1 minute read

There is nothing more frustrating than an Antivirus blocking the execution of our tools and/or preventing certain actions to occur, like spawning a shell or blocking our attempts to dump the lsass process.

Modern protections such as EDR will surely block these types of attacks by hooking some API’s and/or monitoring software behavior based on user actions. There are some bypasses that an operator can try (E.g Hell’s Gate) but instead of coding a complex piece of software, it’s possible to try a simpler approach.

Here it’s shown a tool that I have been using when the LSASS Dump fails or gets blocked: Magnet RAM Capture (There is no need to install). LINK

Magnet RAM Capture is a forensic tool to dump volatile memory. It will dump ALL the memory to a file, afterwards it’s possible to grab the contents of this dump such as registry hives, passwords, processes, windows info and so on.

The tool will output a raw file, to analyse it, I have been using volatility3, version 2 also works, but there are some Windows builds that I could not make it work, so I stick with version 3.

MAGNETIC

To use it, just execute and click in START, this tool is not considered malicious because is a trusted tool used in legit forensic activities.

ANTISCAN

In this demonstration, I am using an Windows 10 fully updated with Kaspersky Endpoint Protection fully active and an industry EDR with all the modules activated.

Inspecting windows info

python3 vol.py -f /home/kali/Documents/memory_analysis.raw windows.info

windows_info

Grabbing the hashes with volatility

python3 vol.py -f /home/kali/Documents/memory_analysis.raw hashdump

hashdump

Volatility offers alot of options to analyse the dump:

  • Grab processes
  • Network Connections
  • Cache Dump (Domain Credentials)
  • Dump Processes

I recommend you to read the documentation and choose the options that fits your needs during the engagement.

The only drawback about this tool is the size of the raw, it will match the size of the RAM, so if you have a computer with 32GB of ram, the dump file will be 32 GB in size, it can be really difficult to download the file or put it somewhere to analyze, but it all depends on the case and situation.

Tags:

Categories:

Updated: