Living Off the Crash: Weaponizing System-Generated Crash Dumps

“A look into how Windows crash dump files—often ignored in offensive operations—can be weaponized to extract sensitive data like credentials and encryption keys without noisy memory dumping techniques, while also exploring detection strategies for defenders.”

Endpoint protection systems regularly identify credential harvesting and session hijacking attacks, but crash dumps represent an unmonitored attack surface with the potential to contain the same valuable information. Windows crash dumps routinely preserve domain credentials, browser authentication tokens, and sensitive documents from multiple applications and sessions, yet organizations rarely consider their exploitation potential. This presentation demonstrates how, after initial acquisition, offline analysis of these naturally occurring artifacts with chained memory analysis tools can extract intelligence without ongoing endpoint interaction or detection.

Operating outside established detection methods, this approach treats crash dumps as “living-off-the-land” resources that bypass existing security controls. The technique transforms overlooked system artifacts into valuable offensive capabilities, providing sustained access to organizational intelligence without triggering detection systems.


© 2025 Jason Mull. All rights reserved.