Forwarded from DefenseEvasion
💀 Windows | Get passwords no one notices 🔑
- Run mimikatz to steal passwords? — No way!
- Capture RAM using forensics tools, exfiltrate it and process remotely? — Better, but blue team will knock you down anyway (your user isn't a forensics specialist, huh?)
🥷🏻How to get RAM snapshot quieter
- When Windows faces a problem that it can't recover from safely, it shows BSoD and saves the current RAM state to the file C:\Windows\MEMORY.DMP
- So, be the root cause of BSoD — crash the system
🔑 Get passwords!
1️⃣End critical process (svchost) or start wininit
2️⃣Exfiltrate
C:\Windows\MEMORY.DMP
3️⃣Launch volatility
py vol.py -f MEMORY.DMP windows.cachedump.Cachedump
py vol.py -f MEMORY.DMP windows.hashdump.Hashdump
py vol.py -f MEMORY.DMP windows.lsadump.Lsadump
⚠️Requirements
- Full memory dump is enabled (CrashDumpEnabled = 0x1, Overwrite = 0x1)
- Rights to access MEMORY.DMP
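The two requirements above are exactly what a defender should audit. The following PowerShell is an added example (not from the DefenseEvasion post): it reads the documented CrashControl registry values, checks who can read the existing dump file, and pulls recent BugCheck 1001 events for correlation. It assumes an elevated session on Windows; the event-source names and the hardening value are labelled where they are assumptions.

```powershell
# Added example: audit the crash-dump conditions the post lists.
# Documented CrashControl values: CrashDumpEnabled (0 none, 1 complete,
# 2 kernel, 3 small, 7 automatic), Overwrite, DumpFile.
$crashCtl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$cfg = Get-ItemProperty -Path $crashCtl

$dumpType = switch ([int]$cfg.CrashDumpEnabled) {
    0 { 'None' } 1 { 'Complete (full RAM, includes LSASS pages)' }
    2 { 'Kernel' } 3 { 'Small' } 7 { 'Automatic' }
    default { "Unknown ($($cfg.CrashDumpEnabled))" }
}
# DumpFile is REG_EXPAND_SZ; fall back to the default location if unset.
$dumpFile = if ($cfg.DumpFile) { [Environment]::ExpandEnvironmentVariables($cfg.DumpFile) }
            else { "$env:SystemRoot\MEMORY.DMP" }

[PSCustomObject]@{
    DumpType   = $dumpType
    Overwrite  = [bool]$cfg.Overwrite
    DumpFile   = $dumpFile
    DumpExists = Test-Path -LiteralPath $dumpFile
} | Format-List

# Requirement 2 from the post: who can read MEMORY.DMP? Anything beyond
# SYSTEM and Administrators with read rights is a finding.
if (Test-Path -LiteralPath $dumpFile) {
    (Get-Acl -LiteralPath $dumpFile).Access |
        Where-Object { $_.FileSystemRights -match 'Read|FullControl' } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}

# Detection: a reboot after a crash writes event 1001 to the System log
# ("The computer has rebooted from a bugcheck ... A dump was saved in ...").
# Assumption: the source is 'BugCheck' (or 'Microsoft-Windows-WER-SystemErrorReporting'
# on older builds), so filter on Id and then on ProviderName.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1001 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -in @('BugCheck', 'Microsoft-Windows-WER-SystemErrorReporting') } |
    Select-Object -First 5 TimeCreated, ProviderName, Message

# Hardening (assumed policy choice): if full dumps are not needed on this host,
# an automatic/kernel dump omits user-mode memory. Uncomment to apply.
# Set-ItemProperty -Path $crashCtl -Name CrashDumpEnabled -Value 7
```

Correlate any 1001 event with the process-termination activity that preceded it in your EDR telemetry; an unexpected crash followed by a read of MEMORY.DMP by a non-admin account is the sequence this post describes.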
> Read the full post (more techniques, nuances, detection, hardening)
#redteam #blueteam #credential_access