Windows credential dumping is a common attacker technique in which passwords, hashes, and Kerberos tickets are extracted from the memory of the Local Security Authority Subsystem Service (LSASS) process to facilitate lateral movement. Tools such as Mimikatz and ProcDump have let adversaries dump credentials with relative ease, which has made defending against this type of attack a critical component of securing a host. In response, Microsoft has raised the bar with countermeasures such as allowing LSASS to run as a protected process (RunAsPPL), which blocks the traditional technique of opening a handle to LSASS and reading its virtual memory. Not to be outdone, attackers are moving to Bring-Your-Own-Vulnerable-Driver (BYOVD) and physical memory dumping as a workaround: a kernel driver can read LSASS's pages directly from physical memory, bypassing the handle-based protections entirely. Microsoft is mitigating BYOVD attacks by blocking known-vulnerable drivers (on by default since Windows 11 22H2), but physical memory attacks remain a concerning gap in the endpoint attack surface.
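The following script is an added example, not code from the talk or from the Silhouette project. It audits the two Microsoft mitigations named above on the local host, LSASS protected-process mode and the vulnerable driver blocklist, and reports whether HVCI is running, since the blocklist's default depends on it. The function names are hypothetical; the registry paths, values, CIM class and Wininit event are Microsoft-documented locations. It assumes an elevated PowerShell session on Windows 10 or 11.

```powershell
# Added example (not part of the talk or of Silhouette). Assumes an elevated
# PowerShell session on Windows 10/11. Function names are hypothetical.

function Get-HvciState {
    # Win32_DeviceGuard.SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        HvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-LsaProtectionState {
    # RunAsPPL: absent/0 = not configured by policy; 1 = PPL, UEFI-locked;
    # 2 = PPL without UEFI lock (added in Windows 11 22H2).
    $lsa   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $value = if ($null -ne $lsa.RunAsPPL) { [int]$lsa.RunAsPPL } else { 0 }
    $note  = switch ($value) {
        0       { 'not configured; user-mode tools with SeDebugPrivilege can open LSASS' }
        1       { 'protected process light, UEFI-locked' }
        2       { 'protected process light, no UEFI lock' }
        default { 'unrecognised value' }
    }
    # Registry state is intent, not proof: Wininit logs System event 12
    # ("LSASS.exe was started as a protected process ...") at boot when it took effect.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } `
                        -MaxEvents 1 -ErrorAction SilentlyContinue
    $runningProtected = ($null -ne $evt) -and ($evt.Message -match 'protected process')
    [pscustomobject]@{
        Control = 'LSASS RunAsPPL'
        Value   = $value
        Enabled = ($value -ge 1)
        Note    = "$note; protected at last boot per Wininit event 12: $runningProtected"
    }
}

function Get-VulnerableDriverBlocklistState {
    # VulnerableDriverBlocklistEnable under CI\Config: 1 = on, 0 = off. When the
    # value is absent the OS default applies: on for Windows 11 22H2 (build 22621)
    # and later, and on any host where HVCI is running; otherwise off.
    $ci    = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $build = [System.Environment]::OSVersion.Version.Build
    $hvci  = (Get-HvciState).HvciRunning
    if ($null -ne $ci.VulnerableDriverBlocklistEnable) {
        $enabled = ([int]$ci.VulnerableDriverBlocklistEnable -eq 1)
        $note    = 'explicitly set in registry'
    } else {
        $enabled = ($build -ge 22621) -or $hvci
        $note    = "value absent; OS default assumed for build $build (HVCI running: $hvci)"
    }
    [pscustomobject]@{
        Control = 'Vulnerable driver blocklist'
        Value   = $ci.VulnerableDriverBlocklistEnable
        Enabled = $enabled
        Note    = $note
    }
}

function Invoke-CredentialDumpingMitigationAudit {
    $hv = Get-HvciState
    $results = @(Get-LsaProtectionState; Get-VulnerableDriverBlocklistState)
    $results += [pscustomobject]@{
        Control = 'HVCI (memory integrity)'
        Value   = $hv.HvciRunning
        Enabled = $hv.HvciRunning
        Note    = 'kernel code integrity; constrains which drivers can load at all'
    }
    $results | Format-Table -AutoSize -Wrap
    # Caveat: none of these controls address reads of physical memory, the gap the talk targets.
}

Invoke-CredentialDumpingMitigationAudit
```

Run it elevated and treat a row with `Enabled = False` as a host where handle-based or BYOVD dumping is still viable. Even with every row enabled, the audit only covers the mitigations the abstract names; it says nothing about a driver or DMA device reading LSASS's pages out of physical memory, which is exactly the gap Silhouette is meant to close.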
In this talk, we will discuss virtual vs. physical memory and how each relates to credential dumping attacks. We'll then describe Silhouette, a tool to mitigate physical memory credential dumping attacks, and demonstrate its effectiveness against two common physical memory credential dumping tools. This talk will be accompanied by the release of Silhouette's source code.