https://feed.craftedsignal.io/products/windows-error-reporting/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 26 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-26-lsass-shtinkering/Fri, 26 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-26-lsass-shtinkering/Attackers can enable full user-mode dumps system-wide via registry modification to facilitate LSASS credential dumping, allowing extraction of credentials from process memory without deploying malware.The LSASS Shtinkering attack involves abusing Windows Error Reporting (WER) to dump the memory of the LSASS process, which contains sensitive credentials. By enabling full user-mode dumps system-wide, attackers can fake a crash on LSASS, causing WER to generate a dump file. This setting is not enabled by default and requires modifying the registry. The DeepInstinct researchers publicized this attack at Defcon 30, demonstrating a method to access credentials without directly injecting malware into the LSASS process. This technique allows attackers to bypass traditional endpoint detection mechanisms that focus on malware signatures, making it a stealthy approach to credential theft. Defenders should monitor for registry modifications related to WER dump settings to detect and prevent this attack.

Attack Chain

1. The attacker gains initial access to the system, potentially through phishing or exploitation of a vulnerability.
2. The attacker modifies the registry key HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType to the value 2 or 0x00000002 to enable full user-mode dumps system-wide.
3. The attacker triggers a crash or fakes a crash of the LSASS process.
4. Windows Error Reporting (WER) generates a full user-mode dump file of the LSASS process.
5. The dump file is stored in the location specified in the registry, typically C:\ProgramData\Microsoft\Windows\WER\ReportQueue.
6. The attacker accesses the generated dump file.
7. The attacker extracts credentials from the LSASS dump file using tools like Mimikatz or custom scripts.
8. The attacker uses the stolen credentials to move laterally within the network or access sensitive resources.

Impact

Successful exploitation can lead to the compromise of domain credentials and other sensitive information stored in LSASS memory, such as NTLM hashes and Kerberos tickets. This can enable attackers to move laterally within the network, escalate privileges, and access critical systems and data. A single compromised system can lead to a widespread breach affecting numerous users and systems. The sectors most vulnerable are those handling sensitive data or critical infrastructure.

Recommendation

• Deploy the Sigma rule “Full User-Mode Dumps Enabled System-Wide” to your SIEM to detect suspicious registry modifications related to Windows Error Reporting (WER).
• Examine process execution logs to identify any suspicious processes that may have triggered the dump, especially those not matching the legitimate svchost.exe process with user IDs S-1-5-18, S-1-5-19, or S-1-5-20 as described in the rule’s investigation guide.
• Monitor for access to WER dump files located in C:\ProgramData\Microsoft\Windows\WER\ReportQueue using file monitoring rules.
• Review and update endpoint protection configurations to ensure they can detect and block credential dumping techniques as mentioned in the rule’s response and remediation steps.

]]>mediumadvisorycredential-accesswindowslsasswepwhttps://feed.craftedsignal.io/briefs/2024-01-werfault-masquerading/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-werfault-masquerading/Adversaries may masquerade malicious processes as legitimate Windows Error Reporting processes (WerFault.exe or Wermgr.exe) to evade detection by establishing network connections without arguments, thus blending into normal system activity.Attackers may attempt to evade defenses by masquerading malicious processes as legitimate Windows Error Reporting (WER) executables, specifically WerFault.exe or Wermgr.exe. These executables are responsible for handling application crashes and reporting errors to Microsoft. This technique involves launching these executables without command-line arguments and then establishing outgoing network connections. By mimicking the behavior of legitimate WER processes, adversaries can potentially bypass detections that focus on suspicious child process activity or command-line arguments, effectively blending their malicious network activity with normal system operations. This technique has been observed in conjunction with malware campaigns, highlighting the importance of detecting deviations from the expected behavior of WER processes.

Attack Chain

1. An attacker gains initial access to the system through an unspecified method.
2. The attacker deploys a malicious payload onto the compromised system.
3. The attacker executes WerFault.exe or Wermgr.exe without any command-line arguments. This is an attempt to mimic legitimate WER process behavior.
4. The masquerading WER process initiates an outgoing network connection to a command-and-control (C2) server. The specific protocol used is not specified.
5. The C2 server issues commands to the compromised system through the masquerading WER process.
6. The attacker executes malicious commands on the system, potentially including data exfiltration, lateral movement, or further payload deployment.
7. The attacker attempts to maintain persistence on the compromised system, potentially through registry modifications or scheduled tasks.
8. The attacker achieves their final objective, such as data theft, system disruption, or establishing a foothold for future attacks.

Impact

A successful masquerading attack can lead to a prolonged period of undetected malicious activity. Victims may experience data breaches, system compromise, and potential financial losses. The targeted systems could be incorporated into a botnet, used for cryptocurrency mining, or further exploited for lateral movement within the network. The lack of command-line arguments makes detection more challenging, allowing attackers to operate with a lower risk of detection.

Recommendation

• Monitor process creation events for instances of WerFault.exe or Wermgr.exe executed with a single argument and an unusual command line, using the “Potential Windows Error Manager Masquerading” Sigma rule to detect such events.
• Investigate network connections originating from WerFault.exe or Wermgr.exe, especially when the process is launched without arguments.
• Enable Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection) logging to provide the necessary data for the Sigma rule.
• Correlate process creation and network connection events to identify suspicious sequences, as outlined in the attack chain.
• Implement network segmentation to limit the potential impact of compromised systems and restrict lateral movement.

]]>mediumadvisorydefense-evasionmasqueradingwindows