Dumping Lsass with trusted processes

In today's blog we will go through some points like:

What is LSASS
Why LSASS
LSASS Dumping Techniques
ASR Rules
Proof of Concept
Demo
References

What is LSASS

LSASS (Local Security Authority Subsystem Service) is the process on Microsoft Windows that handles all user authentication, password changes, creation of access tokens, and enforcement of security policies. This means the process stores multiple forms of hashed passwords, and in some instances even stores plaintext user passwords. So with that we can undetstand that Lsass is very important process. We can find the lsass process in task manger -> Details -> lsass.exe:

LSASS contains valuable authentication data such as:

encrypted passwords
NT hashes
LM hashes
Kerberos tickets
Cleartext credentials (if wdigest is enabled)

Why LSASS?

Adversaries or attackers commonly abuse the Local Security Authority Subsystem Service (LSASS) to dump credentials for privilege escalation, data theft, and lateral movement. The process is a fruitful target for adversaries because of the sheer amount of sensitive information it stores in memory.

LSASS Dumping Techniques

There are several techniques and tools to dump lsass such as:

Task Manager
Procdump
comsvcs.dll
Mimikatz
PPLdump
HandleKatz
nanodump
safetykatz
.......

ASR Rules

Attack surface reduction rules (ASR rules) help prevent actions that malware often abuses to compromise devices and networks. ASR can help detect and prevent targeted exploits. By restricting the ways in which attackers can infiltrate a system, ASR provides an additional layer of defense against cyber threats. Below picture we can see all ASR rules and GUID

Proof Of Concept

So now, After we understand what is lsass and why it's important for the attackers. Now we will go from the attacker's side to see how to exploit it and extract the information. When we try the above techniques Microsoft defender will flag it as malicious because the ASR rule prevents untrusted processes from having direct access to LSASS memory. The picture below explains the Lsass ASR rule:

After we understand the above rule now our goal is finding a process that is trusted for direct access. After searching on the internet, I found an interesting repository on github that contains all the ASR rules:

GitHub - HackingLZ/ExtractedDefenderGitHub

Then we go for Lsass rule (9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) page to read the rule. Below picture shows the rule Name,Description and GetMonitoredLocations.

So, it functions by filtering the handle returned from OpenProcess to remove read access to the process memory, this preventing its content from being dumped. But at the same time, we found GetPathExclusions that contain all the processes that are excluded to have direct access to the LSASS process.

And also, we can do it in the manual way. First we need to locate the Defender signature files. And we can find these in the following location: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup

In our case, we are primarily interested in the mpasbase.vdm file that contain signatures, emulation resources, etc. Then we use this tool to extract it:

GitHub - hfiref0x/WDExtract: Extract Windows Defender database from vdm files and unpack itGitHub

Then we will have mpasbase.vdm.extracted file. After that, we opened the extracted file in HxD to search for the GUID of the ASR rule that we wanted to investigate and in our case we searched for Lsass rule (9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2):

And in the picture below we see all the excluded programs for Lsass ASR rule:

After we find and understand what we need now, it's time to let one of these processes access Lsass and dump it. But how will this happen? We will use (Process Hollowing) technique.

Process hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code.

You will be wondering why we create a process in a suspended state ? The idea here is to launch a legitimate process, then replace the content of the process with malicious code and then resume it. The picture below is a simple example for the technique:

To achieve this with Process hollowing, we will create a program with the below windows APIs and we will use Lsass dumping shellcode but encrypted with XOR and decrypted when it's running: