A sophisticated method has emerged that enables attackers to discreetly extract Windows secrets and credentials, effectively eluding detection from the majority of Endpoint Detection and Response (EDR) solutions. This technique empowers individuals who have already established a foothold on a Windows machine to gather credentials for lateral movement within a network without triggering the usual security alerts.
How Windows Manages Secrets
The Local Security Authority (LSA), which operates within the lsass.exe process, serves as the cornerstone of Windows’ management of sensitive information. The LSA utilizes two in-memory databases that correspond to on-disk registry hives:
- SAM database: This database oversees user, group, and alias objects and corresponds to the SAM registry hive. It stores user credentials, although there is no straightforward API to retrieve them in plaintext.
- Security database: This database manages policy, trusted-domain, account, and secret objects, aligning with the SECURITY registry hive. It holds LSA secrets, including cached domain credentials and machine keys.
While these databases can be accessed through RPC interfaces (MS-SAMR and MS-LSAD), they do not provide a simple means to decrypt stored secrets. Gaining access to the credentials and secrets necessitates direct interaction with the SAM and SECURITY registry hives, which are safeguarded by Discretionary Access Control Lists (DACLs) that limit access to accounts with SYSTEM privileges. The sensitive data contained within these hives, such as user credentials and machine keys, is encrypted, and decrypting this information requires additional values from the SYSTEM hive to reconstruct the decryption key.
While attackers typically employ various local and remote techniques to harvest credentials, most modern security tools are adept at detecting well-known methods. For instance, interacting with the lsass.exe process memory is a high-risk activity that is closely monitored by EDRs and Windows Defender, often resulting in immediate alerts.
EDR solutions primarily depend on kernel-mode callback routines to observe system activity. By utilizing functions like CmRegisterCallbackEx, an EDR's driver can register to receive notifications from the Windows kernel regarding specific events, such as registry access. When a process attempts to read a sensitive key, like HKLM\SAM or HKLM\SECURITY, the kernel alerts the EDR, which can then block the operation or raise an alert. To optimize performance, EDRs typically monitor a select list of high-risk API calls and registry paths, rather than scrutinizing every single system operation.
A New Method for Silent Exfiltration
Researcher Sud0Ru has unveiled a novel two-pronged approach that allows attackers to circumvent these defenses by leveraging lesser-known Windows internals. This method avoids creating on-disk backups of registry hives and does not necessitate SYSTEM-level privileges, functioning within the context of a local administrator.
- Bypassing Access Controls with NtOpenKeyEx: The initial step involves utilizing the undocumented native API NtOpenKeyEx. By invoking this function with the REG_OPTION_BACKUP_RESTORE flag and enabling the SeBackupPrivilege (which is accessible to administrators), an attacker can bypass standard ACL checks on protected registry keys. This grants direct read access to the SAM and SECURITY hives without requiring SYSTEM user status.
- Evading Detection with RegQueryMultipleValuesW: After gaining access, the next hurdle is to read the data without triggering EDR alerts. Most EDRs monitor common API calls for reading registry values, such as RegQueryValueExW. This technique, however, employs RegQueryMultipleValuesW, an API designed to retrieve data for a list of value names associated with a registry key. Due to its infrequent usage, many EDR vendors have not incorporated it into their monitoring protocols. By utilizing this API to read a single value at a time, attackers can extract encrypted secrets from the SAM and SECURITY hives without detection.
This combined strategy enables the entire operation to transpire in memory, leaving no on-disk artifacts and avoiding API calls that would typically signal malicious activity. The outcome is a silent and effective method for harvesting credentials. Although decrypting the exfiltrated data constitutes a separate process, this collection technique illustrates that even advanced defensive systems can be outmaneuvered by exploiting overlooked, legitimate functionalities within the operating system itself.
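The following is an added example, not code from the article or from the researcher's tooling. It models, in portable C that compiles without the WDK, the decision a registry-filter driver registered through CmRegisterCallbackEx would make in its pre-operation callback, covering both the kernel callback mechanism described earlier and the two-step technique above. The real callback receives a REG_NOTIFY_CLASS value and a REG_*_KEY_INFORMATION structure; the enum, the flag constant (same value as the Win32 REG_OPTION_BACKUP_RESTORE) and the caller_is_system flag are simplified stand-ins, and the key paths use the kernel's \REGISTRY\MACHINE naming for HKLM. The sample paths in main() are constructed for illustration.

```c
/*
 * Added example: portable model of a CmRegisterCallbackEx pre-operation
 * decision for the SAM/SECURITY hives. Not the article's or researcher's code.
 * Compiles without the WDK; types below are stand-ins for kernel structures.
 */
#include <stdio.h>
#include <stdbool.h>

/* Same numeric value as the Win32 REG_OPTION_BACKUP_RESTORE option flag. */
#define REG_OPTION_BACKUP_RESTORE 0x00000004UL

/* Modelled subset of the kernel's REG_NOTIFY_CLASS (names are stand-ins). */
typedef enum {
    NOTIFY_PRE_OPEN_KEY_EX,              /* RegNtPreOpenKeyEx: NtOpenKeyEx / RegOpenKeyEx */
    NOTIFY_PRE_QUERY_VALUE_KEY,          /* RegNtPreQueryValueKey: RegQueryValueExW      */
    NOTIFY_PRE_QUERY_MULTIPLE_VALUE_KEY  /* RegNtPreQueryMultipleValueKey: RegQueryMultipleValuesW */
} notify_class;

typedef enum { VERDICT_ALLOW = 0, VERDICT_ALERT = 1, VERDICT_BLOCK = 2 } verdict;

/* ASCII case-insensitive prefix test; registry paths are case-insensitive.
 * Matches the hive root itself or a subkey, not a sibling such as \...\SAMPLE. */
static bool has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++) {
        unsigned char a = (unsigned char)*s, b = (unsigned char)*prefix;
        if (a >= 'a' && a <= 'z') a -= 'a' - 'A';
        if (b >= 'a' && b <= 'z') b -= 'a' - 'A';
        if (a != b) return false;
    }
    return *s == '\0' || *s == '\\';
}

/* True for the SAM and SECURITY hives (kernel path form) and their subkeys. */
bool is_protected_hive(const char *complete_name)
{
    return has_prefix_ci(complete_name, "\\REGISTRY\\MACHINE\\SAM") ||
           has_prefix_ci(complete_name, "\\REGISTRY\\MACHINE\\SECURITY");
}

/* Pre-operation decision for one registry operation.
 * complete_name: full kernel path of the key.
 * options:       REG_OPTION_* bits supplied on open (ignored for queries).
 * caller_is_system: modelled flag; a real driver derives this from the
 *                   calling thread's token, not from a parameter. */
verdict classify(notify_class cls, const char *complete_name,
                 unsigned long options, bool caller_is_system)
{
    if (!is_protected_hive(complete_name))
        return VERDICT_ALLOW;

    switch (cls) {
    case NOTIFY_PRE_OPEN_KEY_EX:
        /* Step 1 of the technique: a non-SYSTEM caller opening a protected
         * hive with the backup/restore option, so the DACL is not applied
         * and SeBackupPrivilege decides instead. */
        if ((options & REG_OPTION_BACKUP_RESTORE) && !caller_is_system)
            return VERDICT_BLOCK;
        return caller_is_system ? VERDICT_ALLOW : VERDICT_ALERT;
    case NOTIFY_PRE_QUERY_VALUE_KEY:
    case NOTIFY_PRE_QUERY_MULTIPLE_VALUE_KEY:
        /* Step 2: both value-read notification classes are treated alike.
         * Handling only the single-value class is the gap the technique uses. */
        return caller_is_system ? VERDICT_ALLOW : VERDICT_ALERT;
    }
    return VERDICT_ALLOW;
}

int main(void)
{
    /* Constructed sample operations mirroring the two steps in the article. */
    verdict v1 = classify(NOTIFY_PRE_OPEN_KEY_EX,
                          "\\REGISTRY\\MACHINE\\SAM\\SAM\\Domains",
                          REG_OPTION_BACKUP_RESTORE, false);
    verdict v2 = classify(NOTIFY_PRE_QUERY_MULTIPLE_VALUE_KEY,
                          "\\REGISTRY\\MACHINE\\SECURITY\\Policy\\Secrets",
                          0, false);
    verdict v3 = classify(NOTIFY_PRE_OPEN_KEY_EX,
                          "\\REGISTRY\\MACHINE\\SOFTWARE\\Vendor",
                          REG_OPTION_BACKUP_RESTORE, false);
    printf("open SAM w/ backup flag: %d, multi-value read of SECURITY: %d, benign open: %d\n",
           v1, v2, v3);  /* 2, 1, 0 */
    return 0;
}
```

Two design points follow from the article. First, the detection is keyed on the target path plus the open option and the caller's token, not on which Win32 wrapper was called, so a rarely used API reaches the same decision as a common one. Second, REG_OPTION_BACKUP_RESTORE is also used by legitimate backup tooling running with SeBackupPrivilege, so a production driver would more likely raise a high-severity alert on the open and correlate it with subsequent value reads than block unconditionally as the model does.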