Dumping Lsass with trusted processes
Last updated
Last updated
In today's blog we will go through some points like:
What is LSASS
Why LSASS
LSASS Dumping Techniques
ASR Rules
Proof of Concept
Demo
References
LSASS (Local Security Authority Subsystem Service) is the process on Microsoft Windows that handles all user authentication, password changes, creation of access tokens, and enforcement of security policies. This means the process stores multiple forms of hashed passwords, and in some instances even stores plaintext user passwords. So with that we can undetstand that Lsass is very important process. We can find the lsass process in task manger -> Details -> lsass.exe:
LSASS contains valuable authentication data such as:
encrypted passwords
NT hashes
LM hashes
Kerberos tickets
Cleartext credentials (if wdigest is enabled)
Adversaries or attackers commonly abuse the Local Security Authority Subsystem Service (LSASS) to dump credentials for privilege escalation, data theft, and lateral movement. The process is a fruitful target for adversaries because of the sheer amount of sensitive information it stores in memory.
There are several techniques and tools to dump lsass such as:
Task Manager
Procdump
comsvcs.dll
Mimikatz
PPLdump
HandleKatz
nanodump
safetykatz
.......
Attack surface reduction rules (ASR rules) help prevent actions that malware often abuses to compromise devices and networks. ASR can help detect and prevent targeted exploits. By restricting the ways in which attackers can infiltrate a system, ASR provides an additional layer of defense against cyber threats. Below picture we can see all ASR rules and GUID
So now, After we understand what is lsass and why it's important for the attackers. Now we will go from the attacker's side to see how to exploit it and extract the information. When we try the above techniques Microsoft defender will flag it as malicious because the ASR rule prevents untrusted processes from having direct access to LSASS memory. The picture below explains the Lsass ASR rule:
After we understand the above rule now our goal is finding a process that is trusted for direct access. After searching on the internet, I found an interesting repository on github that contains all the ASR rules:
Then we go for Lsass rule (9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) page to read the rule. Below picture shows the rule Name,Description and GetMonitoredLocations.
So, it functions by filtering the handle returned from OpenProcess to remove read access to the process memory, this preventing its content from being dumped. But at the same time, we found GetPathExclusions that contain all the processes that are excluded to have direct access to the LSASS process.
And also, we can do it in the manual way. First we need to locate the Defender signature files. And we can find these in the following location: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup
In our case, we are primarily interested in the mpasbase.vdm file that contain signatures, emulation resources, etc. Then we use this tool to extract it:
Then we will have mpasbase.vdm.extracted file. After that, we opened the extracted file in HxD to search for the GUID of the ASR rule that we wanted to investigate and in our case we searched for Lsass rule (9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2):
And in the picture below we see all the excluded programs for Lsass ASR rule:
After we find and understand what we need now, it's time to let one of these processes access Lsass and dump it. But how will this happen? We will use (Process Hollowing) technique.
You will be wondering why we create a process in a suspended state ? The idea here is to launch a legitimate process, then replace the content of the process with malicious code and then resume it. The picture below is a simple example for the technique:
To achieve this with Process hollowing, we will create a program with the below windows APIs and we will use Lsass dumping shellcode but encrypted with XOR and decrypted when it's running:
So, first in our case we use CreateProcess to lunch (mrt.exe) process with suspended state
Then we query the process using ZwQueryInformationProcess
After that read the bytes from the process using ReadProcessMemory
Now we will copy the shellcode, but first we need to have a shellcode to dump lsass for us and we found it in this blog:
An extra step to evade detection is we use XOR to encrypt the above shellcode:
After XORing our shellcode, we copy it into our program and also use the xor decrypt function to decrypt the shellcode:
Then we write our shellcode using WriteProcessMemory
And the final thing is to resume the thread using ResumeThread
Now it's time to test our program on Windows machine with MD and ASR rule enabled.
In the below demo's we tested our program with two technique:
Locally
Remotely ( without touching desk )
