Offline Memory Forensics With Volatility

Source: Black Hills Information Security, Inc. Author: BHIS URL: https://www.blackhillsinfosec.com/offline-memory-forensics-with-volatility/

1. ONE SENTENCE SUMMARY: Using memory forensics with Volatility on ESXi snapshots enables stealthy credential extraction and domain escalation during engagements.

2. MAIN POINTS:

3. Ben Bowman is a Security Analyst focused on research and tool development at Black Hills Information Security.

4. Attackers often aim to escalate quickly, but memory forensics offers options when typical paths are blocked.

5. Volatility can extract SAM hashes from a VM memory snapshot, aiding privilege escalation.

6. ESXi access allows attackers to take VM snapshots and analyze memory offline.

7. A cracked IPMI hash can lead to ESXi login and access to hosted virtual machines.

8. Instead of noisy probing, attackers can extract credentials from a Windows VM snapshot.

9. Snapshots must include memory to enable effective analysis with Volatility.

10. Volatility3 setup involves cloning the repository and installing dependencies in a Python virtual environment.

11. SAM hashes are extracted using the windows.hashdump.Hashdump plugin on the vmem file.

12. Extracted hashes can be used with netexec to obtain domain account credentials via LSA dumping.

13. TAKEAWAYS:

14. Memory forensics offers stealthy alternatives when traditional privilege escalation fails.

15. Volatility is a powerful tool for extracting sensitive credentials from VM memory.

16. ESXi environments can be exploited by leveraging VM snapshots for offline analysis.

17. Proper snapshot configuration is critical—ensure memory is included.

18. Defending against memory analysis is challenging, making it a valuable technique for red teamers.