Silent Takeover: How Extracting SAM & SYSTEM Hives Evades Every Major EDR + Video

Listen to this Post

Featured Image

Introduction:

In modern red team engagements, direct interaction with the Local Security Authority Subsystem Service (LSASS) process is a high-risk operation guaranteed to trigger Endpoint Detection and Response (EDR) alerts. An advanced technique shifting the focus to offline extraction and decryption of the SAM, SYSTEM, and SECURITY registry hives presents a stealthier alternative for credential access. This method, as demonstrated in a recent penetration test, successfully bypassed core memory scanning defenses of leading EDR platforms including Microsoft Defender, SentinelOne, and Cortex XDR.

Learning Objectives:

  • Understand the technical rationale for targeting registry hives over the LSASS process for stealth.
  • Learn the step-by-step methodology for live extraction of critical hives under the nose of EDR.
  • Master offline techniques to decrypt extracted hashes and gain usable credentials.

You Should Know:

  1. The Anatomy of Windows Credential Stores: LSASS vs. Registry
    While LSASS contains valuable cached domain credentials and plaintext secrets, it is the most monitored process in Windows. The SAM hive stores local account NTLM password hashes, the SYSTEM hive holds the boot key necessary to decrypt them, and the SECURITY hive may contain cached domain logon information. By extracting these files from disk rather than memory, you avoid the common API hooks and suspicious process operations that EDRs flag.

Step-by-Step Guide: Live Hive Extraction on a Compromised Host
The goal is to copy these locked files using built-in Windows utilities that blend with administrative activity.

Using Native `reg` Utility:

reg save HKLM\SAM C:\Windows\Temp\sam.save
reg save HKLM\SYSTEM C:\Windows\Temp\system.save
reg save HKLM\SECURITY C:\Windows\Temp\security.save

Using Volume Shadow Copy Service (VSS): This is often less suspicious as it’s a standard backup mechanism.

vssadmin create shadow /for=C:
copy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Temp\sam.save
copy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Temp\system.save
copy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY C:\Temp\security.save
vssadmin delete shadows /for=C: /quiet

2. Exfiltration and EDR Evasion Tactics

EDRs may monitor network egress for known file types. Obfuscation is key.

Step-by-Step Guide:

Rename and Encode: Change file extensions and encode content.

certutil -encode sam.save sam.b64
rename sam.b64 report.txt

Use Common Protocols: Exfiltrate via HTTPS POST requests using PowerShell or staged over SMB/ICMP tunnels.
Living-off-the-Land: Use legitimate IT admin tools like `bitsadmin` or `curl.exe` (if available) for transfer.

3. Offline Hash Extraction and Decryption

With the hives in your controlled environment, you can safely extract credentials.

Step-by-Step Guide using Impacket on Linux:

Extract Hashes: Use `secretsdump.py` with the exported SYSTEM and SAM files.

python3 secretsdump.py -system system.save -sam sam.save LOCAL

Decrypt LAPS Passwords: If the Local Administrator Password Solution (LAPS) is deployed, the encrypted password is stored in the `ms-Mcs-AdmPwd` attribute of the computer object in Active Directory. However, the decryption key is in the SYSTEM hive of that specific host. The same `secretsdump` command will automatically decrypt LAPS passwords if provided with the `-security` hive as well.

python3 secretsdump.py -system system.save -security security.save -sam sam.save LOCAL

4. Bypassing Specific EDR Hook Points

The engagement required tailored evasion for each EDR. The core principle involves identifying and avoiding hooked Windows API calls used by these tools for hive access.

Step-by-Step Conceptual Guide:

Research: Use tools like `Get-ProcAddress` or `WinAPIOverride32` to analyze which RegSaveKey, RegSaveKeyEx, NtSaveKey, or file operations (CreateFile, ReadFile) APIs are hooked by the EDR DLLs.
Alternative Syscalls: Implement direct system calls (syscalls) to make the same requests via the kernel, bypassing user-land hooks. This requires custom shellcode or tools like SysWhispers3.
Abusing Trusted Processes: Inject your hive-save code into a signed, trusted process that is not heavily monitored, such as a `sqlservr.exe` or `msbuild.exe` instance.

5. From Hash to Access: Practical Exploitation

Extracted NTLM hashes are directly usable for various attacks.

Step-by-Step Guide:

Pass-the-Hash (PtH):

crackmapexec smb 192.168.1.0/24 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0

Cracking with Hashcat: If password reuse is suspected, crack the NTLM hash offline.

hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt

6. Defensive Countermeasures and Detection

Understanding the attack is the first step to building defense.

Step-by-Step Hardening Guide:

Enable Advanced Auditing: Audit registry access to `HKLM\SAM` and `HKLM\SECURITY` (Event ID 4657). Monitor for `reg.exe save` or `vssadmin` commands from non-admin users or unusual processes.
Deploy Credential Guard: On Windows 10/11 Enterprise, enable Credential Guard via Device Guard. This uses virtualization-based security to isolate LSASS and protect derived credentials, making hash extraction from the registry less valuable.
Application Control: Use Windows Defender Application Control or similar to restrict execution of tools like `reg.exe` and `vssadmin.exe` to specific, signed paths used by legitimate admin workflows.

What Undercode Say:

  • Stealth Over Breadth: This technique trades the richer credential yield of LSASS dumping for significantly higher operational security. It is ideal for prolonged engagements where avoiding detection is paramount.
  • The LAPS Caveat: As noted in the expert discussion, this method’s value can diminish if LAPS is implemented and local admin rights are restricted, as the local hashes may be unique and not reusable elsewhere. However, the SECURITY hive can still yield cached domain data, and the technique remains a formidable stealth tool.

The dialogue between offensive practitioners highlights a critical operational calculus: the choice between “potential stored (encrypted) credentials offline and stay off the radar” versus the more comprehensive but noisy LSASS dump. This hive extraction method capitalizes on a fundamental security gap—EDRs are overwhelmingly focused on runtime memory protection and behavioral anomalies, while offline file access and subsequent decryption on an attacker-controlled system falls outside their typical detection scope. Its success against a suite of top-tier EDRs proves that defense-in-depth must extend to monitoring and protecting critical registry files with the same rigor applied to LSASS.

Prediction:

This technique will catalyze a defensive shift, pushing EDR vendors to develop deeper heuristics around registry hive access patterns and Volume Shadow Copy creation for non-backup purposes. In response, red teams will further weaponize legitimate Microsoft signed binaries (Living-off-the-Land Binaries) or develop kernel-level drivers to silently pull hives. The arms race will increasingly move into the space of trusted, signed software and low-level disk operations, making application control and kernel-mode integrity monitoring the next critical battlegrounds for enterprise security.

▶️ Related Video (84% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Yesiamdollar Offensivesecurity – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky