Red Team | Weaponizing Windows Crash Dumps

Описание: Red Team | Living Off the Crash: Weaponizing System-Generated Crash Dumps

🎙️ Jason Mull, Team Lead, Security Operations, Lockstep Technology Group
📍 Presented at SANS Hack & Defend Summit 2025

Endpoint protection systems regularly identify credential harvesting and session hijacking attacks, but crash dumps represent an unmonitored attack surface with the potential to contain the same valuable information. Windows crash dumps routinely preserve domain credentials, browser authentication tokens, and sensitive documents from multiple applications and sessions, yet organizations rarely consider their exploitation potential. This presentation demonstrates how offline analysis of these naturally occurring artifacts can lead to intelligence extraction using chained memory analysis tools after initial acquisition without ongoing endpoint interaction or detection.

Working outside established detection methods, this approach leverages crash dumps as ""living-off-the-land"" resources that bypass established security controls. The technique transforms overlooked system artifacts into valuable offensive capabilities, providing sustained access to organizational intelligence without triggering detection systems.