p1k4chu@p1k4chu-host
Dissecting & Detecting Lsass Shtinkering

A recent attack vector dumps credentials from LSASS.exe by (ab)using Windows Error Reporting.

Link to Presentation: DefCon Media Presentation

Link to Video: Abusing Windows Error Reporting to dump LSASS

What?

We all know that once a user logs in, the credentials are kept in memory, specifically in the process memory of LSASS. Tools like Mimikatz read this memory and steal the credentials. More recently, newer techniques to dump the memory have emerged: procdump, Task Manager and comsvcs.dll (via MiniDump) are already well known and have been seen exploited in the wild.

This is a newer technique to create a dump of lsass.exe using Windows Error Reporting.

At the time of writing (December 2022), this technique is not detected by multiple top security products. It is advisable to leverage the detections in the detection section to protect your organisation.

How?

While the video is the best source for understanding how the entire process works, here's a quick summary:

  • Whenever a process crashes, it can initiate dump creation using WerFault.exe, an inbuilt Windows utility. The command line for such a dumping event looks like this: WerFault.exe -u -p <process_id>

  • However, to create a dump of LSASS, either LSASS itself has to signal Windows Error Reporting over LPC that there is a problem and a dump should be created, or a malicious process can do the same by abusing that functionality in Windows Error Reporting through LPC.

  • The author of the presentation did exactly the second: he built a POC that sends an LPC message to Windows Error Reporting to create a dump of lsass.exe.

Pre-requisites for the attack:

  • Privileged user (NT AUTHORITY\SYSTEM)

    If you have administrative access, you can get a SYSTEM shell using the following command:

    PsExec.exe -i -s cmd.exe

  • User-mode dumping has to be enabled by creating a registry value under HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps; value name: DumpType, data: 2 [DWORD]. The same can be done using the command (without /t REG_DWORD, reg add would create a REG_SZ value):

    reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" /v DumpType /t REG_DWORD /d 2

The Exploit:

  • Download the source code: https://github.com/deepinstinct/Lsass-Shtinkering

  • Compile the source code

  • Open a command prompt as NT AUTHORITY\SYSTEM and run the executable

How to detect?

Here's how the attack is logged on my detection lab.

When observed carefully, the following things stood out:

  • The registry value is created

    • Can be detected using Sysmon (registry event), EDR telemetry, or Windows Security process creation events (if command line logging is enabled)

  • The malicious process spawns WerFault.exe with the parameters -u -p <lsass_process_id> -ip <malicious_process_id> -s 244 (the meaning of 244 is unknown)

    • Can be detected by monitoring process creation events through the Windows Security log, Sysmon or EDR telemetry

  • A dump file is created at C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\

    • Can be detected using file write events, either through Sysmon or EDR telemetry

For detecting the registry value "DumpType" being set to 2, here's a Microsoft Defender for Endpoint (MDE) query:

lsass_shtinkering_reg.kql
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
// RegistryKey holds the key path; the value name lives in RegistryValueName
| where RegistryKey endswith @"\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps"
    or RegistryKey endswith @"\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe"
| where RegistryValueName =~ "DumpType" and RegistryValueData == "2"

For detecting Windows Error Reporting being triggered to dump lsass.exe, here's an MDE query:

lsass_shtinkering_proc.kql
DeviceProcessEvents
| where FolderPath endswith @"\WerFault.exe"
    or ProcessVersionInfoOriginalFileName =~ "WerFault.exe"
    or InitiatingProcessVersionInfoOriginalFileName =~ "WerFault.exe"
// WerFault is asked to dump one process (-p) on behalf of another (-ip)
| where ProcessCommandLine contains " -u -p " and ProcessCommandLine contains " -ip " and ProcessCommandLine contains " -s "
// Both WerFault and its parent run as NT AUTHORITY\SYSTEM (AUTORI covers localised spellings);
// MDE splits the account into domain and name, so the domain columns carry "nt authority"
| where (AccountDomain contains "AUTHORI" or AccountDomain contains "AUTORI")
    and (InitiatingProcessAccountDomain contains "AUTHORI" or InitiatingProcessAccountDomain contains "AUTORI")
// Exclude WerFault launched by lsass itself, i.e. a genuine LSASS crash
| where InitiatingProcessFolderPath !~ @"C:\Windows\System32\lsass.exe"

For detecting the lsass.exe dump file being created, here's an MDE query:

lsass_shtinkering_file.kql
DeviceFileEvents
| where FolderPath startswith @"C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\"
// WER names local dumps <image>.<pid>.dmp
| where FileName startswith "lsass.exe." and FileName endswith ".dmp"

For the generic Sigma signature (which you can convert into any format you'd like), see: https://github.com/SigmaHQ/sigma/pull/3764/files
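As an added example (not code from the original post or from the Lsass-Shtinkering project), the Python below applies the three observations above to Sysmon-style event records: registry value set (Event ID 13), process creation (Event ID 1) and file creation (Event ID 11). The event records, host names, PIDs and paths are constructed for illustration, and the pid-to-image map stands in for the process snapshot a real pipeline would maintain.

```python
"""Detector for the three stages of an LSASS dump via Windows Error Reporting,
applied to Sysmon-style event dicts. Added example; sample data is constructed."""
import re
from dataclasses import dataclass

LOCALDUMPS_KEY = r"\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps"
CRASHDUMPS_DIR = r"C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps"
SYSTEM_MARKERS = ("AUTHORI", "AUTORI")  # NT AUTHORITY plus localised spellings, as in the KQL above


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def _pid_after(flag, argv):
    """Return the integer that follows `flag` in the tokenised command line, or None."""
    for i, tok in enumerate(argv[:-1]):
        if tok == flag and argv[i + 1].isdigit():
            return int(argv[i + 1])
    return None


def check_dumptype(ev):
    """Sysmon Event ID 13: DumpType set to 2 under LocalDumps or LocalDumps\\lsass.exe."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    key, _, value_name = target.rpartition("\\")
    key_u = key.upper()
    in_scope = key_u.endswith(LOCALDUMPS_KEY.upper()) or key_u.endswith((LOCALDUMPS_KEY + r"\lsass.exe").upper())
    if not (in_scope and value_name.lower() == "dumptype"):
        return None
    m = re.search(r"0x([0-9A-Fa-f]+)", ev.get("Details", ""))  # Sysmon renders DWORDs as "DWORD (0x00000002)"
    if m and int(m.group(1), 16) == 2:
        return Alert("wer_localdumps_enabled", ev["Computer"], f"{target} = 2 by {ev.get('Image')}")
    return None


def check_werfault(ev, pid_to_image):
    """Sysmon Event ID 1: WerFault.exe told to dump lsass (-p <lsass pid>) on behalf of another
    process (-ip <requester pid>), running as SYSTEM, with a parent that is not lsass itself."""
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\werfault.exe"):
        return None
    argv = ev.get("CommandLine", "").split()
    target_pid, requester_pid = _pid_after("-p", argv), _pid_after("-ip", argv)
    if target_pid is None or requester_pid is None or "-u" not in argv or "-s" not in argv:
        return None
    if not pid_to_image.get(target_pid, "").lower().endswith("\\lsass.exe"):
        return None
    if ev.get("ParentImage", "").lower().endswith("\\lsass.exe"):
        return None  # a genuine lsass crash: WER is invoked by lsass itself
    if not any(marker in ev.get("User", "").upper() for marker in SYSTEM_MARKERS):
        return None
    requester = pid_to_image.get(requester_pid, f"pid {requester_pid}")
    return Alert("werfault_lsass_dump", ev["Computer"], f"requested by {requester}, parent {ev.get('ParentImage')}")


def check_dump_file(ev):
    """Sysmon Event ID 11: lsass.exe.<pid>.dmp written to the SYSTEM profile's CrashDumps folder."""
    if ev.get("EventID") != 11:
        return None
    path = ev.get("TargetFilename", "")
    folder, _, name = path.rpartition("\\")
    if folder.lower() == CRASHDUMPS_DIR.lower() and name.lower().startswith("lsass.exe.") and name.lower().endswith(".dmp"):
        return Alert("lsass_dump_written", ev["Computer"], path)
    return None


def detect(events, pid_to_image):
    """Run all three checks over an event stream and return alerts in event order."""
    alerts = []
    for ev in events:
        for hit in (check_dumptype(ev), check_werfault(ev, pid_to_image), check_dump_file(ev)):
            if hit:
                alerts.append(hit)
    return alerts


def hosts_with_full_chain(alerts):
    """Hosts on which all three stages were seen: high confidence that lsass was dumped via WER."""
    seen = {}
    for a in alerts:
        seen.setdefault(a.host, set()).add(a.rule)
    required = {"wer_localdumps_enabled", "werfault_lsass_dump", "lsass_dump_written"}
    return sorted(host for host, rules in seen.items() if rules >= required)


# Constructed sample telemetry (illustrative hosts, PIDs and paths, not captured from a real system).
PID_TO_IMAGE = {712: r"C:\Windows\System32\lsass.exe", 5120: r"C:\Users\Public\shtinkering.exe"}
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 712 -ip 5120 -s 244",
     "ParentImage": r"C:\Users\Public\shtinkering.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 11, "Computer": "WS01", "Image": r"C:\Windows\System32\WerFault.exe",
     "TargetFilename": r"C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\lsass.exe.712.dmp"},
    # Benign: WER handling the crash of an ordinary user application, so no alert is expected.
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 4408 -ip 4408 -s 300",
     "ParentImage": r"C:\Program Files\Editor\editor.exe", "User": r"CORP\alice"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS, PID_TO_IMAGE)
    for a in found:
        print(f"[{a.rule}] {a.host}: {a.detail}")
    print("full chain on:", hosts_with_full_chain(found))
```

The three single-stage checks mirror the KQL queries above; hosts_with_full_chain escalates only where all three stages land on the same host, which is the combination that separates this technique from WER legitimately dumping some other crashed process.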

(Embedded media: Simulation of LSASS Shtinkering)