Security researcher Julian Peña has released GhostKatz, a new tool for extracting credentials from the LSASS process by reading the machine's physical memory directly. The project is hosted publicly on GitHub under the RainbowDynamix account and is aimed at information security professionals and red team operators.
GhostKatz abuses vulnerable but legitimately signed Windows kernel drivers (the bring-your-own-vulnerable-driver, or BYOVD, approach) that expose the kernel's MmMapIoSpace routine, which maps a physical address range into kernel virtual memory. Through such a driver the tool reads LSASS memory at the physical level instead of opening a handle to the process, which sidesteps many user-mode detection mechanisms, including those built to catch conventional LSASS memory dumps. It does not make the activity invisible: the driver still has to be written to disk and loaded, and that load is visible to kernel-level telemetry. Rather than relying on zero-day vulnerabilities, the tool uses publicly disclosed driver flaws, which reduces the legal and research risk for its users.
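The defensive counterpart to the technique described above is to watch driver loads rather than LSASS handle activity. The following is an added example, not code from GhostKatz, its authors, or this article: it parses the rendered text of Sysmon Event ID 6 (DriverLoad) records and flags loads whose SHA-256 matches a known-vulnerable-driver list, that come from outside the system drivers directory, or that carry a non-Valid signature status. The hash list, publisher name and event records are constructed placeholders; a real deployment would populate the list from the Microsoft vulnerable driver blocklist or the LOLDrivers project.

```python
import re
from dataclasses import dataclass

# Constructed placeholder SHA-256 values (assumption for this example). A real
# deployment would load the Microsoft vulnerable driver blocklist or the
# LOLDrivers hash set here instead.
VULN_DRIVER_SHA256 = {
    "1" * 64: "constructed-vulnerable-driver-A",
    "2" * 64: "constructed-vulnerable-driver-B",
}

# Directory where Windows normally keeps its drivers (compared lower-cased).
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# One "Name: value" line of a rendered Sysmon event.
FIELD_RE = re.compile(r"^(\w+):\s*(.*)$")


@dataclass
class Finding:
    severity: str
    reason: str
    image: str


def sysmon_driver_load(image, sha256, status="Valid"):
    """Build the rendered text of a Sysmon Event ID 6 record (constructed sample)."""
    return (
        "Driver loaded:\n"
        "UtcTime: 2024-05-01 10:00:00.000\n"
        f"ImageLoaded: {image}\n"
        f"Hashes: SHA256={sha256}\n"
        "Signed: true\n"
        "Signature: Example Publisher\n"
        f"SignatureStatus: {status}\n"
    )


def parse_driver_load(event_text):
    """Turn the rendered text of a DriverLoad record into a dict of fields."""
    fields = {}
    for line in event_text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    # Sysmon renders hashes as "ALG=hex,ALG=hex"; split them out by algorithm.
    hashes = {}
    for pair in fields.get("Hashes", "").split(","):
        if "=" in pair:
            alg, val = pair.split("=", 1)
            hashes[alg.strip().upper()] = val.strip().lower()
    fields["_hashes"] = hashes
    return fields


def assess(fields):
    """Apply three checks to one parsed DriverLoad record."""
    findings = []
    image = fields.get("ImageLoaded", "")
    sha256 = fields["_hashes"].get("SHA256", "")
    # 1. BYOVD relies on the signature being valid, so a signature check alone
    #    passes; the hash of the driver image is what identifies it.
    if sha256 in VULN_DRIVER_SHA256:
        findings.append(Finding("high", "known vulnerable driver: " + VULN_DRIVER_SHA256[sha256], image))
    # 2. A driver dropped by an operator usually loads from a user-writable path.
    if not image.lower().startswith(TRUSTED_DRIVER_DIR):
        findings.append(Finding("medium", "driver loaded from outside the system drivers directory", image))
    # 3. Unsigned or badly signed drivers are worth a look regardless of hash.
    if fields.get("SignatureStatus", "").lower() != "valid":
        findings.append(Finding("medium", "driver signature status is not Valid", image))
    return findings


def analyze(events):
    """Run every record through the checks and return all findings."""
    return [f for ev in events for f in assess(parse_driver_load(ev))]


# Constructed sample records: one benign load, one BYOVD-style load from a
# user directory, and one blocklisted driver sitting in the normal location.
SAMPLE_EVENTS = [
    sysmon_driver_load("C:\\Windows\\System32\\drivers\\ntfs.sys", "a" * 64),
    sysmon_driver_load("C:\\Users\\Public\\Temp\\gk.sys", "1" * 64),
    sysmon_driver_load("C:\\Windows\\System32\\drivers\\vendor.sys", "2" * 64),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.reason}: {finding.image}")
```

The path and signature checks are deliberately kept alongside the hash match: a vulnerable driver that is already installed by a vendor will match only on hash, while a driver the operator brings along will usually also trip the path check, and neither is caught by looking at signature validity alone. On hosts where the Microsoft vulnerable driver blocklist is enforced through HVCI, a listed driver is refused at load time and no such event is needed, but the hash match remains useful for drivers that have not yet been added to that list.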
The project was co-authored by Erik Esquivel. According to the authors, it began as a learning exercise to deepen their understanding of kernel-mode exploitation. They cite Outflank's KernelKatz, a private tool to which they had no access, as the main inspiration.
GhostKatz is modular: users can add their own drivers and memory-reading primitives by extending the source code. The current release extracts logonpasswords and wdigest credentials and is driven from a Cobalt Strike Beacon through an Aggressor Script. The authors note that their private infrastructure automates the discovery and exploitation of such drivers, but those exploits are not included in the public release.
The tool has been tested on Windows 10 and on Windows Server 2012 R2, 2016, 2019 and 2022. The developers warn, however, that loading vulnerable drivers carries an inherent risk of system instability, up to and including a Blue Screen of Death (BSOD), so GhostKatz should be used in production environments only with great care. Operators should also expect the driver load itself to be logged, and on hosts where the Microsoft vulnerable driver blocklist is enforced a known driver may be refused outright.