A method to silently exfiltrate Windows secrets and credentials, evading detection from most Endpoint Detection and Response (EDR)<\/a> solutions.<\/p>\n This technique allows attackers who have gained an initial foothold on a Windows machine to harvest credentials for lateral movement across a network without triggering common security alerts.<\/p>\n The Local Security Authority (LSA), running within the While these databases can be managed through RPC interfaces ( These hives are protected by Discretionary Access Control Lists<\/a> (DACLs) that restrict access to accounts with Decrypting this information requires additional values from the Attackers commonly use various local and remote techniques to harvest credentials, but modern security tools<\/a> detect most well-known methods.<\/p>\n Interacting with the EDR solutions primarily rely on kernel-mode callback routines to monitor system activity. By using functions like When a process attempts to read a sensitive key, like According to researcher Sud0Ru, who uncovered this technique, a new, two-pronged approach allows attackers to bypass these defenses by leveraging lesser-known Windows internals.<\/p>\n This method avoids creating on-disk backups of registry hives and does not require This combined strategy allows the entire operation to occur in memory, leaving no on-disk artifacts and avoiding API calls that would typically flag malicious activity.<\/p>\n The result is a silent and effective method for harvesting credentials. While decrypting the exfiltrated data is a separate process, this collection technique demonstrates that even mature defensive systems can be circumvented by leveraging overlooked, legitimate functionalities within the operating system itself.<\/p>\n Find this Story Interesting! Follow us on\u00a0LinkedIn<\/a>\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>.<\/p>\n The post Hackers Can Exfiltrate Windows Secrets and Credentials Silently by Evading EDR Detection<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nHow Windows Manages Secrets<\/strong><\/h2>\n
lsass.exe<\/code> process, is the core Windows component responsible for managing sensitive information. The LSA uses two in-memory databases that correspond to on-disk registry hives:<\/p>\n\n
SAM<\/code> registry hive. It stores user credentials, but there is no direct API to retrieve them in plaintext.<\/li>\nSECURITY<\/code> registry hive. This database holds LSA secrets, such as cached domain credentials and machine keys.<\/li>\n<\/ul>\nMS-SAMR<\/code> and MS-LSAD<\/code>), they do not offer a simple way to decrypt stored secrets. To access the credentials and secrets, direct interaction with the SAM<\/code> and SECURITY<\/code> registry hives is necessary.<\/p>\nSYSTEM<\/code> privileges. The sensitive data within them, such as user credentials and machine keys, is encrypted.<\/p>\nSYSTEM<\/code> hive to reconstruct the decryption key.<\/p>\nlsass.exe<\/code> process memory, for example, is a high-risk activity that is heavily monitored by EDRs and Windows Defender, often resulting in immediate alerts.<\/p>\nCmRegisterCallbackEx<\/code>, an EDR\u2019s driver can register to be notified by the Windows kernel of specific events, such as registry access.<\/p>\nHKLMSAM<\/code> or HKLMSECURITY<\/code>, the kernel notifies the EDR, which can then block the operation or raise an alert. To manage performance, EDRs typically monitor a select list of high-risk API calls and registry paths, rather than every single system operation.<\/p>\nA New Method for Silent Exfiltration<\/strong><\/h2>\n
SYSTEM<\/code>-level privileges, operating within the context of a local administrator.<\/p>\n![\"Exfiltrate](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh40EnTpgsqCIIJ-WFy9trRbE2GKZaI-T8BbG5FMQQThHyLDh68BVd3o83AkvBJAnT3kmv1PPNSBaNvTKGs0iimVU2g9fKmR_3J_AoOpAF5r-7n7cO1pyZXuHcBNcJDUti00ssLFOLy5LWpcbEZs2bX3O-a7A0tgdz9L4BscpsFWwITie3SZfjeO198g0Lu\/s16000\/Exfiltrate%2520Windows%2520Secrets%2520and%2520Credentials.webp?ssl=1\")
\n
NtOpenKeyEx<\/code><\/strong>: The first step involves using the undocumented native API NtOpenKeyEx<\/code>. By calling this function with the REG_OPTION_BACKUP_RESTORE<\/code> flag and enabling the SeBackupPrivilege<\/code> (available to administrators), an attacker can bypass the standard ACL checks on protected registry keys. This provides direct read access to the SAM<\/code> and SECURITY<\/code> hives without needing to be the SYSTEM<\/code> user.<\/li>\nRegQueryMultipleValuesW<\/code><\/strong>: Once access is gained, the next challenge is to read the data without triggering EDR alerts. Most EDRs monitor common API calls used for reading registry values, such as RegQueryValueExW<\/code>. This new technique instead uses RegQueryMultipleValuesW<\/code>, an API that retrieves data for a list of value names associated with a registry key. Because this function is used less frequently, many EDR vendors have not included it in their monitoring rules. By using this API to read a single value at a time, attackers can extract the encrypted secrets from the SAM<\/code> and SECURITY<\/code> hives without being detected.<\/li>\n<\/ol>\n