Dissecting & Detecting Lsass Shtinkering
There was a recent attack vector to dump credentials from LSASS.exe (ab)using Windows Error Reporting.
Link to Presentation: DefCon Media Presentation
Link to Video: Abusing Windows Error Reporting to dump LSASS
What?
We all know that once a user logs in, the credentials are stored in memory, specifically in LSASS's process memory. Tools like Mimikatz read this memory and stole the credentials from it. More recently, newer techniques to dump the memory have emerged. Several techniques, such as procdump, Task Manager and comsvcs (using MiniDump), are already known and have been seen exploited in the wild.
This is a newer technique to create a dump of lsass.exe using Windows Error Reporting.
At the time of writing (December 2022), this technique is not detected by multiple top security products. It's advisable to leverage the detections in the detection section below to protect your organisation.
How?
While the video is the best source for understanding how the entire process works, here's a quick summary:
Whenever a process crashes, it can initiate dump creation using WerFault.exe, an inbuilt Windows utility. The command line for such a dumping event would look something like this: WerFault.exe -u -p <process_id>
However, to create a dump of LSASS, either LSASS itself needs to signal Windows Error Reporting over LPC that there is a problem and a dump should be created, or a malicious process can send that same LPC message, abusing the functionality in Windows Error Reporting.
The author of the presentation did exactly the second: he successfully created a POC which sends an LPC message to Windows Error Reporting to create a dump of lsass.exe.
Pre-requisites for the attack:
Privileged user (NT AUTHORITY\SYSTEM)
If you have administrative access, you can get it using the following command:
User mode dumping has to be enabled by creating a registry key at HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDump; Key: DumpType and Value: 2 [DWORD]. The same can be done using the command:
The Exploit:
Download the source code: https://github.com/deepinstinct/Lsass-Shtinkering
Compile the source code
Create a command prompt with NT AUTHORITY\SYSTEM and run the executable
How to detect?
Here's how the attack is logged in my detection lab.
When observed carefully, the following things stood out:
A registry value is created
This can be detected using Sysmon (Registry Event), EDR telemetry, or the Windows Security process creation log with its command line (if command-line logging is enabled)
The malicious process spawns WerFault.exe with the parameters -u -p <lsass_process_id> -ip <malicious_process_id> -s 244 (unknown)
This can be detected by monitoring process events through the Windows Security log, Sysmon, or EDR telemetry
A dump file is created at C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\
This can be detected using file write events, either through Sysmon or EDR telemetry
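The three artefacts above correlated in one pass over a handful of constructed Sysmon-style events (registry set, process create, file create), as an added example; this is not the author's MDE queries or Sigma rule, and the parent image path and PIDs are made up:

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events only (Sysmon IDs 13 = registry set, 1 = process create,
# 11 = file create). Paths, PIDs and the "shtinker.exe" parent are hypothetical.
EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDump\DumpType",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\lsass.exe", "ProcessId": 712,
     "ParentImage": r"C:\Windows\System32\wininit.exe", "CommandLine": "lsass.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WerFault.exe", "ProcessId": 4410,
     "ParentImage": r"C:\Users\Public\shtinker.exe",
     "CommandLine": r"C:\Windows\system32\WerFault.exe -u -p 712 -ip 3330 -s 244"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WerFault.exe", "ProcessId": 5120,
     "ParentImage": r"C:\Windows\System32\notepad.exe",   # an ordinary app crash
     "CommandLine": r"C:\Windows\system32\WerFault.exe -u -p 5000 -s 1200"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WerFault.exe",
     "TargetFilename": r"C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\lsass.dmp"},
]

WER_KEY = "\\windows error reporting\\localdump"   # prefix also covers the "LocalDumps" spelling
CRASHDUMPS = "\\appdata\\local\\crashdumps\\"
ARG = re.compile(r"(?:^|\s)-(p|ip)\s+(\d+)")       # pulls -p <pid> and -ip <pid> out of the command line

def basename(path):
    return PureWindowsPath(path).name.lower()

def lsass_pids(events):
    """PIDs of lsass.exe seen starting in this event stream."""
    return {e["ProcessId"] for e in events if e["EventID"] == 1 and basename(e["Image"]) == "lsass.exe"}

def detect(events):
    """Return (stage, detail) findings for the registry, WerFault and dump-file artefacts."""
    lsass, hits = lsass_pids(events), []
    for e in events:
        if e["EventID"] == 13:
            target = e["TargetObject"].lower()
            if WER_KEY in target and target.endswith("\\dumptype") and "0x00000002" in e["Details"]:
                hits.append(("registry", e["TargetObject"]))
        elif e["EventID"] == 1 and basename(e["Image"]) == "werfault.exe":
            args = {k: int(v) for k, v in ARG.findall(e["CommandLine"])}
            # -p is the process being dumped; -ip carries the pid of the process that asked for it
            if args.get("p") in lsass and args.get("ip") != args.get("p"):
                hits.append(("werfault", f"requested by pid {args.get('ip')} from {e['ParentImage']}"))
        elif e["EventID"] == 11 and CRASHDUMPS in e["TargetFilename"].lower():
            name = basename(e["TargetFilename"])
            if name.startswith("lsass") and name.endswith(".dmp"):
                hits.append(("dumpfile", e["TargetFilename"]))
    return hits
```

The ordinary notepad crash is left alone because its -p does not name an lsass PID; the lsass-targeted WerFault launch, the DumpType=2 write and the lsass.dmp file each produce one finding.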
For detecting the registry value "DumpType" being set to 2, here's a Microsoft Defender for Endpoint (MDE) query:
For detecting Windows Error Reporting being triggered to dump lsass.exe, here's an MDE query:
For detecting lsass.dmp being created, here's an MDE query:
For the generic Sigma signature (for converting it into any format you'd like, check this: https://github.com/SigmaHQ/sigma/pull/3764/files):