Blindsight : Advanced Techniques In Red Teaming And LSASS Memory Exploitation

Blindsight is a red teaming tool designed to dump LSASS (Local Security Authority Subsystem Service) memory on Windows systems, bypassing basic countermeasures.

It utilizes the Transactional NTFS (TxF API) to transparently scramble the memory dump, which helps avoid triggering antivirus, endpoint detection and response (EDR), and extended detection and response (XDR) systems.

Functionality

1. LSASS Memory Dumping: Blindsight allows users to dump the LSASS process memory. This is crucial for extracting credentials, as LSASS stores sensitive information such as passwords and Kerberos tickets.
2. Memory Dump Scrambling: The tool uses the TxF API to scramble the memory dump. This technique is employed to evade detection by security software, which often looks for unencrypted or clear-text memory dumps.
3. Cross-Compilation: Blindsight can be cross-compiled on macOS for Windows targets using tools like mingw-w64 and rustup. This allows developers to build the tool on non-Windows platforms.
4. Usage: The tool is executed from an Administrator’s PowerShell window. Users can either dump LSASS memory directly or unscramble a previously dumped file.

• Dump LSASS Memory: Running .\blindsight.exe will dump the LSASS memory.
• Unscramble Memory Dump: Running .\blindsight.exe <file_to_unscramble.log> will unscramble a previously dumped file.

Blindsight has been tested on various Windows platforms, including Windows 10, Windows 11 (both x64 and ARM64), and Windows Server versions from 2016 to 2022.

The developers have outlined several future enhancements, including optimizing memory usage, encrypting strings locally, and implementing fileless exfiltration channels.

Blindsight is a powerful tool for red teaming exercises, providing a stealthy method to extract sensitive information from Windows systems.

Its ability to evade detection makes it a valuable asset for security testing and penetration testing scenarios. However, users should exercise caution and avoid testing it on production servers due to potential system instability risks.