Dissecting & Detecting Lsass Shtinkering

PreviousEDR Silencer - Embracing the Silence NextDetecting malicious OOB: Part -1: Hunting for OOB server - Interact.sh

Last updated 1 year ago

Was this helpful?

Dissecting & Detecting Lsass Shtinkering

There was a recent attack vector to dump credentials from LSASS.exe (ab)using Windows Error Reporting.

Link to Presentation:

Link to Video:

What?

We all know that once a user logins, the credentials are stored in the memory and to be specific, in LSASS's process memory. This memory was read and credential was stolen by tools like Mimikatz. More recently, newer techniques to dump the memory have emerged. Several techniques like procdump, task manager, comsvcs (using Minidump) are already present and are seen exploited in the wild.

This is a newer technique to create a dump of lsass.exe using Windows Error Reporting.

At the time of writing (December 2022), this technique is not detected by Multiple top security products. It's advisible to leverage the detections present in the detection section to protect your organisation.

How?

While the video is a supreme source of understanding how the entire process works, here's a quick summary of the same:

Whenever a process crashes, it can initiate a dump creation using WerFault.exe, an inbuilt utility in Windows. The command line for such a dumping event would be something like this: WeFault.exe -u -p <process_id>
However, to create LSASS's dump, either LSASS need to send a signal through LPC to Windows Error Reporting that there's a problem, create a dump or a malicious process can do that abusing the functionality in Windows Error Reporting through LPC.
The author of the presentation has exactly done the second one where he successfully created a POC which would send an LPC to Windows Error Reporting to create a dump of Lsass.exe.

Pre-requisites for the attack:

Privileged User (NT AUTHORITY\SYSTEM)
If you have an administrative access, you can get it using the following command

PsExec.exe -i -s cmd.exe

The user mode dumping has be enabled by creating a registry key at HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDump; Key: DumpType and Value: 2 [DWORD]; The same can be done using the command:

reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" /v DumpType /d 2

The Exploit:

Compile source code
Create a command prompt with NT AUTHORITY\SYSTEM and run the executable

How to detect?

Here's how the attack is logged on my detection lab.

When observed carefully, the following things stood out:

Registry value is created
- Can be detected using Sysmon (Registry Event) or EDR's telemetry or Windows Security Process Command Line (if Command line logging is enabled)
Malicious process spawns WerFault.exe with the parameters -u -p <lsass_process_id> -ip <malicious_process_id> -s 244 (unknown)
- Can be detected by monitoring Process Events through Windows Security log or Sysmon or EDR Telemetry
A dump file is created at C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\
- Can be detected using File Write events either through Sysmon or EDR Telemetry

For detecting the registry key "DumpType" 's value to 2, here's a Microsoft Defender for Endpoint (MDE) query:

lsass_shtinkering_reg.kql

DeviceRegistryEvents | where (ActionType == "RegistryValueSet" and RegistryKey == "\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType" or RegistryKey == "\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe\DumpType" and ActionType == "SetValue")

For detecting the Windows Error Reporting being triggered to dump lsass.exe, here's an MDE query:

lsass_shtinkering_proc.kql

DeviceProcessEvents 
| where ((((FolderPath endswith @'\Werfault.exe') or (InitiatingProcessVersionInfoOriginalFileName =~ @'WerFault.exe') or (ProcessVersionInfoOriginalFileName =~ @'WerFault.exe')) and ((ParentUser contains @'AUTHORI' or ParentUser contains @'AUTORI') and (((AccountUpn contains @'AUTHORI' or AccountUpn contains @'AUTORI')) or ((AccountName contains @'AUTHORI' or AccountName contains @'AUTORI'))) and (ProcessCommandLine contains @' -u -p ' and ProcessCommandLine contains @' -ip ' and ProcessCommandLine contains @' -s '))) and ((InitiatingProcessFolderPath !~ @'C:\Windows\System32\lsass.exe')))

For detecting the lsass.dmp being created, here's an MDE query:

lsass_shtinkering_file.kql

DeviceFileEvents 
| where (FolderPath startswith @'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\' and FolderPath contains @'lsass.exe.' and FolderPath endswith @'.dmp')

PreviousEDR Silencer - Embracing the Silence NextDetecting malicious OOB: Part -1: Hunting for OOB server - Interact.sh

Last updated 1 year ago

Was this helpful?

There was a recent attack vector to dump credentials from LSASS.exe (ab)using Windows Error Reporting.

Link to Presentation:

Link to Video:

What?

This is a newer technique to create a dump of lsass.exe using Windows Error Reporting.

How?

While the video is a supreme source of understanding how the entire process works, here's a quick summary of the same:

Whenever a process crashes, it can initiate a dump creation using WerFault.exe, an inbuilt utility in Windows. The command line for such a dumping event would be something like this: WeFault.exe -u -p <process_id>
However, to create LSASS's dump, either LSASS need to send a signal through LPC to Windows Error Reporting that there's a problem, create a dump or a malicious process can do that abusing the functionality in Windows Error Reporting through LPC.
The author of the presentation has exactly done the second one where he successfully created a POC which would send an LPC to Windows Error Reporting to create a dump of Lsass.exe.

Pre-requisites for the attack:

Privileged User (NT AUTHORITY\SYSTEM)
If you have an administrative access, you can get it using the following command

PsExec.exe -i -s cmd.exe

The user mode dumping has be enabled by creating a registry key at HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDump; Key: DumpType and Value: 2 [DWORD]; The same can be done using the command:

reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" /v DumpType /d 2

The Exploit:

Download the source code:
Compile source code
Create a command prompt with NT AUTHORITY\SYSTEM and run the executable

How to detect?

Here's how the attack is logged on my detection lab.

When observed carefully, the following things stood out:

Registry value is created
- Can be detected using Sysmon (Registry Event) or EDR's telemetry or Windows Security Process Command Line (if Command line logging is enabled)
Malicious process spawns WerFault.exe with the parameters -u -p <lsass_process_id> -ip <malicious_process_id> -s 244 (unknown)
- Can be detected by monitoring Process Events through Windows Security log or Sysmon or EDR Telemetry
A dump file is created at C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\
- Can be detected using File Write events either through Sysmon or EDR Telemetry

For detecting the registry key "DumpType" 's value to 2, here's a Microsoft Defender for Endpoint (MDE) query:

lsass_shtinkering_reg.kql

DeviceRegistryEvents | where (ActionType == "RegistryValueSet" and RegistryKey == "\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType" or RegistryKey == "\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe\DumpType" and ActionType == "SetValue")

For detecting the Windows Error Reporting being triggered to dump lsass.exe, here's an MDE query:

lsass_shtinkering_proc.kql

DeviceProcessEvents 
| where ((((FolderPath endswith @'\Werfault.exe') or (InitiatingProcessVersionInfoOriginalFileName =~ @'WerFault.exe') or (ProcessVersionInfoOriginalFileName =~ @'WerFault.exe')) and ((ParentUser contains @'AUTHORI' or ParentUser contains @'AUTORI') and (((AccountUpn contains @'AUTHORI' or AccountUpn contains @'AUTORI')) or ((AccountName contains @'AUTHORI' or AccountName contains @'AUTORI'))) and (ProcessCommandLine contains @' -u -p ' and ProcessCommandLine contains @' -ip ' and ProcessCommandLine contains @' -s '))) and ((InitiatingProcessFolderPath !~ @'C:\Windows\System32\lsass.exe')))

For detecting the lsass.dmp being created, here's an MDE query:

lsass_shtinkering_file.kql

DeviceFileEvents 
| where (FolderPath startswith @'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\' and FolderPath contains @'lsass.exe.' and FolderPath endswith @'.dmp')

For the generic sigma signature (for converting this into any format you'd like, check this: