
Adding regsecrets and dpapidump #1898

Merged (1 commit), Mar 14, 2025

Conversation

@laxaa (Contributor) commented Feb 19, 2025

Hello there, this PR includes two different scripts.

regsecrets.py:

This script is a modification of secretsdump.py that uses a different technique to extract registry secrets (the logic regarding DCSync operations has been removed). It does not write files to disk and does not perform reg save-like operations. This allows recovering the SAM database and the LSA secrets while being less prone to detection by security products.
All required keys are accessed using registry queries. To access keys within the SAM and SECURITY hives, the dwOption of BaseRegOpenKey allows passing the REG_OPTION_BACKUP_RESTORE value to disable any ACL checks performed, thus allowing access to these registry keys, which are normally restricted to the SYSTEM user.
One may wonder why not integrate these changes into the original secretsdump.py. From my point of view, the original script already integrates a high number of cases and I was afraid of making its logic even more bloated than it currently is, making testing of every case very complicated and increasing the risk of bugs. However, if the maintaining team thinks it's better to integrate this new extraction logic into the original script, I could give it a go.

dpapidump.py:

Now in #1917
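The PR description above explains the mechanism: a remote BaseRegOpenKey with REG_OPTION_BACKUP_RESTORE in dwOptions bypasses the ACLs on the SAM and SECURITY hives. The following is an added example from the defender's side, not code from this PR or from impacket: a small triage routine that scores parsed remote-registry open calls by whether that option bit is requested on a SYSTEM-only hive. The REG_OPTION_BACKUP_RESTORE and REG_OPTION_OPEN_LINK values are the real winreg.h constants; the event records are constructed, their field names are assumptions, and the existence of telemetry that exposes dwOptions per call (for example an RPC-level filter) is assumed rather than provided by any standard Windows log.

```python
# Added defender-side example (not from the PR or impacket): score remote
# registry key opens by whether they request REG_OPTION_BACKUP_RESTORE on a
# hive whose ACLs normally restrict reads to SYSTEM.

REG_OPTION_BACKUP_RESTORE = 0x00000004  # real winreg.h / MS-RRP value
REG_OPTION_OPEN_LINK = 0x00000008       # real value, included so the bit test is explicit

# Sub-keys of HKLM that the PR description names as SYSTEM-only.
PROTECTED_HIVES = ("SAM", "SECURITY")


def normalize_subkey(subkey):
    """Collapse separator and case differences so prefix matching is reliable."""
    return subkey.replace("/", "\\").strip("\\").upper()


def hive_of(subkey):
    """Return the top-level hive name of an HKLM sub-key path."""
    return normalize_subkey(subkey).split("\\", 1)[0]


def is_protected_hive(subkey):
    return hive_of(subkey) in PROTECTED_HIVES


def severity(event):
    """Classify one parsed BaseRegOpenKey call (field names are assumptions).

    "high"   : backup/restore option requested on SAM or SECURITY
    "medium" : backup/restore option requested on another HKLM key
               (still unusual for interactive tooling; the option is tied
               to SeBackupPrivilege)
    None     : ordinary open, nothing to report
    """
    if event.get("root") != "HKLM":
        return None
    if not (event.get("dwOptions", 0) & REG_OPTION_BACKUP_RESTORE):
        return None
    return "high" if is_protected_hive(event["subkey"]) else "medium"


def find_suspicious(events):
    """Return (severity, event) pairs worth a look, highest severity first."""
    rank = {"high": 0, "medium": 1}
    hits = []
    for ev in events:
        sev = severity(ev)
        if sev is not None:
            hits.append((sev, ev))
    return sorted(hits, key=lambda pair: rank[pair[0]])


# Constructed sample telemetry (hypothetical): four remote key opens from one client.
SAMPLE_EVENTS = [
    {"client": "10.0.0.5", "user": "CORP\\admin", "root": "HKLM",
     "subkey": "SAM\\SAM\\Domains\\Account\\Users", "dwOptions": REG_OPTION_BACKUP_RESTORE},
    {"client": "10.0.0.5", "user": "CORP\\admin", "root": "HKLM",
     "subkey": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "dwOptions": 0},
    {"client": "10.0.0.5", "user": "CORP\\admin", "root": "HKLM",
     "subkey": "SECURITY\\Policy\\Secrets", "dwOptions": REG_OPTION_BACKUP_RESTORE},
    {"client": "10.0.0.5", "user": "CORP\\admin", "root": "HKLM",
     "subkey": "SYSTEM\\CurrentControlSet\\Control\\Lsa", "dwOptions": REG_OPTION_BACKUP_RESTORE},
]

if __name__ == "__main__":
    for sev, ev in find_suspicious(SAMPLE_EVENTS):
        print(f"{sev:<6} {ev['client']:>10} {ev['user']:<12} "
              f"HKLM\\{ev['subkey']} (dwOptions=0x{ev['dwOptions']:x})")
```

The design choice here is to key on the option bit rather than on the key path alone: legitimate administration reads SYSTEM and SOFTWARE constantly, but a remote open that asks for backup/restore semantics on SAM or SECURITY is exactly the shape of the access the PR describes, and it rates "high" regardless of which account made it.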

@LukeLauterbach commented:

Independently tested on Windows 11 and Server 2022 without issue. Although tests were performed on devices with base Defender, which doesn't even catch SecretsDump, so take it with a grain of salt.

@anadrianmanrique anadrianmanrique added Examples medium Medium priority item labels Feb 21, 2025
@anadrianmanrique anadrianmanrique self-assigned this Feb 21, 2025
@mpgn (Contributor) commented Feb 22, 2025

We could easily integrate this into nxc @NeffIsBack !!!

Nice work @laxaa 💪

@NeffIsBack (Contributor) commented:

Looks really nice!

@Dfte commented Feb 26, 2025

Just tested against a top-tier EDR, works like a charm. Great job bro!

@anadrianmanrique (Contributor) commented Mar 7, 2025

Hi @laxaa, thanks for the great new features you added in this PR.
Regarding regsecrets.py: I think it's ok to have it, for now, in a separate example, since secretsdump.py has increased its number of parameters so much in the last years. This will help to give the new feature more visibility, I think. We can think later about how to better integrate this functionality into secretsdump.py.
Regarding dpapidump.py: most of that functionality seems to be already implemented in dploot, which makes me think this is a reason why #1137 was never merged in the first place. I understand this new version makes use of your evasive technique, which will be available in the impacket library once it gets merged, and also available for client projects to be used as well. Thoughts?

@clavoillotte commented:

> Regarding dpapidump.py: most of that functionality seems to be already implemented in dploot, which makes me think this is a reason why #1137 was never merged in the first place. I understand this new version makes use of your evasive technique, which will be available in the impacket library once it gets merged, and also available for client projects to be used as well. Thoughts?

dpapidump.py offers an alternative and stealthy way to perform a specific task.

While dploot implements a similar functionality - amongst other things - and may or may not be adapted in the future to implement the stealthier registry dump technique, it performs actions in its own way, with differences that could be relevant for pentesters / red teamers (e.g. retrieving all master keys vs only the one needed to decrypt a specific credential).
I'm not saying one is better than the other of course, both are useful, and having alternatives is better than having only one tool / one way to perform that task, especially when trying to evade AV/EDR.
In our assessments we use both dploot and (an internally maintained version of) SystemDPAPIdump.py.

As for the reason #1137 was never merged: given it predates dploot by over a year (and its SCCM feature by 3), this probably has less to do with that - at least initially - and supposedly more with the lack of people/time to manage incoming requests at the time and/or a lack of perceived interest in the features - which maybe I could have done a better job explaining at the time.

Anyway, having an example/reference implementation of the technique - for projects that want to implement it - that's also useful as a standalone tool seems like a good thing IMHO, even when trying to ignore my obvious bias :)

@laxa (Contributor) commented Mar 9, 2025

Hello, I am using my primary account to answer. I don't have any specific thoughts about dpapidump.py, but I agree with what @clavoillotte said and I'll leave it to you to decide what's best. As of right now, the script only retrieves the required master keys and performs more requests (taken from SharpSCCM), but it indeed performs as dploot does.

@anadrianmanrique (Contributor) commented:

@clavoillotte thanks for the feedback!
@laxaa ok, I think the best would be to move dpapidump.py to a separate PR and continue the review/discussion there. That way we could move forward and have regsecrets.py merged. Thanks

@laxaa laxaa force-pushed the add_regsecrets_dpapidump branch from e8f4372 to 9c98503 Compare March 10, 2025 20:45
@laxaa (Contributor, Author) commented Mar 10, 2025

I have split dpapidump.py off into its own PR, #1917.

@anadrianmanrique (Contributor) commented:

merging regsecrets.py, thanks!

@anadrianmanrique anadrianmanrique merged commit 8b4566b into fortra:master Mar 14, 2025
8 checks passed
@mpgn (Contributor) commented Mar 14, 2025

Thanks @anadrianmanrique !

PR opened on NXC: Pennyw0rth/NetExec#599
