Cyber security

Blindsight : Advanced Techniques In Red Teaming And LSASS Memory Exploitation

Blindsight is a red teaming tool designed to dump LSASS (Local Security Authority Subsystem Service) memory on Windows systems, bypassing basic countermeasures.

It utilizes the Transactional NTFS (TxF API) to transparently scramble the memory dump, which helps avoid triggering antivirus, endpoint detection and response (EDR), and extended detection and response (XDR) systems.

Functionality

  1. LSASS Memory Dumping: Blindsight allows users to dump the LSASS process memory. This is crucial for extracting credentials, as LSASS stores sensitive information such as passwords and Kerberos tickets.
  2. Memory Dump Scrambling: The tool uses the TxF API to scramble the memory dump. This technique is employed to evade detection by security software, which often looks for unencrypted or clear-text memory dumps.
  3. Cross-Compilation: Blindsight can be cross-compiled on macOS for Windows targets using tools like mingw-w64 and rustup. This allows developers to build the tool on non-Windows platforms.
  4. Usage: The tool is executed from an Administrator’s PowerShell window. Users can either dump LSASS memory directly or unscramble a previously dumped file.
  • Dump LSASS Memory: Running .\blindsight.exe will dump the LSASS memory.
  • Unscramble Memory Dump: Running .\blindsight.exe <file_to_unscramble.log> will unscramble a previously dumped file.

Blindsight has been tested on various Windows platforms, including Windows 10, Windows 11 (both x64 and ARM64), and Windows Server versions from 2016 to 2022.

The developers have outlined several future enhancements, including optimizing memory usage, encrypting strings locally, and implementing fileless exfiltration channels.

Blindsight is a powerful tool for red teaming exercises, providing a stealthy method to extract sensitive information from Windows systems.

Its ability to evade detection makes it a valuable asset for security testing and penetration testing scenarios. However, users should exercise caution and avoid testing it on production servers due to potential system instability risks.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

cp Command: Copy Files and Directories in Linux

The cp command, short for "copy," is the main Linux utility for duplicating files and directories. Whether…

1 week ago

Image OSINT

Introduction In digital investigations, images often hold more information than meets the eye. With the…

1 week ago

cat Command: Read and Combine File Contents in Linux

The cat command short for concatenate, It is a fast and versatile tool for viewing and merging…

1 week ago

Port In Networking

What is a Port? A port in networking acts like a gateway that directs data…

1 week ago

ls Command: List Directory Contents in Linux

The ls command is fundamental for anyone working with Linux. It’s used to display the files and…

2 weeks ago

pwd Command: Find Your Location in Linux

The pwd (Print Working Directory) command is essential for navigating the Linux filesystem. It instantly shows your…

2 weeks ago