TL;DR: This blog post delves into the intersection of digital forensics and penetration testing, sometimes referred to as ‘Offensics’ or ‘OffFOR’. It then highlights the importance of Windows crash dump analysis in cybersecurity. After outlining the architecture of Windows crash dumps and exploring various techniques to extract Windows credentials from RAM dumps, the post introduces ‘Forensike’, a custom PowerShell tool I wrote. It combines forensics and debugging techniques to enhance credential extraction, demonstrating its application and benefits in the realm of offensive security.
Introduction: In the ever-evolving landscape of cybersecurity, the fusion of digital forensic techniques and penetration testing emerges as an interesting strategy for bypassing and strengthening defense mechanisms. This blog post aims to shed light on the pivotal role of Windows crash dump analysis in this context. We start by unraveling the architecture of Windows crash dumps, understanding how they store system information that can be a goldmine for cybersecurity professionals. We then explore methods for extracting Windows credentials from RAM dumps in order to perform lateral movement within internal and Active Directory environments. To cap it off, I will introduce ‘Forensike’, a PowerShell tool I’ve developed. This script exploits admin rights and automates known debugging techniques over a pwned machine.
I : Windows Crash Dumps
Windows crash dumps are files that contain a snapshot of a system’s memory at the moment of a crash, failure, or in some cases, as part of a scheduled capture. These dumps are significant for diagnosing and understanding the reasons behind a system crash or failure. Originally used for troubleshooting, threat actors quickly understood that those files (manually generated or found on victim systems) could also serve malicious purposes.
One example of digital forensics techniques being used for offensive (malicious) goals is this ransomware case from the Lorenz ransomware gang.
Crash dumps generated by Windows can be:
- Complete Memory Dump: Captures all content of the system memory.
- Kernel Memory Dump: Contains all the memory in use by the kernel at the time of the crash.
- Small Memory Dump: A much smaller dump file, usually around 256 KB, which includes basic information such as the stop code, parameters, list of loaded drivers, process and thread information, and a part of the kernel-mode call stack. This type of dump is often referred to as a Minidump.
Windows Crash dumps are often considered superior to classic raw RAM dumps in the sense that they are more structured and contain more information in their header sections.
RAW Dumps are preferred for a comprehensive forensic analysis where every bit of memory might be relevant, offering wide compatibility with forensic tools but requiring more effort to parse and analyze.
On the other hand, Crash Dumps are tailored for crash analysis and debugging in Windows environments, providing structured information that can simplify the analysis of system crashes. Their creation and analysis are more straightforward for the intended purpose but are less versatile for general forensic analysis outside crash debugging scenarios.
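Because crash dumps carry a structured header, a defender can tell which of the dump types listed above a file is from its first bytes alone, whatever its name or extension. The following is an added example, not code from the original post or from Forensike; the field offsets, the reading of MinorVersion as the OS build and the type values are assumptions taken from the commonly documented `_DUMP_HEADER`/`_DUMP_HEADER64` layouts, and the sample header is constructed.

```python
import struct

# Header layouts for kernel crash dumps. Offsets follow the _DUMP_HEADER /
# _DUMP_HEADER64 structures as described by open-source memory-forensics
# tooling; they are an assumption of this example, not taken from the post.
LAYOUTS = {
    b"PAGEDU64": {"bits": 64, "cpus": 0x34, "dump_type": 0xF98},
    b"PAGEDUMP": {"bits": 32, "cpus": 0x24, "dump_type": 0xF88},
}
DUMP_TYPES = {
    1: "complete memory dump",
    2: "kernel memory dump",
    4: "small memory dump (minidump)",
    5: "complete memory dump (bitmap)",
    6: "kernel memory dump (bitmap)",
}
HEAD_BYTES = 0x1000  # enough to cover every field read below


def classify_dump(head: bytes) -> dict:
    """Classify a file from its first bytes; memory pages are never parsed."""
    if head[:4] == b"MDMP":
        # User-mode process dump format, distinct from the kernel "Minidump".
        return {"format": "user-mode minidump"}
    layout = LAYOUTS.get(head[:8])
    if layout is None:
        return {"format": "unknown"}
    if len(head) < layout["dump_type"] + 4:
        return {"format": "crash dump", "bits": layout["bits"],
                "dump_type": "truncated header"}
    _major, minor = struct.unpack_from("<II", head, 8)
    (cpus,) = struct.unpack_from("<I", head, layout["cpus"])
    (dtype,) = struct.unpack_from("<I", head, layout["dump_type"])
    return {
        "format": "crash dump",
        "bits": layout["bits"],
        "os_build": minor,  # MinorVersion is assumed to hold the OS build
        "cpus": cpus,
        "dump_type": DUMP_TYPES.get(dtype, f"unrecognised ({dtype})"),
    }


def triage_file(path: str) -> dict:
    """Read only the header of a file on disk and classify it."""
    with open(path, "rb") as fh:
        return classify_dump(fh.read(HEAD_BYTES))


def build_sample_header(dump_type: int, build: int = 19045, cpus: int = 4) -> bytes:
    """Constructed 64-bit header for demonstration; contains no real memory."""
    buf = bytearray(HEAD_BYTES)
    buf[0:8] = b"PAGEDU64"
    struct.pack_into("<II", buf, 8, 0xF, build)
    struct.pack_into("<I", buf, 0x34, cpus)
    struct.pack_into("<I", buf, 0xF98, dump_type)
    return bytes(buf)


if __name__ == "__main__":
    for t in (1, 2, 4):
        print(classify_dump(build_sample_header(t)))
```

Running `triage_file` over large files found outside the default crash dump locations shows whether a complete memory image is sitting on a disk where nobody expected one.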
II : Extracting Credentials from Windows RAM dumps
To move within an environment, the fastest way for attackers to progress between systems is OS Credential Dumping. By dumping critical processes’ memory on compromised systems, threat actors get their hands on more Windows and Active Directory user/machine accounts whose rights they can abuse within the infrastructure. Yes, I am looking at you, LSASS.
LSASS.exe (Local Security Authority Subsystem Service) is probably one of the most famous Windows processes in cybersecurity, as it acts as the main actor in Windows and AD authentication by managing and storing credentials.
Please read this nice article about LSASS.exe if you want to understand the way it works.
As LSASS is fundamental to the way Windows works and to its security, it is probably the process most heavily monitored by EDRs. A never-ending cat and mouse game has been engaged by attackers, who always try to find new ways to dump LSASS.exe memory, as it contains Windows passwords and hashes. Some of these techniques involve performing RAM dumps:
- Volatility + MRC
Volatility is the most famous digital forensics framework when it comes to memory analysis. As it is written in Python, its portability and simplicity are great to retrieve interesting artefacts from dump files.
However, Volatility does not distinguish between dump files generated by Incident Response professionals and those generated by threat actors. Here, a dump file was created with MAGNET RAM CAPTURE by an attacker who obtained admin rights on an Internet-facing server, and was then retrieved for offline credential extraction. Through the use of the volatility3.plugins.windows.hashdump module, Volatility3 can be leveraged for malicious purposes.
Here, the attacker extracted the SAM and SYSTEM registry hives from the target dump, but other useful Volatility plugins can be leveraged to extract other types of Windows credentials, such as windows.cachedump.Cachedump to grab domain cache hashes.
- Volatility Mimikatz plugin
During the days of Volatility2, the community used to regularly develop and post new plugins to add more functionality to the tool.
The Mimikatz plugin was written by Francesco Picasso in order to replicate the decryption work of the original mimikatz sekurlsa::LogonPasswords module. By specifying an input dump file and an associated Windows profile, Volatility2 users can read the LSASS.exe segment of the RAM dump file.
- Physmem2Profit
Physmem2profit was an innovative LSASS extraction tool that was composed of 2 main components:
- A C# agent (server) to be executed on a target system. Once running, the agent loads the Winpmem driver in order to capture live memory and exposes it to the attacker machine through a TCP port.
- A Python client, connecting from the attacker machine to the TCP port in order to mount the target's exposed physical memory. The client then performs a process dump on the exposed LSASS process to read it.
The analysis and dump operations are performed by Rekall (Volatility fork) plugins that were reimplemented in the tool code. Unfortunately, Rekall is no longer maintained, and using Physmem2profit may have become really tricky due to dependency issues. However, the Winpmem driver (which also originated from Rekall) does have its own repository and could still be used for memory acquisition/defense evasion purposes (for a long time, Winpmem remained one of the only reliable methods for RAW format memory acquisition).
The term ‘conversion attack’ designates the process of turning a memory dump in a specific format into a readable, and more precisely exploitable, format in order to extract Windows credentials. Here, the Magnet Forensics/Comae Toolkit comes in handy again, as it can convert the more exotic file formats generated by specific technologies, such as VMWare vmem files or Windows hibernation files. Most of the time, those files are only RAW format dumps in disguise, and they can be easily converted into the good old familiar crash dump format, .dmp. If not, they can still be converted into RAW, and then converted again into .dmp.
Numerous tools allow this type of conversion, such as Hibr2Dmp or Bin2Dmp (Comae Toolkit) or even Volatility2. Here is a very nice conversion path explanation from Diverto’s blog:
Hibernation files used to represent invaluable sources of information about systems from a forensic perspective. Indeed, Windows uses the hiberfil.sys file to store a copy of the system memory on the hard disk when the hybrid sleep setting is turned on. The main goal is to let Windows resume a powered-off system to its previous state. If this file is not present, the computer cannot hibernate. However, the most recent versions of Windows came with a new format for the hiberfil.sys file (differences in architecture as well as in the number of pages), breaking existing analysis tools and methodologies.
This 2016 paper by Joe T. Sylve, Vico Marziale and Golden G. Richard II is the best free resource you will find online if you want to know about system hibernation and memory analysis. This academic work is the perfect follow-up to this classic Matt Suiche presentation at Blackhat USA 2008.
The last extraction technique is already mentioned in some of the other blog posts above, but we are going to explain the big idea. Benjamin Delpy a.k.a. GentilKiwi (the GOAT) developed an extension called mimilib.dll (available on the official repository for mimikatz). Once you have loaded the crash dump file you previously created or retrieved into your WinDBG session, you can then load the mimilib.dll file to expand the set of available commands and basically perform what mimikatz does with its sekurlsa::LogonPasswords module, on a crash dump file.
You can then search for the LSASS process address with !process 0 0 lsass.exe and get into its context with .process /r /p <LSASS address>. The extension can then read the lsass process, parse the results and display them with !mimikatz
III : Forensike : Remotely dump lsass by generating a Crash Dump
When I first read about the Lorenz attack described at the beginning of this article, one of my first questions was: Could I do the same in a remote manner, in a pentest/red team engagement? In other words, I wanted to automatize this TTP that I found fascinating.
The final tool needed to overcome a number of obstacles:
- Storage: The very principle of a RAM dump is capturing volatile computer memory to write it on a disk. If I needed to write a large file, where do I do it? On the target machine? On the attacker machine? Elsewhere?
- Crash Dump: The main pro of a crash dump is its structure. As it is the best dump type for Windows environments, I prefer to use it, but how do we generate a crash dump without crashing the target system in the end?
- Acquisition: The whole crash dump process needs to be performed remotely.
- Debugging: The extraction/debugging process also needs to be performed remotely, as I did not want the crash dump to be transferred from the target to the attacker machine (not interesting time-, storage- and stability-wise).
- Defense: How do EDRs react to crash dump generation? To debugging tools? (Spoiler alert: EDRs do not like mimilib.dll…)
Here are the solutions I came up with:
- Storage: Decided to store the final crash dump file on the target machine. As debugging can be performed remotely, there is no need to retrieve the dump file through the network.
- Crash Dump: I will be using the most stable and performant tool: DumpIt from Magnet FORENSICS (previously from the ComaeToolkit). It is easy to deploy, fast and never causes BSOD. Matt Suiche going at it again!
- Acquisition: Creation of a temporary PSDrive for transferring the tool.
- Defense: At the time of writing, I have not encountered a specific EDR technology that has a default policy against the generation of Windows Crash dumps. The EDR I have worked against in my engagements and personal tests never blocked the writing of DumpIt on the target’s disk nor the generation of the final crash dump file. As the signatures of RAM acquisition tools are not blocked by EDRs, they never prevent them from acquiring memory. The only trace left on the target system is probably the loading of the said drivers. In the end, it seems logical that EDRs cannot really prevent these tools from dumping RAM, as I feel most of them simply don’t watch physical memory. I like to consider this attack as an extension of BYOVD attacks (Bring Your Own Vulnerable Driver).
Also, LSASS memory is never directly read by DumpIt. And this attack does not consist in dumping one or two critical processes, so EDRs probably end up letting it be without considering it a threat.
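The traces named above, a driver load followed by a dump file left on the target's disk, can be correlated from endpoint telemetry. The following is an added example, not code from the original post or from Forensike: it assumes Sysmon driver-load (ID 6) and file-create (ID 11) events with their standard field names, while the hosts, paths, file names and the 10-minute window are constructed.

```python
from datetime import datetime, timedelta

# Paths where Windows itself writes crash dumps; anything else is unexpected.
DEFAULT_DUMP_PATHS = (
    "c:\\windows\\memory.dmp",
    "c:\\windows\\minidump\\",
    "c:\\windows\\livekernelreports\\",
)
WINDOW = timedelta(minutes=10)  # assumed correlation window, tune per environment


def is_unexpected_dump(path: str) -> bool:
    p = path.lower()
    return p.endswith(".dmp") and not p.startswith(DEFAULT_DUMP_PATHS)


def correlate(events: list) -> list:
    """Alert when a .dmp appears in a non-default path soon after a driver load."""
    alerts, driver_loads = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 6:  # Sysmon: driver loaded
            driver_loads.setdefault(ev["host"], []).append(ev)
        elif ev["id"] == 11 and is_unexpected_dump(ev["TargetFilename"]):
            recent = [d for d in driver_loads.get(ev["host"], [])
                      if ev["time"] - d["time"] <= WINDOW]
            if recent:
                alerts.append({
                    "host": ev["host"],
                    "dump": ev["TargetFilename"],
                    "written_by": ev["Image"],
                    "drivers": [d["ImageLoaded"] for d in recent],
                })
    return alerts


def t(minute: int) -> datetime:
    return datetime(2024, 1, 1, 10, minute)


# Constructed sample events (hosts, paths and file names are hypothetical).
SAMPLE_EVENTS = [
    {"id": 6, "host": "SRV01", "time": t(0), "ImageLoaded": "C:\\Users\\Public\\acq.sys"},
    {"id": 11, "host": "SRV01", "time": t(3), "Image": "C:\\Users\\Public\\acq.exe",
     "TargetFilename": "C:\\Users\\Public\\SRV01.dmp"},
    # Dump written to the default location: ignored.
    {"id": 6, "host": "WS02", "time": t(5), "ImageLoaded": "C:\\Windows\\System32\\drivers\\net.sys"},
    {"id": 11, "host": "WS02", "time": t(6), "Image": "System",
     "TargetFilename": "C:\\Windows\\MEMORY.DMP"},
    # Dump in an odd path but no driver load in the window: not correlated here.
    {"id": 11, "host": "WS03", "time": t(40), "Image": "C:\\Tools\\app.exe",
     "TargetFilename": "C:\\Temp\\app.dmp"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The file-create half only fires if the Sysmon configuration actually logs `.dmp` creation, so that rule has to be present for the correlation to see anything.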
One last thing I like about Forensike is that it operates on a sort of hybrid basis. As Forensike relies on the mimilib.dll extension of mimikatz to extract NT hashes from the crash dump LSASS process, it cannot be written on the target disk, therefore it needs to remain on the attacker machine. On the other hand, retrieving the final crash dump files is too complicated due to the size of the file, so it needs to remain on the target machine.
In the end, Forensike invokes WinDBG with admin rights over the compromised system, which allows loading the crash dump remotely over SMB by specifying a UNC path. The debugging process is 100% done remotely (the debugged file is still on the target’s disk) while the debugging extension remains on the local attacker machine. The resulting NT hashes are then written to a txt file on the attacker machine.
However, Forensike remains a very situational tool. As it creates crash dumps and plays with full RAM dumps, please consider risks of crashing/drastically slowing down the target machine you try to retrieve lsass memory from. Please do not forget you basically dump the full haystack in order to retrieve a single needle. It can appear as overkill, but it remains free of the EDR obstacle.
For simplicity, I wanted to make it a SharpHound-like tool, as you need to launch the script from a domain user session that has admin rights over the target machine. Once you get your hands on the appropriate account credentials, you can run runas /netonly /user:DOMAIN\USERNAME powershell.exe to start a PowerShell session from which you will launch Forensike. Or use mimikatz.exe to (Over)Pass-the-hash first and then launch Forensike.
The whole project is written in PowerShell and requires some prerequisites:
- WinDBG installed on local machine
- DumpIt executable
- mimilib.dll file