More than One Way to Skin a Hack

4n7m4n
Published in Trinacria
Nov 12, 2018

An Example in Getting Around CrowdStrike Endpoint Protection

For those of you who, like me, are on the red, offensive side of information security, I am certain you are aware of the ever-expanding sea of defensive walls emerging around you. Some of the PowerShell and Windows cmd post-exploitation commands that at one time were easy to pop off without detection, or at the very least without being stopped completely, are now caught by “intelligent” endpoint protection software. What happened to the days when one could just run Mimikatz on a victim box and none were the wiser?

Well, don’t go and give up, or cry to mommy just yet, nerd… Dig deep, hacker and find that knack for perseverance that got you this far in the first place. Get back to those days when you were stuck trying to pop boxes in preparation for your Offensive Security Certified Professional (OSCP) exam, struggling through the Penetration Testing with Kali Linux (PWK) labs and do what? “Try Harder!”

Having an enterprise network as a playground has allowed me to try the many different “ways to skin a cat,” so to speak, in running exploits. My research environment allows me to run an exploit while I watch CrowdStrike’s Falconview to see whether or not the endpoint protection catches me. In one such instance I found that CrowdStrike was catching me running a process dump of LSASS, but only if the command was crafted in a specific way.

DISCLAIMER

I reported this to CrowdStrike and they have since fixed the hole that I found in their Falcon sensor for Windows version 4.16.7903 release on 1 NOV 2018.

I noticed that running the PowerShellMafia/PowerSploit Out-Minidump.ps1 PowerShell script was getting detected AND stopped by Falconview every time. My hacker curiosity led me to try running the script’s commands in PowerShell line by line instead of running the script as a whole. Guess what? It worked! No Falconview detection, and I had a nice LSASS dump sitting on my desktop.

Successful Out-Minidump of lsass.exe

Well, that was cool! Now I know there is no way I am going to get away with running Mimikatz on the victim box without CrowdStrike schwacking it, so I simply threw the lsass.dmp onto my Windows VM where I have Mimikatz installed and BAM! I have cleartext Windows creds.

So that has got to be it right? No more holes in skinning this cat correct? Wrong! My hacker curiosity led me to try some other ways of procdumping LSASS.

The strangest find is that I could actually run Sysinternals procdump.exe successfully if, when I passed the target process argument, I wrote “lsass” and left out the “.exe” file extension. If I left the extension in (“lsass.exe”), Falcon caught and stopped it.

Notice “lsass” and NOT “lsass.exe”

It was a strange find. Simply leave out “.exe” and we have cleartext creds.
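From the defender’s side, the finding above boils down to a rule that matched the literal string “lsass.exe” on the command line. The following is an added example, not code from the original post or from CrowdStrike: a small Python matcher run over constructed process-creation command lines, showing how a naive exact-token rule misses the extension-less form while a rule that normalizes each argument (lower-case, quotes stripped, trailing “.exe” removed) flags “lsass”, “LSASS” and “lsass.exe” alike. The tool list and the protected-name set are assumptions for the demo.

```python
import re
import shlex

# Constructed sample command lines (not real telemetry), mimicking what a
# process-creation log would show for the cases the post describes.
SAMPLE_CMDLINES = [
    r'C:\Tools\procdump.exe -ma lsass.exe C:\Users\u\Desktop\lsass.dmp',
    r'C:\Tools\procdump.exe -ma lsass C:\Users\u\Desktop\lsass.dmp',
    r'C:\Tools\procdump.exe -ma LSASS out.dmp',
    r'C:\Tools\procdump.exe -ma notepad.exe note.dmp',
    r'C:\Windows\System32\notepad.exe lsass_notes.txt',
]

# Assumed for the demo: image names we treat as dump tools, and the
# process name we consider sensitive.
DUMP_TOOLS = {"procdump.exe", "procdump64.exe"}
PROTECTED = {"lsass"}


def _tokens(cmdline):
    # posix=False keeps Windows backslashes literal instead of treating
    # them as escape characters.
    return shlex.split(cmdline, posix=False)


def _image_name(path):
    # Last path component, quotes stripped, case-folded.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def naive_rule(cmdline):
    """Brittle rule: fires only when the exact token 'lsass.exe' appears."""
    toks = _tokens(cmdline)
    return _image_name(toks[0]) in DUMP_TOOLS and "lsass.exe" in toks


def normalized_rule(cmdline):
    """Normalizes every argument before comparing, so the target matches
    with or without '.exe' and regardless of case."""
    toks = _tokens(cmdline)
    if _image_name(toks[0]) not in DUMP_TOOLS:
        return False
    for arg in toks[1:]:
        name = re.sub(r"\.exe$", "", arg.strip('"').lower())
        if name in PROTECTED:
            return True
    return False


def evaluate(cmdlines):
    """Return (naive_hits, normalized_hits) over a list of command lines."""
    return (sum(naive_rule(c) for c in cmdlines),
            sum(normalized_rule(c) for c in cmdlines))
```

Command-line matching is still only one signal: the post’s first bypass (running the script’s commands interactively in PowerShell) never puts a telling command line in the log at all, so handle-access telemetry on lsass.exe (for example Sysmon event ID 10, ProcessAccess) is the more robust detection.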

So, there you have it hacker. These endpoint protection applications may be causing a problem for you in doing some of the things you’ve known and loved, but always remember, “there is more than one way to skin a cat,” and as always “Try harder!”

4n7m4n out.
