Files with Sensitive Data

17.9.1 - History Logs

Any command typed into PowerShell may be saved in the history, so credentials passed on the command line can persist on disk.
Get the history held in memory for the current session

Get-History

Get file where the history is saved

(Get-PSReadlineOption).HistorySavePath

Default location (Windows)

%UserProfile%\AppData\Roaming\Microsoft\Windows\PowerShell\PsReadLine\ConsoleHost_History.txt

Default location (Linux)

$HOME/.local/share/powershell/PSReadLine/ConsoleHost_history.txt

Check environment variables for sensitive data (in case WinPEAS did not catch anything)

dir env:

The transcript feature keeps a record of executed commands and their output. If not properly handled, the transcript file can hold sensitive data and represents a security risk. Start the transcript and save it to a file:

Start-Transcript -Path "C:\Users\Quickenu\Desktop\Log.txt"

Stop the transcript

Stop-Transcript
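The following PowerShell script is an added example, not part of the original notes, that turns the checks above into a reviewable audit: it scans the PSReadLine history file (located through the same `(Get-PSReadlineOption).HistorySavePath` call), any transcript file you pass in, and the current environment variables for credential-looking content, and shows the PSReadLine option that stops history being written to disk. The regex list and the keyword list are illustrative assumptions, not an exhaustive set.

```powershell
# Added example (not from the original notes): audit PSReadLine history, transcripts and
# environment variables for credential-looking content. Assumes PSReadLine is loaded.
# The patterns below are illustrative and should be extended for your environment.

$SensitivePatterns = @(
    'ConvertTo-SecureString.*-AsPlainText',          # plaintext secret turned into a SecureString
    '-Password\s+\S+',                                # -Password followed by a literal value
    'net\s+user\s+\S+\s+\S+',                         # net user <name> <password>
    '(api[_-]?key|token|secret)\s*[=:]\s*\S+',        # key=value style secrets
    'PSCredential|runas'                              # credential objects / alternate-user runs
)

function Find-SensitiveLines {
    param(
        [Parameter(Mandatory)][string]$Path,          # history file or transcript file
        [string[]]$Patterns = $SensitivePatterns
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not found: $Path"
        return
    }
    $lineNumber = 0
    foreach ($line in Get-Content -LiteralPath $Path) {
        $lineNumber++
        foreach ($pattern in $Patterns) {
            if ($line -match $pattern) {              # -match is case-insensitive by default
                # Report only the first token of the line so the audit output does not
                # itself become a new copy of the secret.
                [pscustomobject]@{
                    File    = $Path
                    Line    = $lineNumber
                    Pattern = $pattern
                    Preview = (($line.Trim() -split '\s+')[0] + ' ...')
                }
                break
            }
        }
    }
}

function Find-SensitiveEnvironment {
    param([string[]]$KeyWords = @('PASS', 'PWD', 'SECRET', 'TOKEN', 'KEY'))
    Get-ChildItem Env: | Where-Object {
        $name = $_.Name.ToUpper()
        $KeyWords | Where-Object { $name.Contains($_) }
    } | Select-Object Name, @{ Name = 'Value'; Expression = { '*' * [Math]::Min($_.Value.Length, 8) } }
}

# Usage: same history location the notes reference, plus an (assumed) transcript path.
$historyPath = (Get-PSReadLineOption).HistorySavePath
Find-SensitiveLines -Path $historyPath | Format-Table -AutoSize
Find-SensitiveLines -Path "$env:USERPROFILE\Desktop\Log.txt" | Format-Table -AutoSize
Find-SensitiveEnvironment | Format-Table -AutoSize

# Mitigation: stop PSReadLine from persisting history for this session (put it in $PROFILE
# to make it permanent) and remove the existing file once it has been reviewed.
# Set-PSReadLineOption -HistorySaveStyle SaveNothing
# Remove-Item -LiteralPath $historyPath -Force
```

The masked `Value` column deliberately shows only the length of the variable's contents (capped at eight characters), which is enough to confirm that something is set without copying the secret into your audit log.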

17.9.2 - Security Accounts Manager (SAM + SYSTEM)

The SAM (Security Accounts Manager) file is a critical component of Windows, that stores user account credentials for local accounts.

The SAM file contains various things, such as:

  • Usernames and password hashes
  • Account information
  • Security Identifiers (SIDs)
  • Group Memberships

By default, the SAM file cannot be read directly because the OS keeps it locked (the LSASS process still reads it while the system runs). Sometimes, however, it is possible to find backup copies of it.

C:\Windows\System32\config

17.9.3 - Security Accounts Manager (SAM + SYSTEM) - Mimikatz to dump LSASS Hashes

We can use Mimikatz to dump the hashes saved within the Local Security Authority Subsystem Service (LSASS). This will dump NTLM hashes.

mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"
. .\mimikatz.ps1
mimikatz.ps1 "privilege::debug" "token::elevate" "lsadump::sam" "exit"

17.9.4 - Security Accounts Manager (SAM + SYSTEM) - SAM Dump with SeBackupPrivilege

https://hacktricks.boitatech.com.br/windows/windows-local-privilege-escalation/privilege-escalation-abusing-tokens#setakeownershipprivilege-3.1.8
With SeBackupPrivilege it is possible to create copies of the SAM and SYSTEM files. SeBackupPrivilege is a system privilege that allows users or services to back up files. Because some files are locked for various reasons, the privilege lets its holder bypass normal file security restrictions. It is granted to backup operators, system administrators and trusted backup software.

Since the privilege allows security restrictions to be bypassed, it introduces a security risk that must be considered. It should therefore be restricted to those who strictly need it. To grant the privilege to a user, add the user to Backup Operators, a group designed specifically for users who need SeBackupPrivilege.

Add-LocalGroupMember -Group "Backup Operators" -Member "Oscar"

Once we have this privilege, it is possible to copy the SAM and SYSTEM hives:

reg save hklm\sam C:\Users\emily.oscars.CICADA\Desktop\SAM.hive
reg save hklm\system C:\Users\emily.oscars.CICADA\Desktop\SYSTEM.hive
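Because group membership is the usual way this privilege is handed out, the defensive counterpart to the steps above is to know who holds it. The script below is an added example, not part of the original notes: it lists the local Backup Operators members and parses `whoami /priv` to report whether the current token holds SeBackupPrivilege (and, as a generalisation, any other named privilege). It assumes a standalone or member machine with the `Microsoft.PowerShell.LocalAccounts` cmdlets available and an English `whoami` output; on a domain controller the group is domain-scoped and `Get-ADGroupMember` would be used instead.

```powershell
# Added example (not from the original notes): report who can copy SAM/SYSTEM through
# SeBackupPrivilege on this host. Assumes a non-DC Windows machine and English whoami output.

function Get-BackupOperatorsMembers {
    try {
        Get-LocalGroupMember -Group 'Backup Operators' -ErrorAction Stop |
            Select-Object Name, ObjectClass, PrincipalSource
    } catch {
        Write-Warning "Could not enumerate Backup Operators: $($_.Exception.Message)"
    }
}

function Test-CurrentTokenPrivilege {
    param([string]$PrivilegeName = 'SeBackupPrivilege')
    # whoami /priv prints one line per privilege held by the token:
    # <name> <description> <Enabled|Disabled>. A Disabled privilege is still a finding,
    # because the holder can enable it at any time; only absence from the list is clean.
    $line = whoami /priv | Where-Object { $_ -match "^\s*$PrivilegeName\s" }
    if (-not $line) {
        return [pscustomobject]@{ Privilege = $PrivilegeName; Held = $false; State = $null }
    }
    $state = if ("$line" -match '\bEnabled\s*$') { 'Enabled' } else { 'Disabled' }
    [pscustomobject]@{ Privilege = $PrivilegeName; Held = $true; State = $state }
}

Write-Host 'Members of Backup Operators (each can copy SAM and SYSTEM with reg save):'
Get-BackupOperatorsMembers | Format-Table -AutoSize

Write-Host 'Privileges on the current token:'
'SeBackupPrivilege', 'SeRestorePrivilege' | ForEach-Object { Test-CurrentTokenPrivilege -PrivilegeName $_ } |
    Format-Table -AutoSize

# Remediation for an account that does not need the privilege (mirrors the Add-LocalGroupMember
# line in the notes; "Oscar" is the same placeholder user):
# Remove-LocalGroupMember -Group 'Backup Operators' -Member 'Oscar'
```

Run it both as the account under review and as an administrator: the group listing needs elevation on some builds, while the token check is only meaningful for the identity whose exposure you are assessing.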

17.9.5 - Registry Hives

The Windows registry is a hierarchical database organised as a tree, and its top-level subtrees are backed by registry hives.

Each hive is made up of multiple keys and values, and the hives are stored as files on the system. These data sources are very useful for threat intelligence, as they can hold Indicators of Compromise (IOCs) for specific malware.

HKEY_CLASSES_ROOT (HKCR)

C:\Windows\System32\Config\Software

HKEY_LOCAL_MACHINE (HKLM)

C:\Windows\System32\Config\SYSTEM

HKEY_USERS (HKU)

C:\Windows\System32\Config\DEFAULT

HKEY_CURRENT_USER (HKCU)

C:\Windows\<username>\Config\NTUSER.DAT

HKEY_CURRENT_CONFIG (HKCC)

C:\Windows\System32\Config\SystemProfile

To explore the contents of a hive offline, there is the regipy Python package:

python3 -m venv env
source env/bin/activate
pip install regipy

17.9.6 - Configuration Files

Certain locations are often used by applications to store configuration files.

%AppData%
%LocalAppData%

17.9.7 - Paging File

If paging is enabled, the system creates a pagefile.sys file. Paging is used when RAM is full: a portion of memory is written to this file so it can be read back later. This means sensitive data held in memory can end up saved on disk.

C:\pagefile.sys

17.9.8 - Hibernation File

When the hibernation feature is enabled, Windows will store the content of the system's RAM in the file hiberfil.sys when the computer is put into hibernation.

C:\hiberfil.sys
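Both files in 17.9.7 and 17.9.8 are snapshots of RAM, so the practical defensive question is whether they exist and whether the settings that limit what they retain are on. The script below is an added example, not part of the original notes. It reads two standard registry values, `ClearPageFileAtShutdown` (under the Memory Management key) and `HibernateEnabled` (under the Power key), and checks the two files at the root of the system drive; the interpretation of "mitigated" (pagefile zeroed at shutdown, hibernation disabled) is the assumption built into the report.

```powershell
# Added example (not from the original notes): report whether pagefile.sys / hiberfil.sys exist
# and whether the settings that limit their retained contents are enabled. Assumes Windows;
# run elevated so the hidden system files can be inspected reliably.

function Get-MemoryFileExposure {
    $memMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $power   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'

    # 1 = the pagefile is zeroed at shutdown, so stale RAM contents do not survive a reboot.
    $clearPagefile = (Get-ItemProperty -Path $memMgmt -Name ClearPageFileAtShutdown `
                        -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
    # 1 = hibernation is available, so hiberfil.sys receives a full RAM image when used.
    $hibernate = (Get-ItemProperty -Path $power -Name HibernateEnabled `
                    -ErrorAction SilentlyContinue).HibernateEnabled

    # Which setting counts as a mitigation for each file.
    $mitigated = @{
        'pagefile.sys' = ($clearPagefile -eq 1)
        'hiberfil.sys' = ($hibernate -eq 0)
    }

    foreach ($file in 'pagefile.sys', 'hiberfil.sys') {
        $path = Join-Path $env:SystemDrive $file
        # Both files are hidden system files, so Get-Item needs -Force to see them.
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        $sizeGB = if ($item) { [math]::Round($item.Length / 1GB, 2) } else { 0 }
        [pscustomobject]@{
            File      = $path
            Exists    = [bool]$item
            SizeGB    = $sizeGB
            Mitigated = $mitigated[$file]
        }
    }
}

Get-MemoryFileExposure | Format-Table -AutoSize

# Remediation (elevated): zero the pagefile at shutdown and turn hibernation off where it is
# not needed. Both are standard settings; the second removes hiberfil.sys entirely.
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' `
#     -Name ClearPageFileAtShutdown -Value 1
# powercfg /hibernate off
```

A row with `Exists = True` and `Mitigated = False` is the case the notes warn about: a multi-gigabyte file of former RAM contents that is readable by anyone who can get at the raw disk or a backup of it.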