PROCIRCULAR BLOG

Educating your business on the importance of cybersecurity

KAPE: The Weaponization of DFIR Tools

Posted by Alexis Diediker on Apr 1, 2025 9:43:16 AM


As businesses evolve to achieve higher security maturity, threat actors and penetration testers must also rise to the challenge. Modern third-party security applications such as Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), Windows Defender products, and application allowlists have made many conventional offensive tools ineffective. Gone are the days when all a penetration tester needed was a remote shell or desktop connection to extract user data and credentials from local machines and domain controllers. Instead of fighting signature-based detection with obfuscation techniques, attackers are turning to digital forensics and incident response (DFIR) tools, like KAPE, to get the dirty work done for them. After all, you never have to sneak into the party if the bouncer thinks you’re already on the list.

Developed by Kroll, KAPE (Kroll Artifact Parser and Extractor) is a DFIR tool typically used by digital forensic analysts to investigate, analyze, and recover digital evidence to support legal proceedings or investigations. In Kroll’s description, KAPE is a “triage program that will target essentially any device or storage location, find forensically useful artifacts, and parse them within a few minutes.” In other words, KAPE can extract and parse Windows forensic artifacts on a live system, mounted image, or F-response utility. In layman’s terms, KAPE will target, analyze, parse, and copy any file or folder from any system where the user has elevated privileges.

Since KAPE is a well-known DFIR tool, it should come as no surprise that Microsoft and other third-party security products do not particularly raise an eyebrow when it is installed and used. While the tool’s intended purpose is to collect digital evidence for investigators, attackers can also use these same functions to extract and copy sensitive data such as the SYSTEM, SAM, and SECURITY registry hive files from a local machine. These three files are all an attacker needs to recover any locally cached secrets, cleartext passwords, and/or NTLM password hashes from the local machine for offline cracking.

Once on a machine, an attacker can use the user-friendly GUI (gkape) or the command line version to target the C drive directory and any registry hive files within it. In the figure below, we have set the ‘Target source’ to the C drive and our ‘Target destination’ (Output file to store the copies of our targets) to C:\Temp\. All file names pertaining to the registry will be selected under the ‘Targets’ parameter.

[Figure: KAPE 1]

Upon pressing ‘Execute’, KAPE will gather all the target files we’ve selected, parse them, and save copies of them to our set ‘Target destination’ location. A command line terminal will pop up showing the progress of this process once the tool has started gathering the targets.

[Figure: KAPE 2]

All an attacker must do once the process is completed is navigate to the ‘Target destination’ (set to the C:\Temp\ directory in this example) and use their preferred method for exporting the data to their attacker machine. After this, a simple extraction of password data using Impacket’s Secretsdump and the stolen SAM, SECURITY, and SYSTEM files will produce any cached passwords from within that machine’s local SAM as well as any LSA secrets. The type of password information stored on that machine will determine how terrible of a day you’ll end up having. These passwords and user details can be used to move laterally through a network or even escalate privileges to find bigger and better targets.

The next big question is, what can we do to mitigate or stop these types of DFIR tools in their tracks? First and foremost, if you aren’t already using digital forensic tools as part of your routine security operations, it’s best to block them from running entirely. Adjusting your application allowlist rules and parameters can keep these applications from running until you know they will be used in your environment. Monitoring and auditing read-handle events to LSASS and the SAM hive is another way to catch this type of activity from any application. A read handle to LSASS can be logged under Windows Security event 4656 (“A handle to an object was requested”) once object access auditing is enabled, and “Suspicious SAM Hive Handle” detections can also be watched for activity.
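To make the event 4656 monitoring above concrete, here is a small triage routine, written as an added example for this post (not ProCircular’s or Kroll’s code), that runs over already-parsed 4656 records and flags handle requests to the SAM/SECURITY/SYSTEM hive files or to the LSASS process from any process outside an allowlist. The input records are constructed for the example and use the event’s own EventData field names (`ObjectName`, `ObjectType`, `ProcessName`, `AccessMask`, `SubjectUserName`); the allowlist contents are an assumption to be tuned per environment.

```python
"""Triage Windows Security event 4656 records for handle requests to the
SAM/SECURITY/SYSTEM hive files or the LSASS process.

Added example, not code from the original post or from KAPE. Assumes the
caller has already flattened each event's EventData into a dict (what most
SIEMs hand you after parsing the event XML).
"""
import re
from dataclasses import dataclass

# Assumed allowlist (illustrative): processes expected to open these objects
# in a given environment. Add EDR, backup, or vulnerability-scanner agents here.
ALLOWED_PROCESSES = {
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}

# Registry hive files that hold local credential material.
HIVE_FILE = re.compile(r"\\windows\\system32\\config\\(sam|security|system)$",
                       re.IGNORECASE)
# LSASS shows up in 4656 as a Process object whose name ends in lsass.exe.
LSASS_PROCESS = re.compile(r"\\lsass\.exe$", re.IGNORECASE)

# Access-mask bits that indicate a read of the object's contents.
FILE_READ_DATA = 0x1      # file objects
PROCESS_VM_READ = 0x10    # process objects


@dataclass
class Finding:
    rule: str
    subject: str
    process: str
    object_name: str


def triage_4656(events):
    """Return a Finding for every 4656 record that is a read-capable handle
    request to a credential hive file or to LSASS from a non-allowlisted process."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4656:
            continue
        process = ev.get("ProcessName", "").lower()
        if process in ALLOWED_PROCESSES:
            continue
        obj = ev.get("ObjectName", "")
        mask = int(ev.get("AccessMask", "0x0"), 16)
        subject = ev.get("SubjectUserName", "")
        if ev.get("ObjectType") == "File" and HIVE_FILE.search(obj) and mask & FILE_READ_DATA:
            findings.append(Finding("credential_hive_read_handle", subject, process, obj))
        elif ev.get("ObjectType") == "Process" and LSASS_PROCESS.search(obj) and mask & PROCESS_VM_READ:
            findings.append(Finding("lsass_read_handle", subject, process, obj))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4656, "ObjectType": "File", "SubjectUserName": "alice",
     "ObjectName": r"C:\Windows\System32\config\SAM",
     "ProcessName": r"C:\Tools\KAPE\kape.exe", "AccessMask": "0x1"},
    {"EventID": 4656, "ObjectType": "Process", "SubjectUserName": "SYSTEM",
     "ObjectName": r"\Device\HarddiskVolume3\Windows\System32\lsass.exe",
     "ProcessName": r"C:\Windows\System32\svchost.exe", "AccessMask": "0x1010"},
    {"EventID": 4656, "ObjectType": "File", "SubjectUserName": "alice",
     "ObjectName": r"C:\Users\alice\Documents\notes.txt",
     "ProcessName": r"C:\Windows\System32\notepad.exe", "AccessMask": "0x1"},
    {"EventID": 4663, "ObjectType": "File", "SubjectUserName": "alice",
     "ObjectName": r"C:\Windows\System32\config\SECURITY",
     "ProcessName": r"C:\Tools\KAPE\kape.exe", "AccessMask": "0x1"},
    {"EventID": 4656, "ObjectType": "Process", "SubjectUserName": "alice",
     "ObjectName": r"\Device\HarddiskVolume3\Windows\System32\lsass.exe",
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\unknown.exe", "AccessMask": "0x1010"},
]


def run_sample():
    """Run the triage over the constructed records; returns the findings."""
    return triage_4656(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.rule}: {f.subject} via {f.process} -> {f.object_name}")
```

Two of the five constructed records are flagged: the SAM hive read from kape.exe and the LSASS read handle from the unknown temp-folder binary; the svchost.exe handle is dropped by the allowlist, and the 4663 record is ignored because the routine only looks at 4656. In practice the hive and LSASS objects need a SACL (object access auditing) before 4656 is generated for them at all, so confirm the events are actually flowing before trusting the absence of findings.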

The weaponization of digital forensics incident response (DFIR) tools like KAPE poses a significant threat to businesses and their security measures. These tools, originally designed for legitimate investigative purposes, can now be used by attackers to extract sensitive information and escalate privileges within a network. The ease of use and lack of suspicion surrounding these tools make them an attractive choice for threat actors. To mitigate the risks associated with DFIR tools, businesses should consider blocking them from running entirely and implementing monitoring and auditing measures to detect any suspicious activity. By staying proactive and vigilant, businesses can better protect themselves against this evolving threat landscape. Contact our team to learn more about how you can stay secure!

Topics: Cybersecurity, Incident Response, hacking
