u/Infosecsamurai

Why Upload When You Can Steal with VmKatz

VMkatz – Extract Windows Credentials Directly from VM Snapshots & Virtual Disks (Purple Team Walkthrough)

In this episode of The Weekly Purple Team, I walk through VMkatz (https://github.com/nikaiw/VMkatz), a ~2.5 MB static Rust binary that extracts Windows credentials directly from VM memory snapshots and virtual disks in place — no exfil required. Drop it on the ESXi host, the Proxmox node, or the NAS and walk away with NTLM hashes, Kerberos tickets, DPAPI master keys, LSA secrets, and full NTDS.dit dumps.

🔴 Red Team covered:

  • Deploying VMkatz as a static musl binary directly on ESXi (no dependencies)
  • Extracting LSASS credentials from a .vmdk
  • Auto-discovery mode — point it at a VM folder and let it find everything

🔵 Blue Team covered:

  • Detecting suspicious binary execution on ESXi hosts via syslog events
  • SIEM detections for anomalous execution and malicious changes to ESXi systems

MITRE ATT&CK: T1003.001 (LSASS Memory) | T1003.002 (SAM) | T1003.003 (NTDS) | T1078 (Valid Accounts)

https://youtu.be/iqrXbWENfY0

u/Infosecsamurai — 7 days ago
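Covering the blue-team bullet above (spotting suspicious binary execution on an ESXi host from its shell logs), here is an added example that is not part of the original post or of the VMkatz project. It is a small Python scanner over ESXi `shell.log` entries and assumes the line shape `<timestamp> shell[<pid>]: [<user>]: <command>`; the log lines are constructed samples, and the `./vmkatz ...` command line in them is a placeholder shape, not the tool's real syntax. The rules flag three things a datastore should never see: a program executed from a datastore path, a `chmod` on a datastore path, and an unexpected tool reading VM memory or disk files (`.vmsn`, `.vmem`, `.vmss`, `.vmdk`).

```python
"""Flag suspicious interactive-shell activity on an ESXi host from shell.log lines.

Assumed format (not taken from the original post):
    <ISO timestamp> shell[<pid>]: [<user>]: <command line>
All sample lines below are constructed, not real captures.
"""
import re
from dataclasses import dataclass

SHELL_LINE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$"
)
# VM memory snapshots (.vmsn/.vmem/.vmss) and virtual disks (.vmdk) are the
# inputs a credential extractor needs; only known VM tools should touch them.
VM_ARTIFACT = re.compile(r"\.(?:vmdk|vmsn|vmem|vmss)\b", re.IGNORECASE)
DATASTORE = "/vmfs/volumes/"
# Built-in tools that legitimately operate on VM files.
VM_TOOL_ALLOWLIST = {"vmkfstools", "vim-cmd", "esxcli"}


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    rule: str
    cmd: str


def parse_line(line):
    """Return (ts, user, cmd) for a shell.log line, or None if it does not match."""
    m = SHELL_LINE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("user"), m.group("cmd")


def segments(cmd):
    """Split a command line on ; && || | so every program in it is inspected."""
    return [s.strip() for s in re.split(r";|&&|\|\||\|", cmd) if s.strip()]


def check_command(ts, user, cmd):
    """Apply the three rules to one command line and return the alerts raised."""
    alerts = []
    for seg in segments(cmd):
        argv = seg.split()
        if not argv:
            continue
        prog = argv[0]
        base = prog.rsplit("/", 1)[-1]
        # Rule 1: a program launched from a datastore (or the cwd after cd'ing
        # into one). Datastores hold VM files, never operator tooling.
        if prog.startswith("./") or prog.startswith(DATASTORE):
            alerts.append(Alert(ts, user, "exec_from_datastore", seg))
        # Rule 2: making something under a datastore executable.
        if base == "chmod" and any(a.startswith(DATASTORE) for a in argv[1:]):
            alerts.append(Alert(ts, user, "chmod_on_datastore", seg))
        # Rule 3: anything outside the allowlist reading VM memory/disk files.
        if VM_ARTIFACT.search(seg) and base not in VM_TOOL_ALLOWLIST:
            alerts.append(Alert(ts, user, "vm_artifact_access", seg))
    return alerts


def scan_log(lines):
    """Run every parseable shell.log line through the rules; skip the rest."""
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        alerts.extend(check_command(*parsed))
    return alerts


# Constructed sample: a night-time session that stages and runs a dropped
# binary, followed by a normal daytime clone with vmkfstools.
SAMPLE_LOG = """\
2025-01-10T02:14:03Z shell[2201]: [root]: ls /vmfs/volumes/datastore1/DC01/
2025-01-10T02:14:20Z shell[2201]: [root]: chmod +x /vmfs/volumes/datastore1/.tools/vmkatz
2025-01-10T02:14:31Z shell[2201]: [root]: cd /vmfs/volumes/datastore1/.tools && ./vmkatz /vmfs/volumes/datastore1/DC01
2025-01-10T02:15:02Z shell[2201]: [root]: strings /vmfs/volumes/datastore1/DC01/DC01.vmsn
2025-01-10T09:00:11Z shell[3310]: [root]: vmkfstools -i /vmfs/volumes/datastore1/DC01/DC01.vmdk /vmfs/volumes/datastore2/DC01/DC01.vmdk
2025-01-10T09:01:40Z shell[3310]: [root]: esxcli system version get
"""

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.user} {a.rule}: {a.cmd}")
```

Running it prints three alerts for the 02:14 session and nothing for the vmkfstools clone or the esxcli query. The allowlist keeps rule 3 quiet for routine storage work; shipping shell.log (and auth.log, for the SSH login that precedes such a session) to the SIEM is what makes these rules useful, since a host-local log is easy to clear.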