falcon for endpoint detection and response, you'll want to keep an up-to-date list of blocked hashes. In this guide, we'll show you how.

Patrick Londa
Jun 24, 2022
 min read
Share this post

CrowdStrike is a leading and comprehensive EDR platform that is providing cloud workload and endpoint security, threat intelligence, and cyber attack response service. Its endpoint detection and response capabilities help organizations prevent breaches.

In this guide, we’ll highlight how you can use hashes in CrowdStrike Falcon to block specific applications or malware from running in your environments.

The Role of Hashes

Hashes are commonly used in cybersecurity to uniquely identify files or pieces of malware and share those hashes as actionable threat intelligence. CrowdStrike Falcon leverages both MD5 and SHA-256 hashes and uses them to prevent or allow the execution of an application in a given environment. 

Once you have a list of MD5 and/or SHA256 signatures of known malware (commonly delivered via threat intelligence or online articles), you can add them to your “Prevention Hashes” list in Falcon and prevent them from running in your environment. 

Moving forward, Falcon will then look for any indication that they are in use, report on the incident, and stop them from running. Keeping your hash lists up-to-date is an important way to protect your data from being made vulnerable through risky or  compromised applications.

blink logo
crowdstrike falcon logo
Blink Automation: Submit New Value to CrowdStrike Falcon Hash Exclusion List
Blink + CrowdStrike Falcon
Get Started

Adding Hash Exclusions in CrowdStrike Falcon

You can add specific values to the “Prevention Hashes” list through the Falcon interface or the API.

Adding Hashes

1. Navigate to the Configuration App within CrowdStrike Falcon, go to the Prevention hashes window, then click “Upload Hashes.”

2. Browse to locate a file from your device or paste your hash list directly into the window. The file must be:

  • A plain text file
  • Contain no more than 3,000 hashes
  • Have at least one hash per line
  • Contain only hashes for executable files

3. The application will upload valid hashes and ignore those considered invalid. Click apply to confirm the update.

4. Choose an action to perform (e.g. “Always Block”) when CrowdStrike Falcon detects a matching hash. Click “Apply” to confirm your choice when the confirmation window appears.

Note that CrowdStrike limits the maximum number of hashes for a single upload to 3,000 and 12,000 total hashes in order to strike the right balance between sensor performance and the hash management experience.

All uploaded hashes should appear. Repeat the above steps to add new hashes as they are discovered.

Enabling Blocking

Navigate to the Configuration app, then go to the “Prevention Policy” page to check for enabled policies. If the policy does not have blocking enabled, toggle the “Custom Blocking” button, then press Save.

Simplify Hash List Updates with Blink

The challenge many organizations face is their ability to automate immediate updates to the hashes list based on multiple sources and as new threats arise. In order to build an effective security stack, this process must be automated. 

Once known malicious hashes are made available, updates to your CrowdStrike “Prevention Hashes” list must be made immediately to assure your security posture against current threats.

With the Blink platform, you can automate the management of hashes within CrowdStrike Falcon and reduce to zero the update and distribution of hashes. Blink leverages the APIs made available by CrowdStrike Falcon to process hashes and updates the CrowdStrike Falcon platform so no manual tasks are needed.

Get started with Blink today to see how easy automation can be.

Automate your security operations everywhere.

Blink is secure, decentralized, and cloud-native. 
Get modern cloud and security operations today.

Get a Demo