Welcome back, aspiring cyberwarriors!
In real-world engagements, it is not uncommon to encounter environments protected by advanced security solutions. These may include endpoint detection and response platforms or traditional antivirus systems that are deeply integrated into the infrastructure. At first glance, gaining administrative privileges on a machine might seem like a major milestone. However, many modern security solutions are designed in such a way that even local or domain administrator rights are not enough to disable them. This is because they are often centrally managed from a dedicated system, sometimes located outside of the domain itself. These systems act as a form of command center, very similar in concept to a command-and-control server. From this central point, administrators can deploy updates, run scripts and execute commands across all connected endpoints that have the agent installed.
In well-designed environments, these central systems are intentionally separated from the main domain. They may run on hardened Linux servers or isolated Windows systems with entirely different credentials. This separation is specifically implemented to make lateral movement significantly more difficult for an attacker who has already gained access to the internal network. On top of that, access to these management consoles is often restricted through web interfaces protected by authentication, adding yet another layer of defense.
This situation can feel overwhelming. You may find yourself inside a network with limited options for escalation, facing security tools that cannot be easily bypassed or disabled. Instead of trying to fight the protection mechanisms directly, we can shift our approach and focus on extracting valuable information from memory. One of the most effective techniques in such scenarios is to capture system memory and analyze it for credentials.
What is DeadMatter
DeadMatter is a specialized tool written in C# that focuses on extracting sensitive information from memory dumps. Its primary strength lies in its ability to recover credentials from different types of memory-related files without relying on traditional live extraction methods that are often blocked by modern security solutions. Instead of depending solely on structured parsing, the tool scans raw data to locate patterns associated with credentials. This allows it to recover information even when the memory dump is incomplete or does not follow a predictable format.
Modern EDR and antivirus solutions are highly effective at detecting attempts to dump the LSASS process directly, especially when tools try to create a minidump in real time. In many environments, these actions are either blocked or immediately flagged. An alternative approach would be to capture a full memory dump and exfiltrate it for offline analysis. The results include NTLM password hashes, DPAPI keys, and other artifacts related to active logon sessions.
Compiling DeadMatter
The repository for DeadMatter does not include a precompiled binary, which means that in most cases you will need to build it yourself. This can be done either through Visual Studio or by using the .NET Framework.
If you choose to compile it yourself, you can clone the repository and execute the build process from PowerShell.
PS > dotnet build -c release

Once the process completes, the compiled executable named Deadmatter.exe will be located in the bin\Release directory. The build process is straightforward and usually completes without issues, assuming the required .NET components are installed correctly.
If you prefer not to compile the tool yourself or encounter problems during the process, using a precompiled version can save time. We uploaded the compiled executable to our GitHub to simplify things for you.
Capturing RAM
Before moving forward, it is important to understand a key limitation of this approach. The technique described here relies on the ability to extract credentials from memory, which is significantly affected by the state of Credential Guard. If Credential Guard is enabled, many of the sensitive credential structures are protected and isolated, making them inaccessible through traditional memory analysis techniques.
In many real-world environments, especially those running Windows 10 Pro or Windows Server versions prior to 2025, Credential Guard is often disabled. These systems are still widely used across corporate infrastructures, although newer deployments tend to enable it by default.
To avoid unnecessary effort, it is always a good idea to verify the status of Credential Guard before proceeding.
PS > Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

If the result indicates that it is disabled (SecurityServicesRunning shows {0}, meaning no security services are running), you can proceed with memory acquisition.
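The same check, wrapped so it can be run across a fleet and reports a clear finding, as an added example that is not part of the original post or the DeadMatter project. It decodes the Win32_DeviceGuard fields the query above returns: a value of 1 in SecurityServicesRunning means Credential Guard is active (2 is HVCI), and VirtualizationBasedSecurityStatus is 0 for disabled, 1 for enabled but not running, 2 for running. The function name and the wording of the findings are my own.

```powershell
# Added example (not from the original post or the DeadMatter project).
# Reads Win32_DeviceGuard and turns the raw arrays into a pass/warn/risk finding,
# so an administrator can audit whether LSASS secrets are actually isolated.
function Get-CredentialGuardStatus {
    [CmdletBinding()]
    param(
        # Defaults to the local machine; pass a remote name to query over CIM.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $query = @{
        ClassName = 'Win32_DeviceGuard'
        Namespace = 'root\Microsoft\Windows\DeviceGuard'
        ErrorAction = 'Stop'
    }
    if ($ComputerName -ne $env:COMPUTERNAME) { $query['ComputerName'] = $ComputerName }

    $dg = Get-CimInstance @query

    # Configured = what policy asks for; Running = what is active right now.
    # {0} in either array means "no services", which is the disabled case.
    $configured = @($dg.SecurityServicesConfigured) -contains 1
    $running    = @($dg.SecurityServicesRunning)    -contains 1

    $finding = if ($running) {
        'OK: Credential Guard is running; LSASS secrets are isolated'
    } elseif ($configured) {
        'WARN: Credential Guard configured but not running (VBS not active, reboot pending, or UEFI lock issue)'
    } else {
        'RISK: Credential Guard disabled; credentials are recoverable from a memory image'
    }

    [pscustomobject]@{
        ComputerName                      = $ComputerName
        VirtualizationBasedSecurityStatus = $dg.VirtualizationBasedSecurityStatus   # 0 disabled, 1 enabled, 2 running
        CredentialGuardConfigured         = $configured
        CredentialGuardRunning            = $running
        Finding                           = $finding
    }
}

# Local check; for many hosts, pipe a list of names into the function or use Invoke-Command.
Get-CredentialGuardStatus | Format-List
```

The split between "configured" and "running" matters in practice: a policy that sets Credential Guard but never takes effect (for example because virtualization-based security is not running) shows up as a WARN here, while the plain Get-CimInstance output makes that easy to overlook.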
Capturing RAM can be performed using several forensic tools. One of the simplest and most accessible options is FTK Imager. Within the interface, there is a “Capture Memory” option that allows you to create a full memory dump of the system.

You only need to specify a file name and a destination path. The default settings are usually sufficient for this type of operation, so there is no need to modify additional parameters.

Our next step is exfiltration. Modern systems often have large amounts of RAM. Servers commonly operate with 16-32 gigabytes as a baseline, and specialized systems such as Microsoft Exchange servers may have significantly more.
A raw memory dump of this size can be quite large, but compression helps reduce the footprint. In many cases, a 32 gigabyte dump can be compressed down to 8-12 GB, making it more manageable for transfer.
Extracting Credentials
After the transfer is successful, the next step is to extract the credentials. To process a full memory dump in raw format using both structured parsing and carving techniques, you can run the following command:
PS > Deadmatter.exe -f memory_dump.raw

The output generated by the tool can be quite detailed. As you scroll through the results, you may find various credential artifacts associated with active or recently active sessions on the system.

DeadMatter also supports alternative modes of operation that allow you to focus on specific extraction techniques. For example, if you want to rely purely on carving methods, you can instruct the tool to ignore structured parsing and search the raw data directly.
PS > Deadmatter.exe -f memory_dump.raw -m carve
In cases where you are working with a minidump file and want to apply a specific parsing method, the tool allows you to define both the technique and the target Windows version.
PS > Deadmatter.exe -f lsass.dmp -m mimikatz -w WIN_10_1507 -v
There are also more advanced options available. For instance, you can extract both credentials and DPAPI keys while performing additional brute-force operations to locate initialization vectors within the data.
PS > Deadmatter.exe -f memory_dump.raw -b -d
Experimenting with these modes can reveal additional information that may not be visible through a single approach.
How to Defend
To defend against this type of attack, you need visibility into forensic tooling activity across your systems, and you should enable Credential Guard, which isolates credentials from LSASS memory to help prevent credential dumping and pass-the-hash attacks. Simply blocking all forensic tools is not advisable, as they are often required for legitimate DFIR operations. A more effective approach is to maintain a well-defined whitelist of approved tools. This allows you to clearly distinguish between expected investigative activity and potentially unauthorized or suspicious tool execution.
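One way to put that whitelist into practice, as an added example that is not part of the original post: process creation events are compared against a table of approved tools, approved install paths and approved accounts, and anything that does not match is flagged for review. The allowlist, the account names, the install folder and the sample events are constructed for illustration; in production the event objects would come from Security event 4688 (the New Process Name and Subject Account Name fields) or from your EDR's process telemetry.

```powershell
# Added example (not from the original post). Allowlist-based triage of process
# creation events for forensic tooling: approved tool + approved path + approved
# account = expected DFIR activity; anything else is an alert worth a look.

# Constructed allowlist. Paths and accounts are placeholders to replace with your own.
$ApprovedTools = @{
    'FTK Imager.exe' = @{ Path = 'C:\Program Files\AccessData\FTK Imager\'; Users = @('dfir-svc', 'ir.analyst') }
    'Deadmatter.exe' = @{ Path = 'C:\Tools\DFIR\';                          Users = @('dfir-svc') }
}

function Test-ForensicToolEvent {
    param([Parameter(Mandatory)][pscustomobject]$Event)

    $exe = [System.IO.Path]::GetFileName($Event.NewProcessName)
    if (-not $ApprovedTools.ContainsKey($exe)) { return $null }   # not a tool we track

    $rule    = $ApprovedTools[$exe]
    $reasons = @()

    # Same binary name dropped into a temp or profile folder is the classic abuse pattern.
    if (-not $Event.NewProcessName.StartsWith($rule.Path, [StringComparison]::OrdinalIgnoreCase)) {
        $reasons += "unexpected path $($Event.NewProcessName)"
    }
    if ($rule.Users -notcontains $Event.SubjectUserName) {
        $reasons += "unapproved account $($Event.SubjectUserName)"
    }

    $verdict = if ($reasons.Count -eq 0) { 'APPROVED' } else { 'ALERT' }

    [pscustomobject]@{
        TimeCreated = $Event.TimeCreated
        Computer    = $Event.Computer
        Tool        = $exe
        User        = $Event.SubjectUserName
        Verdict     = $verdict
        Reason      = ($reasons -join '; ')
    }
}

# Constructed sample events mimicking the fields of Security event 4688.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2024-01-15 09:12:03'; Computer = 'WS01';       SubjectUserName = 'dfir-svc'
                       NewProcessName = 'C:\Program Files\AccessData\FTK Imager\FTK Imager.exe' }
    [pscustomobject]@{ TimeCreated = '2024-01-15 22:40:51'; Computer = 'SRV-EXCH01'; SubjectUserName = 'jsmith'
                       NewProcessName = 'C:\Users\jsmith\AppData\Local\Temp\FTK Imager.exe' }
    [pscustomobject]@{ TimeCreated = '2024-01-15 22:41:10'; Computer = 'SRV-EXCH01'; SubjectUserName = 'jsmith'
                       NewProcessName = 'C:\Windows\System32\notepad.exe' }
)

# First event is approved, second raises an ALERT on both path and account, third is ignored.
$SampleEvents | ForEach-Object { Test-ForensicToolEvent $_ } | Where-Object { $_ } | Format-Table -AutoSize
```

Matching on the file name alone is deliberately the weakest part of this rule: renaming the binary evades it, so in a real deployment the allowlist should key on file hash or code-signing identity from your EDR, and the path and account checks remain as the second and third conditions.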
Summary
In modern environments, security controls such as EDR and centralized management systems make traditional credential extraction techniques increasingly difficult. Simply having administrative access is often no longer enough to bypass these protections. By combining elements of digital forensics with offensive security, we can extract valuable information in ways that avoid direct confrontation with defensive mechanisms. Memory acquisition and offline analysis represent one of the most effective strategies in such situations.
If you’re interested in digital forensics, we recommend our Advanced Digital Forensics training.
Source: HackersArise
Source Link: https://hackers-arise.com/digital-forensics-evading-av-edr-during-credential-extraction-with-deadmatter/