The final day… and it’s all about memory. The operating system and some processes’ memory contain secrets, such as password hashes and private keys of X.509 certificates. The value of these is very high, as demonstrated not too long ago by the severity of Cloudbleed and a few years ago by Heartbleed. Knowing how to dump memory can help you defend against it because you can build better defenses when you know what tools are used and which processes may be targeted.
In the tutorial video, Paula demonstrated a few free tools, DumpIt and Volatility. Mimikatz, the in-memory password dumper was also mentioned but not demonstrated. The difference and value of full memory dumps vs. process dumps was clarified too.
During the hands-on part, the goal was to steal a private key from a certificate that had its private key marked as not exportable. Mimikatz and a CQURE-created PowerShell function were used to make that happen. Quite eye-opening to see how easy that was. (Of course, an attacker must already have compromised your system to apply those tools.)
At the end of this five-day challenge, I have spent a little less than five hours (that includes preparing this blog posts and most days completing the hands-on challenge). It was worth it. I learned something new every day, both from watching the video tutorial as well as from completing the hands-on assessment. YMMV, but it was five hours well spent for me. I am thankful for the effort the team at CQURE expended to make this challenge happen.
I look forward to the webinar on May 18 to learn how well I did in the quizzes compared to the other participants. I am afraid my score of 3/5 on Tuesday puts me out of the running for any reward though.
Sven Aelterman 