LSASS Shtinkering Detection via Full User-Mode Dump Configuration
Detection of the enabling of full user-mode dumps system-wide, a setting change leveraged in LSASS Shtinkering attacks to dump LSASS process memory and steal credentials.
This threat brief focuses on detecting a specific configuration change that facilitates the LSASS Shtinkering attack. LSASS Shtinkering is a credential access technique where attackers abuse the Windows Error Reporting (WER) functionality to create a memory dump of the LSASS process, which contains sensitive credentials. This attack avoids directly injecting malware into LSASS. The specific configuration change involves enabling full user-mode dumps system-wide, which is not enabled by default. Applications must create their own registry subkeys to collect dumps but system wide enabling will affect LSASS too. This setting can be modified via the registry, making it detectable through registry monitoring.
Attack Chain
- The attacker gains initial access to the target system, potentially through methods unrelated to the LSASS Shtinkering technique itself (e.g., phishing, compromised credentials).
- The attacker modifies the registry to enable full user-mode dumps system-wide by setting the
DumpTypevalue underHKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumpsto "2" or "0x00000002". - The attacker triggers a crash or forces a dump of the LSASS process, either directly or by manipulating a dependent service or application.
- Windows Error Reporting generates a dump file of the LSASS process memory in the location specified under the
LocalDumpsregistry key. - The attacker accesses the generated LSASS dump file.
- The attacker extracts credentials from the LSASS dump file using tools or techniques designed for this purpose.
- The attacker uses the extracted credentials for lateral movement, privilege escalation, or other malicious activities within the compromised environment.
Impact
Successful exploitation via LSASS Shtinkering allows attackers to steal credentials stored in LSASS memory, including domain administrator accounts. This can lead to widespread compromise of the targeted network, enabling data exfiltration, ransomware deployment, or other high-impact outcomes. The primary impact is unauthorized access to sensitive resources and systems due to credential theft.
Recommendation
- Deploy the Sigma rule
Full User-Mode Dumps Enabled System-Wideto detect the enabling of full user-mode dumps via registry modification. - Enable Sysmon registry event logging to capture the necessary registry modifications.
- Review and restrict permissions on the
HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumpsregistry key to prevent unauthorized modifications (reference: MITRE T1112). - Investigate any alerts generated by the Sigma rule by examining the process responsible for the registry change and correlating with other security events.
Detection coverage 2
Full User-Mode Dumps Enabled System-Wide
mediumDetects modification of the registry to enable full user-mode dumps, excluding standard svchost.exe activity.
Full User-Mode Dumps Enabled System-Wide - No svchost filter
mediumDetects modification of the registry to enable full user-mode dumps without filtering for svchost process.
Detection queries are available on the platform. Get full rules →