Hackers Can Exfiltrate Windows Secrets and Credentials Silently by Evading EDR Detection

Security researchers have described a method to silently exfiltrate Windows secrets and credentials that evades detection by most Endpoint Detection and Response (EDR) solutions.

This technique allows attackers who have gained an initial foothold on a Windows machine to harvest credentials for lateral movement across a network without triggering common security alerts.

How Windows Manages Secrets

The Local Security Authority (LSA), running within the lsass.exe process, is the core Windows component responsible for managing sensitive information. The LSA uses two in-memory databases that correspond to on-disk registry hives:

  • SAM database: Manages user, group, and alias objects and corresponds to the SAM registry hive. It stores user credentials, but there is no direct API to retrieve them in plaintext.
  • Security database: Manages policy, trusted-domain, account, and secret objects, corresponding to the SECURITY registry hive. This database holds LSA secrets, such as cached domain credentials and machine keys.

While these databases can be managed through RPC interfaces (MS-SAMR and MS-LSAD), they do not offer a simple way to decrypt stored secrets. To access the credentials and secrets, direct interaction with the SAM and SECURITY registry hives is necessary.

These hives are protected by Discretionary Access Control Lists (DACLs) that restrict access to accounts with SYSTEM privileges. The sensitive data within them, such as user credentials and machine keys, is encrypted.

Decrypting this information requires additional values from the SYSTEM hive to reconstruct the decryption key.

Attackers commonly use various local and remote techniques to harvest credentials, but modern security tools detect most well-known methods.

Interacting with the lsass.exe process memory, for example, is a high-risk activity that is heavily monitored by EDRs and Windows Defender, often resulting in immediate alerts.

EDR solutions primarily rely on kernel-mode callback routines to monitor system activity. By using functions like CmRegisterCallbackEx, an EDR’s driver can register to be notified by the Windows kernel of specific events, such as registry access.

When a process attempts to read a sensitive key, like HKLM\SAM or HKLM\SECURITY, the kernel notifies the EDR, which can then block the operation or raise an alert. To manage performance, EDRs typically monitor a select list of high-risk API calls and registry paths, rather than every single system operation.

A New Method for Silent Exfiltration

According to researcher Sud0Ru, who uncovered this technique, a new, two-pronged approach allows attackers to bypass these defenses by leveraging lesser-known Windows internals.

This method avoids creating on-disk backups of registry hives and does not require SYSTEM-level privileges, operating within the context of a local administrator.

Figure: secret data exfiltration (Source: Sud0Ru)
  1. Bypassing Access Controls with NtOpenKeyEx: The first step involves using the undocumented native API NtOpenKeyEx. By calling this function with the REG_OPTION_BACKUP_RESTORE flag and enabling the SeBackupPrivilege (available to administrators), an attacker can bypass the standard ACL checks on protected registry keys. This provides direct read access to the SAM and SECURITY hives without needing to be the SYSTEM user.
  2. Evading Detection with RegQueryMultipleValuesW: Once access is gained, the next challenge is to read the data without triggering EDR alerts. Most EDRs monitor common API calls used for reading registry values, such as RegQueryValueExW. This new technique instead uses RegQueryMultipleValuesW, an API that retrieves data for a list of value names associated with a registry key. Because this function is used less frequently, many EDR vendors have not included it in their monitoring rules. By using this API to read a single value at a time, attackers can extract the encrypted secrets from the SAM and SECURITY hives without being detected.

This combined strategy allows the entire operation to occur in memory, leaving no on-disk artifacts and avoiding API calls that would typically flag malicious activity.
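The detection gap the two steps above exploit is a filtering decision inside the EDR's registry callback, so the defensive fix is also a filtering decision. The model below is an added example written for this article, not Sud0Ru's code or any vendor's filter: it replays a constructed stream of registry notifications (hypothetical records carrying the fields a CmRegisterCallbackEx handler sees: the REG_NOTIFY_CLASS name, the target key path, the open options and the caller's enabled privileges) through a "weak" filter that only watches the common read path and a "hardened" filter that also covers RegNtPreQueryMultipleValueKey and opens of SAM/SECURITY with REG_OPTION_BACKUP_RESTORE. The notification class names and the REG_OPTION_BACKUP_RESTORE value are the documented ones; the sample events and process IDs are constructed.

```python
"""Model of an EDR registry-callback filter and the gap left by watching only RegNtPreQueryValueKey.

Constructed example for this article; not the researcher's tool or any vendor's driver.
Event records are hypothetical and mirror the fields a CmRegisterCallbackEx handler receives.
"""
from dataclasses import dataclass

# Kernel object-manager paths behind HKLM\SAM and HKLM\SECURITY
SENSITIVE_KEYS = ("\\REGISTRY\\MACHINE\\SAM", "\\REGISTRY\\MACHINE\\SECURITY")
REG_OPTION_BACKUP_RESTORE = 0x00000004  # documented open option used with SeBackupPrivilege


@dataclass
class RegEvent:
    notify_class: str          # REG_NOTIFY_CLASS name, e.g. "RegNtPreQueryValueKey"
    key_path: str              # full object-manager path of the target key
    pid: int                   # calling process (constructed value)
    open_options: int = 0      # only meaningful for open/create notifications
    privileges: tuple = ()     # privileges enabled in the caller's token


def is_sensitive(path: str) -> bool:
    """True for the SAM/SECURITY hive roots and anything beneath them (not e.g. ...\\SAMPLE)."""
    p = path.upper()
    return any(p == k or p.startswith(k + "\\") for k in SENSITIVE_KEYS)


# Weak configuration: only the read API most tools use (RegQueryValueExW -> NtQueryValueKey)
WEAK_CLASSES = {"RegNtPreQueryValueKey"}

# Hardened configuration: every read path into a key, plus the open that grants the handle
HARDENED_CLASSES = {
    "RegNtPreQueryValueKey",
    "RegNtPreQueryMultipleValueKey",   # RegQueryMultipleValuesW -> NtQueryMultipleValueKey
    "RegNtPreEnumerateValueKey",
    "RegNtPreQueryKey",
    "RegNtPreOpenKeyEx",               # NtOpenKeyEx; carries the REG_OPTION_BACKUP_RESTORE option
    "RegNtPreCreateKeyEx",
}


def evaluate(events, monitored):
    """Return (pid, reason) alerts for sensitive-key events whose class is in the monitored set."""
    alerts = []
    for ev in events:
        if not is_sensitive(ev.key_path) or ev.notify_class not in monitored:
            continue
        reason = ev.notify_class
        if ev.notify_class in ("RegNtPreOpenKeyEx", "RegNtPreCreateKeyEx") \
                and ev.open_options & REG_OPTION_BACKUP_RESTORE:
            # Backup semantics bypass the DACL: worth calling out explicitly, not just the open.
            reason += "+REG_OPTION_BACKUP_RESTORE"
            if "SeBackupPrivilege" in ev.privileges:
                reason += "+SeBackupPrivilege"
        alerts.append((ev.pid, reason))
    return alerts


def suspicious_pids(alerts):
    """PIDs that both opened a sensitive key with backup semantics and then read values from it."""
    opened, read = set(), set()
    for pid, reason in alerts:
        if "REG_OPTION_BACKUP_RESTORE" in reason:
            opened.add(pid)
        elif reason.startswith("RegNtPreQuery") or reason.startswith("RegNtPreEnumerate"):
            read.add(pid)
    return opened & read


# Constructed notification stream: the sequence the article describes (pid 4242),
# a benign read of a non-sensitive key (pid 1337) and a conventional read tool (pid 5151).
SAMPLE_EVENTS = [
    RegEvent("RegNtPreOpenKeyEx", "\\REGISTRY\\MACHINE\\SAM", 4242,
             REG_OPTION_BACKUP_RESTORE, ("SeBackupPrivilege",)),
    RegEvent("RegNtPreQueryMultipleValueKey", "\\REGISTRY\\MACHINE\\SAM\\SAM\\Domains\\Account", 4242),
    RegEvent("RegNtPreQueryValueKey", "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", 1337),
    RegEvent("RegNtPreQueryValueKey", "\\REGISTRY\\MACHINE\\SECURITY\\Policy\\Secrets", 5151),
]


def weak_alerts():
    return evaluate(SAMPLE_EVENTS, WEAK_CLASSES)


def hardened_alerts():
    return evaluate(SAMPLE_EVENTS, HARDENED_CLASSES)


if __name__ == "__main__":
    print("weak filter:    ", weak_alerts())       # pid 4242 is invisible here
    print("hardened filter:", hardened_alerts())   # pid 4242 appears twice
    print("correlated pids:", suspicious_pids(hardened_alerts()))
```

The weak filter reports only the conventional reader (pid 5151) and never sees the backup-semantics open or the multi-value read, which is exactly the blind spot the article describes. The hardened filter raises both events for pid 4242, and `suspicious_pids` shows why the open is worth logging on its own: a handle to SAM or SECURITY obtained with REG_OPTION_BACKUP_RESTORE by a non-SYSTEM process is a stronger signal than any single read API, because it does not depend on which query function the caller chooses afterwards.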

The result is a silent and effective method for harvesting credentials. While decrypting the exfiltrated data is a separate process, this collection technique demonstrates that even mature defensive systems can be circumvented by leveraging overlooked, legitimate functionalities within the operating system itself.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.