PowerMemory: extract credentials from Windows memory
Also in user-land
The method is totally new. It proves that it can be extremely easy to get credentials or any other information from Windows memory without needing to code in C-type languages. In addition, with this method we can modify the user land and kernel land behavior without being caught by antivirus or new defending techniques.
With that being said, this technique implies that the detection is made hard due to the fact that we can do pretty much what we want by sending and receiving bytes.
- it’s fully written in PowerShell
- it can work locally as well as remotely
- it can get the passwords of virtual machines without having any access to them (works for Hyper-V and VMware)
- it does not use the operating system .dll to locate credentials address in memory but a Microsoft Signed Debugger
- it does not use the operating system .dll to decipher passwords collected. PowerMemory maps the keys in the memory and cracks everything by itself (AES, TripleDES, DES-X)
- it breaks undocumented Microsoft DES-X
- it works even if you are on a different architecture than the target architecture
- it leaves no trace in memory
- a pull request is waiting to be integrated in PowerShell Empire (https://github.com/PowerShellEmpire/Empire/pull/298)
- it can manipulate memory to fool software and operating system
- it can write the memory to execute shellcode without making any API call, it only sends bytes to write at specific addresses