Bypassing CrowdStrike in an Enterprise Production Network [in 3 Different Ways]
EDR solutions and specifically CrowdStrike Falcon are giving us a hard time recently. It seemed that no matter how covert we tried to be, a well-trained blue-team was able to utilize these type of solutions to pick up on our activity relatively fast. That’s why when we had an opportunity to travel to India and sit in the same room with the SOC team of one of the biggest companies in the world, a team that built their detection capabilities around CrowdStrike, we couldn’t resist the urge to test out some of our ideas on how these tools can be bypassed. tl;dr: We ended up with 3 new techniques for CrowdStrike bypass that force blue-teams (and CrowdStrike) to re-think some of their current detection and mitigation tactics. What is CrowdStrike anyway? CrowdStrike looks at the OS of a machine, logs pretty much everything that happens on it (processes, memory, etc.), and alerts on deviations and anomalies from standard behavior (I’m sure it does many more things, but for our purposes this de