Link to an article that goes into great technical detail about the concept I stumbled across in my experiment: https://www.orangecyberdefense.com/global/blog/cybersecurity/bypassing-edr-to-dump-lsa-secrets
This article is written to record the first time I found something new by myself through diving deeper, trying harder and synthesizing ideas. This led me to stumble across the newest research, and it has been extremely motivating for me.
For those who know me, it’s no secret that I love digging into the fundamentals and avoid black-box ideas as much as possible. As a kinesthetic learner (I learn best through tinkering), I thrive on understanding the underlying mechanics and processes in detail. And when it comes to cybersecurity, my curiosity often leads me down many rabbit holes.
This particular journey began with my grudge against the Windows OS. Since I found myself less comfortable pwning Windows systems in the OSCP exam, I decided to set aside some time before 2025 to solidify my fundamentals and dive into each attack I learnt in as much detail as possible. I also took this opportunity to learn what the Blue Team does to mitigate them.
LSA secret dumping has a special place in my heart: my first contact with it in some attack boxes/CTFs, be it through reg save or dumping with Mimikatz, made me feel powerful, as it is the crown jewel of many local systems. As a challenge to myself, I decided to work on my understanding of the entire process and identify what specifically may trigger an alert.
To test this, I set up a test environment with an EDR installed. I created a scenario in which an attacker was assumed to have obtained a Local Administrator account. The objective was simple: if alerts were triggered, form my own theory on why, and hopefully, as a bonus, find a way to extract these files without triggering any alert.
Without a doubt, the LSA secret dumping techniques I learnt from OSCP all triggered an alert. It is only logical for security solutions to have answers to these techniques, as those tools and certain commands are widely known in the community.
Recalling another concept I learnt, living-off-the-land attacks often give security solutions the biggest headache to detect. Following this idea, I decided to break down the steps and started looking for alternative ways to manually interact with the SAM, SYSTEM and SECURITY files.
I decided to try the GUI version of reg.exe, and it provided functionality I previously didn’t know about that seemed very promising. I realised that when using the export function, if I did not export in hive file format (which can trigger alerts) and exported to .reg files instead, the EDR was not triggered!
At this point, I verified that .reg files contain the information required for dumping, as they can be used to import registry information. There were also scripts to convert .reg files back into hive files! I couldn’t help but feel like I’d discovered something new. I stopped here and started looking on the web to see if anyone had documented this strange interaction.
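Because a .reg export is plain text, a responder can check offline whether one found on a host actually carries SAM, SECURITY or SYSTEM content. The Python script below is an added example (not code from this post or from the linked article): it parses a constructed sample in the standard "Windows Registry Editor Version 5.00" layout (UTF-16LE with BOM, bracketed key paths, hex values continued with a trailing backslash) and reports which keys fall under those hives. The sensitive-prefix list and all sample bytes are my own assumptions, not real secrets.

```python
import re

# Hive roots the post calls the crown jewels; this prefix list is my assumption.
SENSITIVE_PREFIXES = (r"HKEY_LOCAL_MACHINE\SAM", r"HKEY_LOCAL_MACHINE\SECURITY",
                      r"HKEY_LOCAL_MACHINE\SYSTEM")

SAMPLE_TEXT = (  # constructed sample in regedit's export layout; made-up bytes, not real secrets
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\000001F4]\r\n"
    '"F"=hex:02,00,01,00,00,00,00,00,\\\r\n  ff,ff,ff,ff,ff,ff,ff,7f\r\n'
    '"V"=hex:00,00,00,00,bc,00,00,00\r\n\r\n'
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleApp]\r\n"
    '@="default"\r\n"Path"="C:\\\\Program Files\\\\ExampleApp"\r\n'
)
SAMPLE_BYTES = b"\xff\xfe" + SAMPLE_TEXT.encode("utf-16-le")  # regedit writes UTF-16LE + BOM

def decode_reg(data: bytes) -> str:
    # Exports carry a UTF-16 BOM, which decode("utf-16") honours and strips; hand-written files may be ANSI.
    return data.decode("utf-16") if data.startswith((b"\xff\xfe", b"\xfe\xff")) else data.decode("latin-1")

def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: raw_value}}, joining backslash-continued hex lines."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current, keys[current] = line[1:-1], {}  # a leading '-' would mark a key deletion
            continue
        while line.endswith("\\") and i < len(lines):  # hex(...) data wraps with a trailing '\'
            line = line[:-1] + lines[i].strip()
            i += 1
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = m.group(2)
    return keys

def triage(data: bytes) -> dict:
    """Report which sensitive hives an export touches and how many binary values it carries."""
    keys = parse_reg(decode_reg(data))
    hits = {}
    for path in keys:
        for prefix in SENSITIVE_PREFIXES:
            if (path.upper() + "\\").startswith(prefix.upper() + "\\"):
                hits.setdefault(prefix, []).append(path)
    binary = sum(v.startswith("hex") for vals in keys.values() for v in vals.values())
    return {"keys": len(keys), "binary_values": binary, "sensitive": hits}
```

Run `triage(SAMPLE_BYTES)` to see the summary; the same function works on bytes read from any exported .reg file.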
It was then that I stumbled across a very in-depth article by Aurélien Chalot, which had already reported on this 3 months earlier (article linked above)! The article even went the extra mile to actually extract the credentials from the files and debug an issue when dumping the keys through a very clever use of the print function. (Read the article for the exact details!)
I was humbled by the level of detail and clarity in the article. I particularly enjoyed the part where he deduces why the attack works and his insight into why it can be difficult for the blue team to monitor. As Aurélien mentioned in the article, since one “should have multiple tools that do a simple task” to avoid detection, very solid fundamentals and a deep understanding of processes are ever more important for red teamers helping enterprises find loopholes before malicious actors do.
All in all, it was a very magical moment to experience my idea being validated and aligning with a proven novel approach. This will be a fond memory when I look back at my cybersecurity journey down the road. And as I continue to explore new concepts and techniques, I’m excited to see where they will take me next – which, I must admit, feels highly addictive!