Hell0,
I wanted to see if anyone has been able (and how hard it was) to reverse $hell CrowdStrike-protected Windows 11 machines.
The idea would be to write and run a .ps1 file on the victim's computer; the whole thing would be air-gapped.
Any tips/insights into how CrowdStrike protects the machine are welcome!
Obviously this is for pentesting and educational purposes only.
Cheers 
1 Like
Hey there! I see you’re looking to run PowerShell scripts on air-gapped Windows 11 machines protected by CrowdStrike for pentesting purposes. Here’s what you should know:
CrowdStrike’s Protection Mechanisms
CrowdStrike employs several layers of protection specifically targeting PowerShell execution:
CrowdStrike uses multiple PowerShell monitoring mechanisms including “Interpreter-Only” (which monitors AMSI-based commands), “Engine Full Visibility” (which intercepts PowerShell execution via DLL injection), and “Script-Based Execution Monitoring” (which monitors shell contents and scripts).
When malicious PowerShell is detected, CrowdStrike can decode obfuscated scripts automatically and analyze the execution chain, tracking process trees to identify suspicious behavior patterns.
Key Challenges for Pentesting
For authorized penetration testing on air-gapped machines, you’ll face these specific challenges:
- CrowdStrike's behavioral-based detection can identify suspicious PowerShell commands based on patterns rather than just signatures, making simple obfuscation ineffective.
- PowerShell logging is extensive and CrowdStrike monitors not just execution but command-line parameters, which makes evading detection during testing quite challenging.
- The default AMSI (Antimalware Scan Interface) protection in Windows 11 scans PowerShell scripts before execution, and CrowdStrike enhances this capability.
Legitimate Approaches for Testing
For authorized pentesting scenarios:
- Test Environment Configuration: Professional red teams typically use controlled environments to test security solutions via adversary emulation, where specific attack techniques can be safely tested.
- Use Atomic Red Team: The Red Canary Atomic Red Team framework provides standardized security tests that simulate known techniques, including specific tests for CrowdStrike environments in authorized scenarios.
- PowerShell Execution Policy: Consider running scripts with appropriate execution policy settings for your test scenario, but be aware this alone won't bypass protection.
Important Considerations
- CrowdStrike is particularly effective against fileless malware techniques including PowerShell-based attacks, which makes proper testing authorization crucial.
- For educational purposes, security specialists should understand that AMSI can be studied in controlled environments, but actual bypassing attempts should only be done under proper contract and authorization.
For legitimate pentesting, I’d recommend coordinating with the security team to temporarily configure CrowdStrike in audit mode for your specific tests rather than attempting to bypass it entirely.
Remember that for air-gapped systems, you’ll need to prepare your testing materials in advance since you won’t have internet connectivity during the test.
3 Likes
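The reply above leans on PowerShell logging, AMSI and the Falcon sensor being in place before an authorized test; the following pre-flight check is an added example (not code from this thread, Red Canary or CrowdStrike) that confirms those controls are active on the test machine so that an unseen Atomic Red Team test is a real finding rather than a lab misconfiguration. It assumes the standard Group Policy registry locations for PowerShell logging, event ID 4104 in the PowerShell Operational log, and the Falcon sensor service name CSFalconService; run it from an elevated PowerShell session.

```powershell
# Added example: verify the telemetry a CrowdStrike-protected test host should have
# before running authorized adversary emulation (Atomic Red Team or similar).
function Test-PowerShellTelemetry {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $policies = @(
        @{ Setting = 'ScriptBlockLogging'; Key = "$base\ScriptBlockLogging"; Value = 'EnableScriptBlockLogging' }
        @{ Setting = 'ModuleLogging';      Key = "$base\ModuleLogging";      Value = 'EnableModuleLogging' }
        @{ Setting = 'Transcription';      Key = "$base\Transcription";      Value = 'EnableTranscripting' }
    )

    # Group Policy-backed logging settings: each must exist and be set to 1.
    $report = foreach ($p in $policies) {
        $enabled = $false
        if (Test-Path $p.Key) {
            $item = Get-ItemProperty -Path $p.Key -ErrorAction SilentlyContinue
            if ($null -ne $item) { $enabled = ($item.($p.Value) -eq 1) }
        }
        [pscustomobject]@{ Check = $p.Setting; Ok = $enabled }
    }

    # AMSI is loaded into every PowerShell host; if amsi.dll is absent from this
    # process, script content is not being scanned and test results are meaningless.
    $amsi = (Get-Process -Id $PID).Modules | Where-Object { $_.ModuleName -eq 'amsi.dll' }
    $report += [pscustomobject]@{ Check = 'AmsiLoadedInHost'; Ok = [bool]$amsi }

    # Falcon sensor service present and running (service name is an assumption, see lead-in).
    $svc = Get-Service -Name 'CSFalconService' -ErrorAction SilentlyContinue
    $report += [pscustomobject]@{ Check = 'FalconSensorRunning'; Ok = ($null -ne $svc -and $svc.Status -eq 'Running') }

    # End-to-end check: execute a harmless, uniquely tagged script block and confirm
    # it was recorded as a 4104 (ScriptBlockLogging) event in the Operational log.
    $tag = "PREFLIGHT-$([guid]::NewGuid())"
    $null = & ([scriptblock]::Create("Write-Output '$tag'"))
    Start-Sleep -Seconds 2
    $event = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddMinutes(-1)
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -like "*$tag*" } | Select-Object -First 1
    $report += [pscustomobject]@{ Check = 'ScriptBlockEvent4104Seen'; Ok = ($null -ne $event) }

    return $report
}

Test-PowerShellTelemetry | Format-Table -AutoSize
```

Any row reporting Ok = False should be fixed with the security team (or the control explicitly switched to audit mode, as the reply suggests) before the test starts, and the output saved with the engagement records since the air-gapped host cannot ship it anywhere.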