JSReport webshell causing CrowdStrike alerts

Reply to JSReport webshell causing CrowdStrike alerts on Invalid Date

atrichardson — Invalid Date

I'm using JSReport for HTML to PDF and my InfoSec team is getting alerts due to the download and running of JSReport, is there anything I should be doing that would prevent this?

In my Startup.cs I've started the service as follows:

services.AddJsReport(new LocalReporting().UseBinary(JsReportBinary.GetBinary()).KillRunningJsReportProcesses().AsUtility().Create());

In my controller I'm using the ChromePdf recipe

HttpContext.JsReportFeature().Recipe(Recipe.ChromePdf)

Reply to JSReport webshell causing CrowdStrike alerts on Invalid Date

jan_blaha — Invalid Date

Could you please share what urls/ips does your team collected?
I tried to monitor the network and don't see external requests.

Reply to JSReport webshell causing CrowdStrike alerts on Invalid Date

atrichardson — Invalid Date

Sorry, I must have misunderstood what was happening. It doesnt appear to be JSReport itself thats causing problems. It appears to be IIS downloading and executing over and over that's being flagged. Is there any way to store the executable on the server and reference that instead of downloading and running the exe?

Reply to JSReport webshell causing CrowdStrike alerts on Invalid Date

jan_blaha — Invalid Date

The executable is compiled into the jsreport.Binary.dll manifest.
There is no download happening during the start. The binary with its parts is only extracted into the user's temp folder during the first start.

Reply to JSReport webshell causing CrowdStrike alerts on Invalid Date

atrichardson — Invalid Date

Apparently this is still throwing alerts for some reason. Should simply removing .KillRunningJsReportProcesses() take care of this? Or is there something more I need to do to prevent this from happening?

Reply to JSReport webshell causing CrowdStrike alerts on Invalid Date

jan_blaha — Invalid Date

I'm not sure what exactly is the problem you want to prevent?

The KillRunningJsReportProcesses is an explicit call to kill all background jsreport processes.
The jsreport binary process is also automatically killed on the domain unload https://github.com/jsreport/jsreport-dotnet-local/blob/master/jsreport.Local/Internal/LocalUtilityReportingService.cs#L112

Reply to JSReport webshell causing CrowdStrike alerts on Invalid Date

atrichardson — Invalid Date

I'm really just looking for help preventing this alert to satisfy my security team. Is there anyway to prevent the binary process from being killed automatically? I apologize as I'm really not familiar with anything behind the scenes. I'm just looking for a remedy so I don't need to find another PDF solution when this one works great because of these alerts.

Reply to JSReport webshell causing CrowdStrike alerts on Invalid Date

jan_blaha — Invalid Date

So the problem is that when your app shuts down, it also kills the background process? I think this is actually correct behavior.

Maybe what you are looking for is IIS configuration to always keep the app domain loaded. The default IIS behavior is to automatically stop your APP if it isn't in use.
https://docs.hangfire.io/en/latest/deployment-to-production/making-aspnet-app-always-running.html#:~:text=Right-click on the same,waiting for the initial request.