June 15, 2020
When the United States Army asked us if Arsenal Image Mounter’s Windows authentication bypass could be extended to handle domain accounts protected by smart cards, we were not sure it would be possible… but we knew if it could be done, it would be our team to do it.
After three months of working on the Army’s request, not only have we accomplished the mission, but we have gone much further. AIM’s new Windows authentication bypass now handles deleted local accounts, accounts using more forms of alternative authentication (including PINs, biometrics, pictures, and smart cards), accounts impacted by hardened policy, and domain accounts in problematic states such as disabled, deleted, and on workstations disjoined from their domains. As before, the supported Windows account types are Local, Microsoft (cloud), Active Directory, and Azure Active Directory. As far as we know, there are no other tools which offer Windows authentication bypass nearly this powerful.
We have added more features in v3.2.126 beyond our new Windows authentication bypass. AIM’s Volume Shadow Copy mounting now provides a list of VSCs (with associated timestamps) so that any combination of VSCs can be mounted in either native or Windows file system driver bypass modes.
AIM no longer uses CD/DVD-ROM emulation for Windows file system driver bypass, VSC mounting, and (optionally) archive mounting. One of the immediate benefits is that path length limitations are no longer an issue.
Another new feature, “Create new image file”, creates and mounts a new disk image file with an NTFS partition.
A new RAM disk feature has been added which uses dynamic memory allocation (memory allocated as files are added to the RAM disk and deallocated when files are deleted) and a VHD image as a template for the new disk. The contents of the VHD will be on the RAM disk when it is created, but the VHD will not be modified when the contents of the RAM disk change. These RAM disks can then be attached to virtual machines, saved to any of AIM’s supported disk image formats, and more. We are sure that our customers will find creative ways to use this new feature!
We have made attaching “physically” mounted objects to the virtual machines launched by AIM easier with the new “Attach to existing virtual machine” feature. If you attach an AIM-mounted disk image, AIM-created RAM disk, or VHDX, you will be asked to place the object offline so that the virtual machine has exclusive access to it. If you attach a folder or archive mounted by AIM with CD/DVD-ROM emulation, you will not need to place the object offline (but please note it will be read only) as that concept is not relevant to CD/DVD-ROM emulation.
While not a new feature per se, we have been experimenting lately with using PowerShell Direct to interact with the virtual machines launched by AIM. Using PowerShell Direct (if both the host and virtual machine are running Windows 10 or Windows 2016) allows you to run PowerShell commands such as Copy-Item and Enter-PSSession against a virtual machine, regardless of its network or remote management settings. Copy-Item is somewhat self-explanatory, and Enter-PSSession allows you to run commands within the virtual machine. See https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/powershell-direct for more information. Please note that PowerShell will ask for the credentials of the account within the virtual machine that you are interested in, which you must provide as DOMAIN\USER or COMPUTER\USER. You do not need to enter a password if AIM has already performed Windows authentication bypass… but please note that even though you do not need to provide a password, PowerShell Direct still requires that the account originally had one.
Here you can see PowerShell Direct in action, copying a file to the host from a SANS Windows 10 workstation launched into a VM by AIM:
Copy-Item -FromSession (New-PSSession -VMName AIM_base-rd01-cdrive.e01_5E3437D9) -Path "c:\users\tdungan\documents\demon core.pdf" -Destination c:\users\administrator\desktop
And here you can see a PowerShell session established with the VM, so that commands run in PowerShell on the host are actually run within the VM:
Enter-PSSession -VMName AIM_base-rd01-cdrive.e01_5E3437D9
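The two commands above can be combined into a repeatable triage script. The following is an added example and is not Arsenal's code or part of AIM; it assumes the VM name shown above (replace it with the name Get-VM reports on your host), a placeholder account name, and output paths of your choosing. It opens one PowerShell Direct session, gathers basic facts from inside the VM, exports the Security event log there, pulls it to the host with Copy-Item -FromSession, and hashes the collected file so it can be verified later.

```powershell
# Added example (not Arsenal's code): triage an AIM-launched VM over PowerShell Direct.
# Assumptions: the VM name, account name and paths below are placeholders for your own values.
$VMName  = 'AIM_base-rd01-cdrive.e01_5E3437D9'   # name shown by Get-VM on the Hyper-V host
$Account = 'COMPUTER\user'                        # must be COMPUTER\USER or DOMAIN\USER
$OutDir  = Join-Path 'C:\triage' $VMName

# PowerShell Direct only works from the Hyper-V host, and only for VMs running on it.
if (-not (Get-VM -Name $VMName -ErrorAction SilentlyContinue)) {
    throw "VM '$VMName' is not registered on this Hyper-V host."
}

# Prompt for the account inside the VM. If AIM has already bypassed authentication,
# leave the password empty; the account itself must still have had a password originally.
$cred = Get-Credential -UserName $Account -Message "Account inside $VMName"

$session = New-PSSession -VMName $VMName -Credential $cred
try {
    # Run commands inside the VM; nothing here depends on the VM's network or WinRM settings.
    $info = Invoke-Command -Session $session -ScriptBlock {
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            LoggedOnAs   = "$env:USERDOMAIN\$env:USERNAME"
            OSVersion    = [Environment]::OSVersion.Version.ToString()
            LastBoot     = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
        }
    }
    $info | Format-List

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # Export the Security event log inside the VM (wevtutil writes a copy; the live log is untouched),
    # then pull the exported file to the host with Copy-Item -FromSession.
    Invoke-Command -Session $session -ScriptBlock {
        wevtutil epl Security C:\Windows\Temp\Security.evtx /ow:true
    }
    Copy-Item -FromSession $session -Path 'C:\Windows\Temp\Security.evtx' -Destination $OutDir

    # Record a SHA-256 hash on the host so the collected file can be verified later.
    Get-FileHash -Path (Join-Path $OutDir 'Security.evtx') -Algorithm SHA256 |
        Export-Csv -Path (Join-Path $OutDir 'hashes.csv') -NoTypeInformation
}
finally {
    # Always tear the session down, even if a step above fails.
    Remove-PSSession $session
}
```

Run it from an elevated PowerShell prompt on the Hyper-V host. Using a single New-PSSession for every step, rather than creating a session per command, keeps the number of logons inside the VM (and the corresponding entries in its own Security log) to a minimum, which matters when the VM is itself the evidence being examined.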
Finally, you will find that v3.2.126 has updated readmes, updates to the AIM Virtual Machine Tools interface, additional antivirus evasion within the virtual machines launched by AIM, improved performance, and other minor improvements.
We hope you enjoy this latest version of AIM, and please let us know what you would like to see in future versions!