Preface

While the CrowdStrike outage was occurring, I quickly threw together an SSM document as a potential way to remediate. Unfortunately, I did not test this with the CrowdStrike issue specifically since I did not have access to a failing system, and in theory a crashing/boot looping system may not allow enough time for the SSM agent to connect to the backend API.

Creating an SSM Document to run our PowerShell Commands

In a previous post, How to Delete a Specific CrowdStrike File Using PowerShell, we walked through the steps to manually delete a specific driver file using PowerShell. While this method works well for individual instances, managing this sort of task across multiple Windows instances can be challenging. This is where AWS Systems Manager (SSM) comes in handy.

In this guide, we will learn how to create an SSM Document that automates the deletion process and associates it with all your Windows instances in a given AWS region. Having tools like this in your toolbox is essential for efficiently managing tasks at scale.

Step 1: Create the SSM Document

The first step is to create an SSM Document that contains the PowerShell script to delete the specific CrowdStrike file.

  1. Open the AWS Management Console

    Navigate to the AWS Systems Manager console.

  2. Create a New SSM Document

    • In the navigation pane, choose Documents.
    • Choose Create document.
    • For Name, enter a name for your document, such as DeleteCrowdStrikeFile.
    • For Document type, choose Command or Session.
    • For Content, choose Editor and paste the following JSON content:
{
  "schemaVersion": "2.2",
  "description": "Delete file matching C-00000291*.sys in C:\\Windows\\System32\\drivers\\CrowdStrike directory",
  "mainSteps": [
    {
      "action": "aws:runPowerShellScript",
      "name": "deleteCrowdStrikeFile",
      "inputs": {
        "runCommand": [
          "$directory = 'C:\\Windows\\System32\\drivers\\CrowdStrike'",
          "Set-Location -Path $directory",
          "$filePattern = 'C-00000291*.sys'",
          "Get-ChildItem -Path $directory -Filter $filePattern | Remove-Item -Force"
        ]
      }
    }
  ]
}
  3. Create the Document

    • Choose Create document to save your new SSM Document.

Step 2: Associate the SSM Document with All Windows Instances

Once the SSM Document is created, the next step is to associate it with all Windows instances in your desired AWS region.

  1. List All Windows Instances

    Use the following AWS CLI command to list all Windows instances in your region. Ensure you have the AWS CLI installed and configured with appropriate permissions.

    aws ec2 describe-instances --filters "Name=platform,Values=windows" --query "Reservations[*].Instances[*].InstanceId" --output text
    

    This command will return a list of instance IDs for all Windows instances.

  2. Run the SSM Document on All Windows Instances

    Use the AWS CLI to run the SSM Document on all listed Windows instances. Replace YOUR_DOCUMENT_NAME with the name of the SSM Document you created (e.g., DeleteCrowdStrikeFile). Note that --output text separates the instance IDs with tabs and newlines, while the Values= field of --targets expects a comma-separated list, so the IDs are converted before they are passed to send-command.

    INSTANCE_IDS=$(aws ec2 describe-instances --filters "Name=platform,Values=windows" --query "Reservations[*].Instances[*].InstanceId" --output text | tr -s '[:space:]' ',' | sed 's/,$//')
    aws ssm send-command \
      --document-name "YOUR_DOCUMENT_NAME" \
      --targets "Key=instanceids,Values=$INSTANCE_IDS" \
      --comment "Deleting CrowdStrike file from all Windows instances"
    

    This command sends the DeleteCrowdStrikeFile document to all Windows instances in the specified region. Only instances that are registered with Systems Manager and whose SSM agent can reach the service will actually execute it; the others appear as failed or timed-out invocations in the command's results.

Example Commands and Script

For convenience, here is the complete script that combines listing instance IDs and running the SSM Document:

#!/bin/bash

# Define the SSM Document name
DOCUMENT_NAME="DeleteCrowdStrikeFile"

# List all Windows instances. --output text separates the IDs with tabs and
# newlines, so convert them to the comma-separated list that Values= expects.
INSTANCE_IDS=$(aws ec2 describe-instances --filters "Name=platform,Values=windows" --query "Reservations[*].Instances[*].InstanceId" --output text | tr -s '[:space:]' ',' | sed 's/,$//')

# Run the SSM Document on all Windows instances
# (a single --targets entry accepts at most 50 instance IDs)
aws ssm send-command \
  --document-name "$DOCUMENT_NAME" \
  --targets "Key=instanceids,Values=$INSTANCE_IDS" \
  --comment "Deleting CrowdStrike file from all Windows instances"
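The script above sends one command to the whole list in a single call. The following is an added example, not the post's own script, that goes a step further for the same procedure: it targets only the Windows instances that Systems Manager actually reports as Online (the preface's concern about an agent that cannot connect), splits the IDs into batches of 50, which is the most a single --targets entry accepts, and polls each command until it finishes so per-instance success or failure is visible. It assumes the DeleteCrowdStrikeFile document from Step 1 already exists, that the AWS CLI is configured for the target region, and that the caller sets RUN_SSM=1 to actually run it; the batch_ids and intersect_ids helpers are pure shell and can be exercised without AWS access.

```shell
#!/bin/sh
# Added example, not the post's own script. Runs an SSM Command document against
# every Windows instance that Systems Manager can actually reach, in batches of
# 50 IDs (the most a single --targets entry accepts), and reports per-instance
# results. Assumes the DeleteCrowdStrikeFile document from the post already
# exists and the AWS CLI is configured for the target region.
set -eu

DOCUMENT_NAME="${DOCUMENT_NAME:-DeleteCrowdStrikeFile}"
BATCH_SIZE=50
POLL_SECONDS=10

# --output text separates IDs with tabs and newlines; normalise to one per line.
one_per_line() {
  printf '%s\n' "$1" | tr -s '[:space:]' '\n' | sed '/^$/d'
}

# Emit the IDs as comma-separated batches of at most $2 IDs, one batch per line.
# This is the form a Values= field expects.
batch_ids() {
  one_per_line "$1" | awk -v n="$2" '
    { buf = (count ? buf "," : "") $0; count++ }
    count == n { print buf; buf = ""; count = 0 }
    END { if (count) print buf }'
}

# IDs present in both lists, one per line, in the order of the second list.
intersect_ids() {
  first=" $(one_per_line "$1" | tr '\n' ' ')"
  for id in $(one_per_line "$2"); do
    case "$first" in *" $id "*) printf '%s\n' "$id" ;; esac
  done
}

# Running Windows instances that SSM also reports as Online. An instance whose
# agent cannot reach the service (a boot-looping one, for example) is absent
# from the second list and is skipped rather than left to time out.
reachable_windows_instances() {
  ec2_ids=$(aws ec2 describe-instances \
    --filters "Name=platform,Values=windows" "Name=instance-state-name,Values=running" \
    --query "Reservations[*].Instances[*].InstanceId" --output text)
  ssm_ids=$(aws ssm describe-instance-information \
    --filters "Key=PingStatus,Values=Online" "Key=PlatformTypes,Values=Windows" \
    --query "InstanceInformationList[*].InstanceId" --output text)
  intersect_ids "$ssm_ids" "$ec2_ids"
}

# Send the document to one batch; prints the command ID. Concurrency and error
# thresholds keep a bad document from hitting the whole fleet at once.
send_batch() {
  aws ssm send-command \
    --document-name "$DOCUMENT_NAME" \
    --targets "Key=InstanceIds,Values=$1" \
    --max-concurrency "25%" --max-errors "10%" \
    --comment "Deleting CrowdStrike file (batch)" \
    --query "Command.CommandId" --output text
}

# Poll until the command leaves Pending/InProgress, then list per-instance status.
wait_for_command() {
  while :; do
    status=$(aws ssm list-commands --command-id "$1" --query "Commands[0].Status" --output text)
    case "$status" in Pending|InProgress) sleep "$POLL_SECONDS" ;; *) break ;; esac
  done
  echo "command $1 finished with status $status"
  aws ssm list-command-invocations --command-id "$1" \
    --query "CommandInvocations[*].[InstanceId,Status]" --output text
}

main() {
  ids=$(reachable_windows_instances)
  [ -n "$ids" ] || { echo "no reachable Windows instances found" >&2; exit 1; }
  batch_ids "$ids" "$BATCH_SIZE" | while read -r batch; do
    cmd=$(send_batch "$batch")
    echo "sent batch [$batch] as command $cmd"
    wait_for_command "$cmd"
  done
}

# Guarded so the helpers can be sourced or tested without touching AWS.
if [ "${RUN_SSM:-0}" = "1" ]; then main; fi
```

Run it with RUN_SSM=1 ./run-doc.sh (the filename is arbitrary). Instances that are missing from the Online list are the ones to follow up on by other means, since no SSM document will reach them; the per-invocation status printed at the end shows which reachable instances reported Success and which did not.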

Conclusion

Automating tasks across your AWS infrastructure with Systems Manager (SSM) can save time and reduce the risk of manual errors. By creating an SSM Document and associating it with your Windows instances, you can efficiently manage and delete specific files across multiple systems. This method is particularly useful for handling tasks at scale, ensuring consistency and reliability across your environment.

Having tools like SSM Documents in your toolbox is essential for any system administrator. They enable you to automate repetitive tasks, maintain compliance, and ensure your systems are secure and up-to-date.

For more detailed information and support, refer to the AWS Systems Manager Documentation.


Emmanuel Tsouris is a Systems Development Manager working in the cloud, with extensive experience in cloud platforms, enterprise management, and automation. In his spare time, he enjoys hiking, biking, cooking, photography, and writing. For more insights and tips, visit emmanueltsouris.com.