Hackers Steal Windows Secrets and Credentials Undetected by EDR Detection

A cybersecurity researcher has unveiled a sophisticated new method for extracting Windows credentials and secrets that successfully evades detection by most Endpoint Detection and Response (EDR) solutions currently deployed in enterprise environments.

The technique, dubbed “Silent Harvest,” leverages obscure Windows APIs to access sensitive registry data without triggering common security alerts.

The breakthrough represents a significant advancement in red team operations and highlights critical gaps in how security solutions monitor system activities.

Unlike traditional credential harvesting methods that are increasingly detected and blocked by modern defenses, this approach operates entirely in memory without creating telltale artifacts that EDR products typically monitor.

Credential Harvesting Detection Rises

Traditional Windows credential extraction techniques have become increasingly unreliable as security solutions have evolved.

Most existing methods rely on well-known approaches such as creating backup copies of sensitive registry hives, enabling remote registry access, or directly interacting with the heavily monitored Local Security Authority Subsystem Service (LSASS) process.

The Windows Local Security Authority manages credentials through two critical components, stored and protected as follows:

  • SAM Database: Stores Windows users, groups, and local credentials in encrypted format.
  • Security Policy Database: Contains cached domain credentials, machine keys, and LSA secrets.
  • Registry Storage: Both databases correspond to protected SAM and SECURITY registry hives on disk.
  • Access Requirements: Standard access typically requires SYSTEM-level privileges for direct registry interaction.

However, accessing these protected registry hives typically requires SYSTEM-level privileges and generates significant forensic evidence.

Current methods often involve creating backup copies of registry hives on disk or enabling remote registry services, both of which leave clear indicators of compromise that modern security tools readily detect.

Modern EDR solutions employ sophisticated detection mechanisms centered around kernel-mode callback routines that monitor critical system events.

These security products register callbacks with the Windows kernel using functions like CmRegisterCallbackEx to receive notifications whenever registry operations occur.

When registry access attempts are made, the kernel provides EDR drivers with detailed context information, including the specific operation type and the full path of the targeted registry key or value.

This allows security solutions to identify suspicious activity targeting sensitive locations such as HKLM\SAM and HKLM\SECURITY.

To maintain system performance, EDR products selectively monitor only the most security-relevant registry operations rather than tracking every system event.

This focused approach enables them to detect credential harvesting attempts while minimizing performance impact on normal system operations.

Silent Harvest via Windows APIs

The new Silent Harvest method circumvents both access control restrictions and EDR detection by combining two underutilized Windows APIs.

The technique uses NtOpenKeyEx with the REG_OPTION_BACKUP_RESTORE flag, which bypasses normal Access Control List (ACL) checks when the caller has enabled SeBackupPrivilege.

More critically, the method employs RegQueryMultipleValuesW to read registry values instead of commonly monitored APIs like RegQueryValueExW or NtQueryValueKey.

This rarely used function appears to have been overlooked by EDR vendors when developing their monitoring rules, allowing it to access sensitive data without triggering security alerts.

Testing across multiple EDR platforms confirmed that RegQueryMultipleValuesW calls against highly sensitive registry values generated zero security alerts.

The entire operation occurs in memory without creating registry hive backups or calling frequently monitored APIs, making detection extremely difficult with current security solutions.
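To make the detection gap concrete from the defender's side, the following added example (not code from the article or from the researcher) triages constructed registry-callback telemetry the way a CmRegisterCallbackEx-style rule set would: a rule set that only watches RegNtPreQueryValueKey misses the multiple-value read, while one that also covers RegNtPreQueryMultipleValueKey (the notification class reached through NtQueryMultipleValueKey, which RegQueryMultipleValuesW wraps) flags it. The event shape, field names and sample events are assumptions constructed for this example; the REG_NOTIFY_CLASS names and the REG_OPTION_BACKUP_RESTORE value are the real Windows definitions.

```python
"""Triage of registry-callback telemetry for SAM/SECURITY access (added example)."""
from dataclasses import dataclass

REG_OPTION_BACKUP_RESTORE = 0x00000004  # real wdm.h / winnt.h value
SENSITIVE_PREFIXES = ("\\REGISTRY\\MACHINE\\SAM", "\\REGISTRY\\MACHINE\\SECURITY")

# Classes a narrowly tuned rule set watches (the gap the article describes).
NARROW_READ_CLASSES = {"RegNtPreQueryValueKey"}
# Every pre-operation class that can hand value data back to user mode,
# including the multiple-value query RegQueryMultipleValuesW ends up issuing.
BROAD_READ_CLASSES = NARROW_READ_CLASSES | {
    "RegNtPreQueryMultipleValueKey", "RegNtPreEnumerateValueKey",
}

@dataclass(frozen=True)
class RegEvent:
    """Constructed, stripped-down view of one registry-callback notification."""
    pid: int
    notify_class: str   # REG_NOTIFY_CLASS name, e.g. "RegNtPreOpenKeyEx"
    key_path: str       # full kernel object path of the target key
    options: int = 0    # open/create options (REG_OPEN_KEY_INFORMATION.Options)

def is_sensitive(path: str) -> bool:
    """True for the SAM or SECURITY hive itself or any key beneath it."""
    p = path.upper()
    return any(p == s or p.startswith(s + "\\") for s in SENSITIVE_PREFIXES)

def triage(events, read_classes=BROAD_READ_CLASSES):
    """Return (pid, reason) for every event a callback should escalate."""
    hits = []
    for ev in events:
        if not is_sensitive(ev.key_path):
            continue
        if ev.notify_class in read_classes:
            hits.append((ev.pid, f"value read via {ev.notify_class}"))
        elif ev.notify_class == "RegNtPreOpenKeyEx" and ev.options & REG_OPTION_BACKUP_RESTORE:
            # SeBackupPrivilege-backed open that skips the ACL check on a protected hive
            hits.append((ev.pid, "open with REG_OPTION_BACKUP_RESTORE"))
    return hits

# Constructed sample: one benign read elsewhere, then the two steps the article
# describes (backup/restore open, multiple-value read) against the SECURITY hive.
SAMPLE = [
    RegEvent(4120, "RegNtPreQueryValueKey", "\\REGISTRY\\MACHINE\\SOFTWARE\\Contoso\\App"),
    RegEvent(7788, "RegNtPreOpenKeyEx", "\\REGISTRY\\MACHINE\\SECURITY\\Policy\\Secrets",
             REG_OPTION_BACKUP_RESTORE),
    RegEvent(7788, "RegNtPreQueryMultipleValueKey", "\\REGISTRY\\MACHINE\\SECURITY\\Policy\\Secrets"),
]

if __name__ == "__main__":
    print("narrow rules:", triage(SAMPLE, NARROW_READ_CLASSES))
    print("broad rules: ", triage(SAMPLE))
```

Running it shows the narrow rule set reporting only the privileged open, while the broad set also surfaces the multiple-value read that the article says went unalerted.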

This research underscores the ongoing cat-and-mouse game between security researchers and defensive technologies, highlighting how overlooked system functionality can provide new avenues for bypassing established security controls.
