Bypass CrowdStrike Falcon EDR protection against process dump like lsass.exe

bilal al-qurneh
2 min read · Sep 13, 2022


One of the first things a penetration tester does after compromising a Windows machine on a network, in order to move laterally to other hosts, is to dump the memory of the lsass.exe process and extract the plaintext passwords and hashes it holds, which may belong to other users. If an EDR is installed on the machine, it will stop you from dumping lsass in the traditional way.

In this article I will demonstrate a way I found to bypass this detection and dump the hashes from memory by using the blue team's own forensic tooling.

TL;DR

Take a full memory dump of the system's RAM with any forensic acquisition tool (DumpIt.exe, MAGNET RAM Capture), then either extract the lsass process from that image with Volatility or pull the hashes directly out of it.

The long version:

CrowdStrike Falcon EDR will not allow a process dump, as shown in the screenshot above, but it does allow a full RAM dump of the system.

There are many tools that can perform memory acquisition; I will be using MAGNET RAM Capture, a free tool that runs as a standalone executable without installation.

The memory is now captured and ready for analysis. Next, extract the hashes with Volatility. If you cannot transfer the image off the host, you can download Volatility onto the target system and run it there; otherwise copy the image to your attack machine and analyze it locally. Keep in mind that a full RAM image is the size of the machine's physical memory, so plan for the disk space and transfer time, and record a hash of the image before moving it so you can confirm it arrived intact.

Social:

Linkedin: https://www.linkedin.com/in/bilal-alqurneh/

Twitter: https://twitter.com/0xcc00

