June 15, 2020
When the United States Army asked us if Arsenal Image Mounter’s Windows authentication bypass could be extended to handle domain accounts protected by smart cards, we were not sure it would be possible… but we knew if it could be done, it would be our team to do it.
After three months of working on the Army’s request, not only have we accomplished the mission, but we have gone much further. AIM’s new Windows authentication bypass now handles deleted local accounts, accounts using more forms of alternative authentication (including PINs, biometrics, pictures, and smart cards), accounts impacted by hardened policy, and domain accounts in problematic states such as disabled, deleted, and on workstations disjoined from their domains. As before, supported Windows account types supported are Local, Microsoft (cloud), Active Directory, and Azure Active Directory. As far as we know, there are no other tools which offer Windows authentication bypass nearly this powerful.
We have added more features in v3.2.126 beyond our new Windows authentication bypass. AIM’s Volume Shadow Copy mounting now provides a list of VSCs (with associated timestamps) so that any combination of VSCs can be mounted in either native or Windows file system driver bypass modes.
AIM no longer uses CD/DVD-ROM emulation for Windows file system driver bypass, VSC mounting, and (optionally) archive mounting. One of the immediate benefits is that path length limitations are no longer an issue.
Another new feature, “Create new image file”, creates and mounts a new disk image file with an NTFS partition.
A new RAM disk feature has been added which uses dynamic memory allocation (memory allocated as files are added to the RAM disk and deallocated when files are deleted) and a VHD image as a template for the new disk. The contents of the VHD will be on the RAM disk when it is created, but the VHD will not be modified when the contents of the RAM disk change. These RAM disks can then be attached to virtual machines, saved to any of AIM’s supported disk image formats, and more. We are sure that our customers will find creative ways to use this new feature!
We have made attaching “physically” mounted objects to the virtual machines launched by AIM easier with the new “Attach to existing virtual machine” feature. If you attach an AIM-mounted disk image, AIM-created RAM disk, or VHDX, you will be asked to place the object offline so that the virtual machine has exclusive access to it. If you attach a folder or archive mounted by AIM with CD/DVD-ROM emulation, you will not need to place the object offline (but please note it will be read only) as that concept is not relevant to CD/DVD-ROM emulation.
While not a new feature per se, we have been experimenting lately with using PowerShell Direct to interact with the virtual machines launched by AIM. Using PowerShell Direct (if both the host and virtual machine are running Windows 10 or Windows 2016) allows you to run PowerShell commands such as Copy-Item and Enter-PSSession against a virtual machine, regardless of its network or remote management settings. Copy-Item is somewhat self explanatory and Enter-PSSession allows you to run commands within the virtual machine. See https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/powershell-direct for more information. Please note that PowerShell will ask for credentials of the account within the virtual machine that you are interested in, which you must provide as DOMAIN\USER or COMPUTER\USER. You do not need to enter a password if AIM has already performed Windows authentication bypass… but please note that even though you do not need to provide a password, PowerShell Direct still requires that the account originally had one.
Here you can see PowerShell Direct in action, copying a file to the host from a SANS Windows 10 workstation launched into a VM by AIM:
Copy-Item -FromSession (New-PSSession -VMName AIM_base-rd01-cdrive.e01_5E3437D9) -Path “c:\users\tdungan\documents\demon core.pdf” -Destination c:\users\administrator\desktop
And here you can see a PowerShell session established with the VM, so the command run in PowerShell on the host are actually run within the VM:
Enter-PSSession -VMName AIM_base-rd01-cdrive.e01_5E3437D9
Finally, you will find that v3.2.126 has updated readmes, updates to the AIM Virtual Machine Tools interface, additional antivirus evasion within the virtual machines launched by AIM, improved performance, and other minor improvements.
We hope you enjoy this latest version of AIM, and please let us know what you would like to see in future versions!
Three months ago I challenged the Arsenal team by suggesting that we could get more creative about how to access protected content in Windows, especially considering Arsenal Image Mounter was already reliably launching disk images into virtual machines and bypassing every type of Windows authentication.
We have been working aggressively for the last month on an extension to our Windows authentication bypass that some of our colleagues in digital forensics will find quite shocking. While we continue this work, we have decided to launch another version of AIM with some new features requested by our customers.
The workflow for launching virtual machines has been significantly improved in Arsenal Image Mounter v3.1.101! You will now see a single dialog box (rather than a series of prompts) which consolidates important options related to launching virtual machines.
Join our mailing list to arm yourself with updates about Arsenal tools, training, and research. Our mailing list is double opt-in so you will need to check your email and confirm your subscription before receiving our mailings.
or (617) 277-3625
Terms & Conditions