Skip to content
Threat Feed
medium advisory

LSASS Shtinkering Detection via Full User-Mode Dump Configuration

Detection of the enabling of full user-mode dumps system-wide, a setting change leveraged in LSASS Shtinkering attacks to dump LSASS process memory and steal credentials.

This threat brief focuses on detecting a specific configuration change that facilitates the LSASS Shtinkering attack. LSASS Shtinkering is a credential access technique where attackers abuse the Windows Error Reporting (WER) functionality to create a memory dump of the LSASS process, which contains sensitive credentials. This attack avoids directly injecting malware into LSASS. The specific configuration change involves enabling full user-mode dumps system-wide, which is not enabled by default. Applications must create their own registry subkeys to collect dumps but system wide enabling will affect LSASS too. This setting can be modified via the registry, making it detectable through registry monitoring.

Attack Chain

  1. The attacker gains initial access to the target system, potentially through methods unrelated to the LSASS Shtinkering technique itself (e.g., phishing, compromised credentials).
  2. The attacker modifies the registry to enable full user-mode dumps system-wide by setting the DumpType value under HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps to "2" or "0x00000002".
  3. The attacker triggers a crash or forces a dump of the LSASS process, either directly or by manipulating a dependent service or application.
  4. Windows Error Reporting generates a dump file of the LSASS process memory in the location specified under the LocalDumps registry key.
  5. The attacker accesses the generated LSASS dump file.
  6. The attacker extracts credentials from the LSASS dump file using tools or techniques designed for this purpose.
  7. The attacker uses the extracted credentials for lateral movement, privilege escalation, or other malicious activities within the compromised environment.

Impact

Successful exploitation via LSASS Shtinkering allows attackers to steal credentials stored in LSASS memory, including domain administrator accounts. This can lead to widespread compromise of the targeted network, enabling data exfiltration, ransomware deployment, or other high-impact outcomes. The primary impact is unauthorized access to sensitive resources and systems due to credential theft.

Recommendation

  • Deploy the Sigma rule Full User-Mode Dumps Enabled System-Wide to detect the enabling of full user-mode dumps via registry modification.
  • Enable Sysmon registry event logging to capture the necessary registry modifications.
  • Review and restrict permissions on the HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps registry key to prevent unauthorized modifications (reference: MITRE T1112).
  • Investigate any alerts generated by the Sigma rule by examining the process responsible for the registry change and correlating with other security events.

Detection coverage 2

Full User-Mode Dumps Enabled System-Wide

medium

Detects modification of the registry to enable full user-mode dumps, excluding standard svchost.exe activity.

sigma tactics: credential_access, defense_evasion techniques: T1003.001, T1112 sources: registry_set, windows

Full User-Mode Dumps Enabled System-Wide - No svchost filter

medium

Detects modification of the registry to enable full user-mode dumps without filtering for svchost process.

sigma tactics: credential_access, defense_evasion techniques: T1003.001, T1112 sources: registry_set, windows

Detection queries are available on the platform. Get full rules →