{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/windows-error-reporting/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","Windows Error Reporting"],"_cs_severities":["medium"],"_cs_tags":["credential-access","windows","lsass","wepw"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThe LSASS Shtinkering attack abuses Windows Error Reporting (WER) to dump the memory of the LSASS process, which holds credential material such as NTLM hashes and Kerberos tickets. Once full user-mode dumps are enabled system-wide, the attacker reports a fake crash of LSASS to WER, and WER itself writes a full dump of the process to disk. Full dumps are not enabled by default: turning them on means setting the \u003ccode\u003eDumpType\u003c/code\u003e value under \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\u003c/code\u003e, which requires local administrator or SYSTEM privileges. DeepInstinct researchers presented the attack at DEF CON 30, showing how to obtain credentials without injecting code into LSASS. Because the dump is produced by WER\u0026rsquo;s own signed components rather than by a known dumping tool reading LSASS memory, detections keyed on malware signatures or on familiar credential-dumping tooling can miss it, which makes the technique a stealthy route to credential theft. 
Defenders should monitor for modifications to the WER \u003ccode\u003eLocalDumps\u003c/code\u003e registry settings: the change is a prerequisite for the dump, so it is the earliest point at which this attack can be detected and blocked.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, for example through phishing or exploitation of a vulnerability, and escalates to local administrator or SYSTEM.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eDumpType\u003c/code\u003e value under \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\u003c/code\u003e to \u003ccode\u003e2\u003c/code\u003e (full dump), which enables full user-mode dumps system-wide; in Sysmon registry events the data is logged as \u003ccode\u003eDWORD (0x00000002)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers or fakes a crash of the LSASS process. In the Shtinkering technique the crash is faked, so LSASS keeps running and no authentication outage draws attention.\u003c/li\u003e\n\u003cli\u003eWindows Error Reporting (WER) generates a full user-mode dump of the LSASS process; the read of LSASS memory is performed by WER\u0026rsquo;s signed components, not by the attacker\u0026rsquo;s tooling.\u003c/li\u003e\n\u003cli\u003eThe dump is written to the folder configured by the \u003ccode\u003eDumpFolder\u003c/code\u003e value under the same key (by default \u003ccode\u003e%LOCALAPPDATA%\\CrashDumps\u003c/code\u003e of the account LSASS runs as, which resolves under the SYSTEM profile) or queued as a report under \u003ccode\u003eC:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker reads the generated dump file.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts credentials from the LSASS dump offline using tools such as Mimikatz or custom scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to move laterally within the network or access sensitive resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation compromises the domain credentials and other secrets held in LSASS memory, such as NTLM hashes and Kerberos tickets, for every account with a session on the host. This lets attackers move laterally within the network, escalate privileges, and access critical systems and data. A single compromised system can lead to a widespread breach affecting numerous users and systems. 
Environments where privileged accounts log on interactively to many hosts are the most exposed, since a dump from any one of those hosts yields the privileged credentials.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Full User-Mode Dumps Enabled System-Wide\u0026rdquo; to your SIEM to alert when the \u003ccode\u003eDumpType\u003c/code\u003e value under the WER \u003ccode\u003eLocalDumps\u003c/code\u003e key is set to \u003ccode\u003e2\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eExamine process execution and registry logs to identify the process that made the change. The rule treats \u003ccode\u003esvchost.exe\u003c/code\u003e running under \u003ccode\u003eS-1-5-18\u003c/code\u003e, \u003ccode\u003eS-1-5-19\u003c/code\u003e, or \u003ccode\u003eS-1-5-20\u003c/code\u003e as legitimate (the context in which policy-driven configuration is applied); any other writer, such as \u003ccode\u003ereg.exe\u003c/code\u003e, PowerShell, or an unsigned binary, should be investigated as described in the rule\u0026rsquo;s investigation guide.\u003c/li\u003e\n\u003cli\u003eMonitor for creation of and access to WER dump files in the configured dump folder and in \u003ccode\u003eC:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\u003c/code\u003e using file monitoring rules; a file named \u003ccode\u003elsass.exe.*.dmp\u003c/code\u003e should be treated as a credential-access incident until proven otherwise.\u003c/li\u003e\n\u003cli\u003eReview and update endpoint protection configurations so that they detect and block credential dumping techniques as mentioned in the rule\u0026rsquo;s response and remediation steps, and enable Credential Guard where supported so that a successful dump yields far fewer secrets.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-26-lsass-shtinkering/","summary":"Attackers can enable full user-mode dumps system-wide via registry modification and then fake an LSASS crash, so that Windows Error Reporting itself writes a dump from which credentials are extracted, without deploying a credential-dumping tool.","title":"LSASS Credential Dumping via Windows Error Reporting (WER) Abuse","url":"https://feed.craftedsignal.io/briefs/2024-01-26-lsass-shtinkering/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Error Reporting"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","masquerading","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may attempt to evade defenses by masquerading malicious processes as the legitimate Windows Error Reporting (WER) executables \u003ccode\u003eWerFault.exe\u003c/code\u003e and \u003ccode\u003eWermgr.exe\u003c/code\u003e. These executables handle application crashes and report errors to Microsoft, so outbound connections from them are routine. The technique consists of running a process under one of these names without any command-line arguments and then establishing outgoing network connections. By mimicking the behavior of legitimate WER processes, adversaries can bypass detections that focus on suspicious child processes or on command-line arguments, blending their malicious network activity with normal system operations. The discriminator is the empty command line: an instance spawned by the WER service normally carries arguments (for example \u003ccode\u003eWerFault.exe -u -p \u0026lt;pid\u0026gt; -s \u0026lt;n\u0026gt;\u003c/code\u003e for a user-mode crash, or \u003ccode\u003ewermgr.exe -upload\u003c/code\u003e). This technique has been observed in malware campaigns, which is why deviations from the expected behavior of WER processes are worth detecting.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through an unspecified method.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys a malicious payload onto the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003eWerFault.exe\u003c/code\u003e or \u003ccode\u003eWermgr.exe\u003c/code\u003e without any command-line arguments, whether as a renamed payload carrying one of those names or as the genuine binary hosting injected code, to mimic a legitimate WER process.\u003c/li\u003e\n\u003cli\u003eThe masquerading WER process initiates an outgoing network connection to a command-and-control (C2) server. 
The specific protocol used is not specified.\u003c/li\u003e\n\u003cli\u003eThe C2 server issues commands to the compromised system through the masquerading WER process.\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious commands on the system, potentially including data exfiltration, lateral movement, or further payload deployment.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain persistence on the compromised system, potentially through registry modifications or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft, system disruption, or establishing a foothold for future attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful masquerading attack can lead to a prolonged period of undetected malicious activity. Victims may experience data breaches, system compromise, and potential financial losses. The targeted systems could be incorporated into a botnet, used for cryptocurrency mining, or further exploited for lateral movement within the network. 
The absence of command-line arguments defeats detections that key on suspicious arguments, but it is also the strongest available signal: a WER-launched instance normally carries arguments, so an argument-less \u003ccode\u003eWerFault.exe\u003c/code\u003e or \u003ccode\u003eWermgr.exe\u003c/code\u003e that opens a network connection is anomalous rather than stealthy.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for instances of \u003ccode\u003eWerFault.exe\u003c/code\u003e or \u003ccode\u003eWermgr.exe\u003c/code\u003e started with no arguments beyond the executable path (an argument count of 1, which is how the rule expresses it) and followed by an outbound connection from the same process, using the \u0026ldquo;Potential Windows Error Manager Masquerading\u0026rdquo; Sigma rule to detect the sequence.\u003c/li\u003e\n\u003cli\u003eInvestigate network connections originating from \u003ccode\u003eWerFault.exe\u003c/code\u003e or \u003ccode\u003eWermgr.exe\u003c/code\u003e, especially when the process was launched without arguments, when the image is not under \u003ccode\u003eC:\\Windows\\System32\u003c/code\u003e or \u003ccode\u003eC:\\Windows\\SysWOW64\u003c/code\u003e, or when the destination is not a Microsoft error-reporting endpoint.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection) logging, or equivalent EDR telemetry, so the rule has both halves of the sequence and a process GUID or PID to join them on.\u003c/li\u003e\n\u003cli\u003eCorrelate process creation and network connection events to identify suspicious sequences, as outlined in the attack chain.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of compromised systems and restrict lateral movement.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-werfault-masquerading/","summary":"Adversaries may masquerade malicious processes as the legitimate Windows Error Reporting processes WerFault.exe or Wermgr.exe, launching them without arguments and then establishing network connections, to blend into normal system activity and evade detection.","title":"Potential Windows Error Manager Masquerading","url":"https://feed.craftedsignal.io/briefs/2024-01-werfault-masquerading/"}],"language":"en","title":"CraftedSignal Threat Feed — Windows Error Reporting","version":"https://jsonfeed.org/version/1.1"}
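The two detections recommended in the briefs above (the LocalDumps DumpType rule with its svchost/service-SID exclusion, and the argument-less WerFault.exe/Wermgr.exe start followed by a network connection), implemented as an added example over a constructed Sysmon-style event stream. This is not CraftedSignal, Elastic or Microsoft code; the event field layout, the five-minute correlation window and every sample event are assumptions made for the example.

```python
"""Detection logic for the two WER techniques in this feed, run over a
constructed Sysmon-style event stream (added example; not CraftedSignal,
Elastic or Microsoft code).  Field names mirror Sysmon Event ID 1 (process
create), 3 (network connection) and 13 (registry value set)."""
import re
from datetime import datetime, timedelta

LOCALDUMPS_DUMPTYPE = (
    r"HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType"
)
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}  # SYSTEM, LocalService, NetworkService
WER_IMAGES = {"werfault.exe", "wermgr.exe"}
NET_WINDOW = timedelta(minutes=5)  # assumed correlation window, not taken from the rule


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def dump_type(details):
    """Parse a Sysmon Details string such as 'DWORD (0x00000002)' or a bare '2'."""
    m = re.search(r"0x([0-9a-fA-F]+)", details)
    if m:
        return int(m.group(1), 16)
    return int(details) if details.strip().isdigit() else None

def count_args(command_line):
    """Argument count as a process-create rule sees it: the image path
    (quoted or bare) is the first argument, so a bare image path counts 1."""
    return len(re.findall(r'"[^"]*"|\S+', command_line))

def full_dump_enabled(events):
    """Rule 1: DumpType set to 2 (full dump) under LocalDumps, unless written by
    svchost.exe from System32 running as a service SID, which is how
    policy-applied configuration shows up."""
    hits = []
    for e in events:
        if e["EventID"] != 13 or e["EventType"] != "SetValue":
            continue
        if e["TargetObject"].lower() != LOCALDUMPS_DUMPTYPE.lower():
            continue
        if dump_type(e["Details"]) != 2:
            continue
        if (e["Image"].lower() == r"c:\windows\system32\svchost.exe"
                and e["UserSid"] in SERVICE_SIDS):
            continue
        hits.append(e)
    return hits

def wer_masquerade(events):
    """Rule 2: werfault.exe / wermgr.exe started with no arguments beyond the
    image path, then an outbound connection from the same process within
    NET_WINDOW.  Returns (process_create, network_connect) pairs."""
    pending = {}  # (Computer, ProcessId) -> argument-less WER start event
    hits = []
    for e in sorted(events, key=lambda x: _ts(x["UtcTime"])):
        key = (e["Computer"], e["ProcessId"])
        if e["EventID"] == 1:
            if _basename(e["Image"]) in WER_IMAGES and count_args(e["CommandLine"]) == 1:
                pending[key] = e
            else:
                pending.pop(key, None)  # PID reused by an unrelated process
        elif e["EventID"] == 3 and key in pending:
            if _ts(e["UtcTime"]) - _ts(pending[key]["UtcTime"]) <= NET_WINDOW:
                hits.append((pending[key], e))
    return hits


# Constructed sample events, not captured telemetry.
ADMIN_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    # Policy-applied DumpType=2 by svchost.exe as SYSTEM: excluded by rule 1.
    {"EventID": 13, "EventType": "SetValue", "UtcTime": "2024-01-26 09:00:00", "Computer": "WS01",
     "ProcessId": 1204, "Image": r"C:\Windows\System32\svchost.exe", "UserSid": "S-1-5-18",
     "TargetObject": LOCALDUMPS_DUMPTYPE, "Details": "DWORD (0x00000002)"},
    # Interactive admin enabling full dumps with reg.exe: rule 1 fires.
    {"EventID": 13, "EventType": "SetValue", "UtcTime": "2024-01-26 09:05:00", "Computer": "WS01",
     "ProcessId": 4412, "Image": r"C:\Windows\System32\reg.exe", "UserSid": ADMIN_SID,
     "TargetObject": LOCALDUMPS_DUMPTYPE, "Details": "DWORD (0x00000002)"},
    # Mini dump (DumpType=1) is not the full-dump setting: ignored.
    {"EventID": 13, "EventType": "SetValue", "UtcTime": "2024-01-26 09:06:00", "Computer": "WS01",
     "ProcessId": 4412, "Image": r"C:\Windows\System32\reg.exe", "UserSid": ADMIN_SID,
     "TargetObject": LOCALDUMPS_DUMPTYPE, "Details": "DWORD (0x00000001)"},
    # Genuine crash handling: WerFault.exe with its usual arguments, then an upload: rule 2 ignores it.
    {"EventID": 1, "UtcTime": "2024-01-26 09:10:00", "Computer": "WS01", "ProcessId": 5120,
     "Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": r'"C:\Windows\System32\WerFault.exe" -u -p 3344 -s 1024'},
    {"EventID": 3, "UtcTime": "2024-01-26 09:10:02", "Computer": "WS01", "ProcessId": 5120,
     "Image": r"C:\Windows\System32\WerFault.exe", "DestinationIp": "192.0.2.10", "DestinationPort": 443},
    # wermgr.exe started with no arguments, then connecting out 30 s later: rule 2 fires.
    {"EventID": 1, "UtcTime": "2024-01-26 09:12:00", "Computer": "WS01", "ProcessId": 6600,
     "Image": r"C:\Users\Public\wermgr.exe", "CommandLine": r"C:\Users\Public\wermgr.exe"},
    {"EventID": 3, "UtcTime": "2024-01-26 09:12:30", "Computer": "WS01", "ProcessId": 6600,
     "Image": r"C:\Users\Public\wermgr.exe", "DestinationIp": "203.0.113.7", "DestinationPort": 8443},
]

if __name__ == "__main__":
    for e in full_dump_enabled(SAMPLE_EVENTS):
        print(f"[full dump enabled] {e['UtcTime']} {e['Image']} as {e['UserSid']}")
    for start, net in wer_masquerade(SAMPLE_EVENTS):
        print(f"[WER masquerade] {start['Image']} pid {start['ProcessId']} -> "
              f"{net['DestinationIp']}:{net['DestinationPort']}")
```

Rule 1 deliberately ignores the DumpType=1 write: a mini dump does not contain the full LSASS address space, and the rule the brief names is specific to the full-dump value. Rule 2 keys only on the process name and argument count, as the brief describes, so it fires whether the image sits in a user-writable directory (as in the sample) or is the genuine binary under System32 hosting injected code; the path is left for the analyst to weigh during triage.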