In today's video, I show a way to dump LSASS without dumping just the LSASS process. We are using DFIR tools to dump all of the memory, exfil the file created, and then dump the credentials of the box. This is a foolproof method and will get by almost every EDR solution. You will have to deal with a large file size, but in today's day and age, this isn't as big of a problem as it has been in the past.
WinPmem
github.com/Velocidex/WinPmem/...
Volatility
github.com/volatilityfoundati...
Chapters
00:00 Introduction
00:28 Credential Guard
02:05 WinPmem
04:18 Dumping Memory
05:31 SIEM Rules for Detection of Memory Dumping
07:52 Dumping Creds with Volatility
10:36 Please Turn on Credential Guard! Do IT Now!
10:57 Outro
Негізгі бет Ғылым және технология LSASS Dumping Using DFIR Tools
Пікірлер: 31