
# Dumping Lsass with trusted processes

In today's blog we will go through the following points:

* **What is LSASS**
* **Why LSASS**
* **LSASS Dumping Techniques**
* **ASR Rules**
* **Proof of Concept**
* **Demo**
* **References**

### What is LSASS

LSASS (Local Security Authority Subsystem Service) is the process on Microsoft Windows that handles all user authentication, password changes, creation of access tokens, and enforcement of security policies. This means the process stores multiple forms of hashed passwords, and in some instances even stores plaintext user passwords.\
From this we can understand that LSASS is a very important process.\
We can find the lsass process in Task Manager -> Details -> lsass.exe:

<figure><img src="/files/yhPhZzvMiLu1MQeL6e0V" alt=""><figcaption></figcaption></figure>

LSASS contains valuable authentication data such as:

* Encrypted passwords
* NT hashes
* LM hashes
* Kerberos tickets
* Cleartext credentials (if WDigest is enabled)

### **Why LSASS?**

Adversaries or attackers commonly abuse the Local Security Authority Subsystem Service (LSASS) to dump credentials for privilege escalation, data theft, and lateral movement. The process is a fruitful target for adversaries because of the sheer amount of sensitive information it stores in memory.

### **LSASS Dumping Techniques**

There are several techniques and tools to dump LSASS, such as:

* **Task Manager**
* **Procdump**
* **comsvcs.dll**
* **Mimikatz**
* **PPLdump**
* **HandleKatz**
* **nanodump**
* **safetykatz**
* **.......**

### ASR Rules

Attack surface reduction rules (ASR rules) help prevent actions that malware often abuses to compromise devices and networks. ASR can help detect and prevent targeted exploits. By restricting the ways in which attackers can infiltrate a system, ASR provides an additional layer of defense against cyber threats.\
In the picture below we can see all ASR rules and their GUIDs:

<figure><img src="/files/6SY2boSLzNQLdDY632K8" alt=""><figcaption><p>ASR Rules</p></figcaption></figure>

### Proof Of Concept

So now that we understand what LSASS is and why it is important to attackers, we will look at it from the attacker's side to see how it is exploited and how the information is extracted. When we try the above techniques, Microsoft Defender flags them as malicious because the ASR rule prevents untrusted processes from having direct access to LSASS memory. The picture below explains the LSASS ASR rule:

<figure><img src="/files/sswhJ97G80k31gWu4YfJ" alt=""><figcaption><p>Lsass Rule</p></figcaption></figure>

Now that we understand the rule, our goal is to find a process that is trusted for direct access. After searching on the internet, I found an interesting repository on GitHub that contains all the ASR rules:

{% embed url="<https://github.com/HackingLZ/ExtractedDefender>" %}

Then we go to the LSASS rule (**9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2**) page to read the rule.\
The picture below shows the rule **Name**, **Description** and **GetMonitoredLocations**.

<figure><img src="/files/ZtoZJD24CjybdtgJeuJo" alt=""><figcaption><p>Information</p></figcaption></figure>

So, it functions by filtering the handle returned from OpenProcess to remove read access to the process memory, thus preventing its contents from being dumped. At the same time, we found **GetPathExclusions**, which contains all the processes that are excluded from the rule and are therefore allowed direct access to the LSASS process.

<figure><img src="/files/LIYAQgSRieYqwDr48N1M" alt=""><figcaption><p><strong>GetPathExclusions</strong> </p></figcaption></figure>

We can also do this manually. First we need to locate the Defender signature files, which can be found in the following location: `C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup`

In our case, we are primarily interested in the **mpasbase.vdm** file, which contains signatures, emulation resources, etc. Then we use this tool to extract it:

{% embed url="<https://github.com/hfiref0x/WDExtract/>" %}

Then we will have an mpasbase.vdm.extracted file. After that, we open the extracted file in HxD and search for the GUID of the ASR rule we want to investigate; in our case we searched for the LSASS rule (**9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2**):

<figure><img src="/files/YYPI9Yvq2kAqGjU4mZm5" alt="" width="563"><figcaption></figcaption></figure>

In the picture below we see all the excluded programs for the LSASS ASR rule:

<figure><img src="/files/QuG321h7C32IkvsI6YdZ" alt="" width="563"><figcaption><p>#Note: <em>It's important to keep in mind that the paths you see in the hex dump are not always exclusions.</em> You will need to do some testing, or you can use the GitHub repository linked above, which includes this already extracted data for you.</p></figcaption></figure>
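The manual HxD search above can be scripted. The following is an added example, not code from the post or from WDExtract: it scans a byte blob for the rule GUID in both ASCII and UTF-16LE encodings and lists the path-looking UTF-16LE strings that follow it. The sample blob is constructed here to mimic the layout the post describes (a GUID followed by path strings); it is not real Defender data, and the 256-byte window is an assumption. As the post's note says, the strings found this way are only candidates and still need testing.

```python
import re

# The LSASS ASR rule GUID from the post.
LSASS_RULE_GUID = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2"


def build_sample_blob() -> bytes:
    """Constructed stand-in for a slice of an extracted definition file.

    This is NOT real Defender data. It only mimics the layout described in the
    post: the rule GUID encoded as UTF-16LE, followed by UTF-16LE path strings.
    mrt.exe is the trusted process the post itself uses; the other path is made up.
    """
    parts = [
        b"\x00" * 16,
        "unrelated\\path\\before.exe".encode("utf-16-le"),
        b"\x00" * 8,
        LSASS_RULE_GUID.encode("utf-16-le"),
        b"\x00" * 4,
        "%programfiles%\\example vendor\\agent.exe".encode("utf-16-le"),
        b"\x00\x00",
        "%windir%\\system32\\mrt.exe".encode("utf-16-le"),
        b"\x00" * 64,
    ]
    return b"".join(parts)


def find_guid_offsets(blob: bytes, guid: str) -> list:
    """Return (offset, encoding) for every ASCII or UTF-16LE occurrence of the GUID."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        needle = guid.encode(enc)
        start = 0
        while True:
            idx = blob.find(needle, start)
            if idx < 0:
                break
            hits.append((idx, enc))
            start = idx + 1
    return hits


def utf16_strings(data: bytes, min_len: int = 6) -> list:
    """Extract runs of at least min_len printable UTF-16LE characters."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def path_candidates_near(blob: bytes, guid: str, window: int = 256) -> list:
    """List path-like UTF-16LE strings within `window` bytes after each GUID hit.

    These are candidates only: proximity to the GUID in the file does not prove
    that a path is an exclusion (see the post's note).
    """
    candidates = []
    for offset, _encoding in find_guid_offsets(blob, guid):
        region = blob[offset:offset + window]
        for s in utf16_strings(region):
            if s.lower() == guid.lower():
                continue  # skip the GUID itself
            if "\\" in s or s.startswith("%"):
                candidates.append(s)
    return candidates


if __name__ == "__main__":
    sample = build_sample_blob()
    for offset, encoding in find_guid_offsets(sample, LSASS_RULE_GUID):
        print(f"GUID found at offset {offset} ({encoding})")
    for path in path_candidates_near(sample, LSASS_RULE_GUID):
        print("candidate:", path)
```

To run it against a real extracted file, replace `build_sample_blob()` with the bytes read from `mpasbase.vdm.extracted`; scanning both encodings matters because the definitions store strings in UTF-16LE, where an ASCII search for the GUID finds nothing.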

Now that we have found what we need, it's time to let one of these processes access LSASS and dump it. But how will this happen? We will use the **Process Hollowing** technique.

{% hint style="info" %}
**Process hollowing** is commonly performed by creating a process in a **suspended** state then unmapping/hollowing its memory, which can then be replaced with malicious code.
{% endhint %}

You may be wondering why we create a process in a suspended state. The idea is to launch a legitimate process, replace its content with malicious code, and then resume it. The picture below is a simple example of the technique:

<figure><img src="/files/vOxPfpppipDRpYHZm5Wv" alt=""><figcaption></figcaption></figure>

To achieve this with process hollowing, we will create a program using the Windows APIs shown below, and we will use LSASS-dumping shellcode that is XOR-encrypted and decrypted at runtime:

<figure><img src="/files/Qj4SLLHf7epHHRknyMuJ" alt="" width="375"><figcaption><p><strong>Process hollowing</strong></p></figcaption></figure>

So, first in our case we use CreateProcess to launch the (mrt.exe) process in a suspended state.

<figure><img src="/files/KlF15fgAe8kdmk6JWcpi" alt=""><figcaption><p>CreateProcess</p></figcaption></figure>

Then we query the process using ZwQueryInformationProcess.

<figure><img src="/files/2Qa936xpIluAkNYNbKTm" alt=""><figcaption><p>ZwQueryInformationProcess</p></figcaption></figure>

After that, we read the bytes from the process using ReadProcessMemory.

<figure><img src="/files/Gg6LOHaUFhTwSgwiO7so" alt=""><figcaption></figcaption></figure>

Now we will copy the shellcode, but first we need shellcode that dumps LSASS for us; we found it in this blog:

{% embed url="<https://osandamalith.com/2019/05/11/shellcode-to-dump-the-lsass-process/>" %}

As an extra step to evade detection, we XOR-encrypt the above shellcode:

<figure><img src="/files/1P28e9Ah4DJCo9rOKTIE" alt=""><figcaption></figcaption></figure>

After XORing our shellcode, we copy it into our program and use the XOR decrypt function to decrypt it at runtime:

<figure><img src="/files/tqJQRCJ44XHQpd4bha70" alt=""><figcaption></figcaption></figure>

Then we write our shellcode using WriteProcessMemory.

<figure><img src="/files/57Sv4gRsplFVxUp7Xcwo" alt=""><figcaption></figcaption></figure>

The final step is to resume the thread using ResumeThread.

<figure><img src="/files/KWJoo2OoCWh53WzlnNjX" alt=""><figcaption></figcaption></figure>

Now it's time to test our program on a Windows machine with Microsoft Defender and the ASR rule enabled.
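The bypass relies on the ASR rule trusting an image path, so a defender cannot rely on the image path alone either. The following is an added detection example, not code from the post: it runs over constructed Sysmon Event ID 10 (ProcessAccess) records, flattened to key=value lines, and flags (a) any non-trusted image that obtains a handle to lsass.exe with PROCESS_VM_READ, and (b) a trusted image whose CallTrace contains an UNKNOWN frame, meaning the thread requesting the handle runs from memory no loaded module backs, which is what a hollowed mrt.exe looks like. The trusted list containing only mrt.exe, the log field names, the access masks and the timestamps are assumptions made for the sample.

```python
import re
from typing import Optional

# Access-right bits from the Win32 process access mask.
PROCESS_VM_READ = 0x0010

# Images the LSASS ASR rule exclusion list treats as trusted for direct access.
# Assumption for this example: only mrt.exe (the process used in the post); the
# real list must be taken from the definitions or the linked repository.
TRUSTED_SOURCE_IMAGES = {
    r"c:\windows\system32\mrt.exe",
}

# Constructed Sysmon Event ID 10 records (not real logs). Field names follow the
# Sysmon ProcessAccess schema; timestamps, PIDs-free paths and call traces are made up.
SAMPLE_EVENTS = [
    "UtcTime=2024-01-01 10:00:01 SourceImage=C:\\Windows\\System32\\mrt.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010 "
    "CallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9d4e4|C:\\Windows\\System32\\KERNELBASE.dll+2e38b|C:\\Windows\\System32\\mrt.exe+1a2b",
    "UtcTime=2024-01-01 10:00:02 SourceImage=C:\\Windows\\System32\\mrt.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF "
    "CallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9d4e4|C:\\Windows\\System32\\KERNELBASE.dll+2e38b|UNKNOWN(0000020A4B3C0010)",
    "UtcTime=2024-01-01 10:00:03 SourceImage=C:\\Users\\bob\\tool.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010 CallTrace=...",
    "UtcTime=2024-01-01 10:00:04 SourceImage=C:\\Windows\\System32\\svchost.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000 CallTrace=...",
    "UtcTime=2024-01-01 10:00:05 SourceImage=C:\\Windows\\System32\\mrt.exe "
    "TargetImage=C:\\Windows\\explorer.exe GrantedAccess=0x1010 CallTrace=...",
]

# key=value pairs; values may contain spaces (UtcTime), so stop only before the next "Key=".
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Parse one flattened Sysmon record into a field dictionary."""
    return dict(_FIELD_RE.findall(line))


def assess(event: dict) -> Optional[str]:
    """Return a finding label for an LSASS access event, or None if it looks benign."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return None
    access = int(event.get("GrantedAccess", "0"), 16)
    if not access & PROCESS_VM_READ:
        return None  # no memory-read right granted, so the memory cannot be dumped
    source = event.get("SourceImage", "").lower()
    if source not in TRUSTED_SOURCE_IMAGES:
        return "untrusted-source-read-access"
    if "UNKNOWN" in event.get("CallTrace", ""):
        # Trusted image on disk, but the requesting thread executes from memory that
        # no loaded module backs: consistent with a hollowed or injected process.
        return "trusted-source-unbacked-calltrace"
    return None


def scan(lines) -> list:
    """Return (UtcTime, SourceImage, label) for every suspicious record."""
    findings = []
    for line in lines:
        event = parse_event(line)
        label = assess(event)
        if label:
            findings.append((event["UtcTime"], event["SourceImage"], label))
    return findings


if __name__ == "__main__":
    for when, image, label in scan(SAMPLE_EVENTS):
        print(f"{when} {image}: {label}")
```

The first mrt.exe record is left alone because the ASR exclusion makes that access expected and its call trace is fully module-backed; the second is flagged even though the image path is trusted. The svchost.exe record is ignored because 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) carries no read right.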

### **Demo**

In the demos below we tested our program in two ways:

Locally

<figure><img src="/files/QL01AHxmElhjgUHvw4UQ" alt=""><figcaption></figcaption></figure>

Remotely (without touching disk)

<figure><img src="/files/CWoDYnzSKSELK1y48TmY" alt=""><figcaption></figcaption></figure>

### References

{% embed url="<https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service>" %}

{% embed url="<https://www.thewindowsclub.com/what-is-lsass-exe-in-windows-10>" %}

{% embed url="<https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide>" %}

{% embed url="<https://github.com/commial/experiments/tree/master/windows-defender/ASR>" %}

{% embed url="<https://redcanary.com/threat-detection-report/techniques/lsass-memory/>" %}

{% embed url="<https://blog.0x4.xyz/bypassing-windows-protection-mechanisms/bypass-asr-rule-and-dump-lsass>" %}

{% embed url="<https://attack.mitre.org/techniques/T1003/001/>" %}

{% embed url="<https://attack.mitre.org/techniques/T1055/012/>" %}
