<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Lsass — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/lsass/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 26 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/lsass/feed.xml" rel="self" type="application/rss+xml"/><item><title>LSASS Credential Dumping via Windows Error Reporting (WER) Abuse</title><link>https://feed.craftedsignal.io/briefs/2024-01-26-lsass-shtinkering/</link><pubDate>Fri, 26 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-26-lsass-shtinkering/</guid><description>Attackers can enable full user-mode dumps system-wide via registry modification to facilitate LSASS credential dumping, allowing extraction of credentials from process memory without deploying malware.</description><content:encoded><![CDATA[<p>The LSASS Shtinkering attack involves abusing Windows Error Reporting (WER) to dump the memory of the LSASS process, which contains sensitive credentials. By enabling full user-mode dumps system-wide, attackers can fake a crash on LSASS, causing WER to generate a dump file. This setting is not enabled by default and requires modifying the registry. The DeepInstinct researchers publicized this attack at Defcon 30, demonstrating a method to access credentials without directly injecting malware into the LSASS process. 
This technique allows attackers to bypass traditional endpoint detection mechanisms that focus on malware signatures, making it a stealthy approach to credential theft. Defenders should monitor for registry modifications related to WER dump settings to detect and prevent this attack.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the system, potentially through phishing or exploitation of a vulnerability.</li>
<li>The attacker modifies the registry key <code>HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType</code> to the value <code>2</code> or <code>0x00000002</code> to enable full user-mode dumps system-wide.</li>
<li>The attacker triggers a crash or fakes a crash of the LSASS process.</li>
<li>Windows Error Reporting (WER) generates a full user-mode dump file of the LSASS process.</li>
<li>The dump file is stored in the location specified in the registry, typically <code>C:\ProgramData\Microsoft\Windows\WER\ReportQueue</code>.</li>
<li>The attacker accesses the generated dump file.</li>
<li>The attacker extracts credentials from the LSASS dump file using tools like Mimikatz or custom scripts.</li>
<li>The attacker uses the stolen credentials to move laterally within the network or access sensitive resources.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to the compromise of domain credentials and other sensitive information stored in LSASS memory, such as NTLM hashes and Kerberos tickets. This can enable attackers to move laterally within the network, escalate privileges, and access critical systems and data. A single compromised system can lead to a widespread breach affecting numerous users and systems. The sectors most vulnerable are those handling sensitive data or critical infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Full User-Mode Dumps Enabled System-Wide&rdquo; to your SIEM to detect suspicious registry modifications related to Windows Error Reporting (WER).</li>
<li>Examine process execution logs to identify any suspicious processes that may have triggered the dump, especially those not matching the legitimate <code>svchost.exe</code> process with user IDs <code>S-1-5-18</code>, <code>S-1-5-19</code>, or <code>S-1-5-20</code> as described in the rule&rsquo;s investigation guide.</li>
<li>Monitor for access to WER dump files located in <code>C:\ProgramData\Microsoft\Windows\WER\ReportQueue</code> using file monitoring rules.</li>
<li>Review and update endpoint protection configurations to ensure they can detect and block credential dumping techniques as mentioned in the rule&rsquo;s response and remediation steps.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>credential-access</category><category>windows</category><category>lsass</category><category>wepw</category></item><item><title>Suspicious LSASS Access via Malicious Secondary Logon Service</title><link>https://feed.craftedsignal.io/briefs/2024-01-mal-seclogon-lsass/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-mal-seclogon-lsass/</guid><description>An attacker abuses the Secondary Logon service (seclogon.dll) to gain unauthorized access to the LSASS process, potentially leaking credentials.</description><content:encoded><![CDATA[<p>This threat leverages the Windows Secondary Logon service (seclogon.dll) to gain unauthorized access to the Local Security Authority Subsystem Service (LSASS) process. The attack involves manipulating the seclogon service to leak an LSASS handle, which can then be used to extract credentials. This technique is often employed as a precursor to credential dumping and lateral movement within a compromised network. The detection focuses on identifying specific call traces to seclogon.dll coupled with suspicious access rights (0x14c0) when accessing LSASS, originating from svchost.exe. Defenders should monitor for this activity as it indicates a potential attempt to compromise sensitive credentials stored within LSASS memory.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the system (e.g., via phishing or exploitation of a vulnerability).</li>
<li>The attacker executes code within the context of a user account.</li>
<li>The attacker leverages the Secondary Logon service (seclogon.dll) to request access to LSASS.</li>
<li>The malicious code interacts with the seclogon service to obtain a handle to the LSASS process with specific access rights (0x14c0), typically from a svchost.exe process.</li>
<li>The seclogon service, acting on behalf of the attacker, grants access to LSASS.</li>
<li>The attacker uses the leaked LSASS handle to read memory contents.</li>
<li>The attacker extracts sensitive information, such as user credentials (passwords, NTLM hashes, Kerberos tickets), from the LSASS memory.</li>
<li>The attacker uses the stolen credentials for lateral movement, privilege escalation, or data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to steal user credentials, leading to unauthorized access to sensitive systems and data. This can result in data breaches, financial losses, and reputational damage. The compromise of domain administrator credentials can grant the attacker complete control over the entire Windows domain.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon process creation logging (event ID 1) and process access logging (event ID 10) to detect suspicious LSASS handle access.</li>
<li>Deploy the Sigma rule &ldquo;Suspicious Lsass Handle Access via MalSecLogon&rdquo; to your SIEM and tune for your environment.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the call trace, access rights, and source process.</li>
<li>Monitor authentication events for signs of credential misuse following suspicious LSASS access.</li>
<li>Review local administrator and debug-privilege exposure, LSASS protection such as RunAsPPL or Credential Guard where supported, and Secondary Logon service necessity on critical servers.</li>
<li>Block the GrantedAccess value &ldquo;0x14c0&rdquo; in conjunction with CallTrace <code>*seclogon.dll*</code> when the TargetImage is &ldquo;lsass.exe&rdquo; (Sysmon Event ID 10).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>credential-access</category><category>lsass</category><category>seclogon</category><category>windows</category></item><item><title>LSASS Process Access via Windows API</title><link>https://feed.craftedsignal.io/briefs/2024-01-lsass-process-access/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-lsass-process-access/</guid><description>Detection of access attempts to the LSASS handle, indicating potential credential dumping by monitoring API calls (OpenProcess, OpenThread, ReadProcessMemory) targeting lsass.exe.</description><content:encoded><![CDATA[<p>This rule identifies attempts to access the LSASS process via Windows API calls, specifically <code>OpenProcess</code>, <code>OpenThread</code>, and <code>ReadProcessMemory</code>. The Local Security Authority Subsystem Service (LSASS) is a critical Windows component responsible for managing user authentication and security policies. Attackers often target LSASS to dump credentials from memory for lateral movement and privilege escalation. This detection focuses on identifying unusual processes attempting to access the LSASS process, excluding common legitimate applications and directories. The rule leverages data from Elastic Defend and Microsoft Defender XDR to identify suspicious activity and provide defenders with actionable alerts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to the target system through various means.</li>
<li>The attacker attempts to escalate privileges to gain administrative rights.</li>
<li>The attacker uses a custom tool or script to call the <code>OpenProcess</code>, <code>OpenThread</code> or <code>ReadProcessMemory</code> Windows APIs.</li>
<li>The tool targets the <code>lsass.exe</code> process to obtain a handle for memory access.</li>
<li>The attacker uses the obtained handle to read LSASS memory, searching for credential data.</li>
<li>The attacker extracts usernames, passwords, and other sensitive information from the dumped memory.</li>
<li>The attacker uses the stolen credentials for lateral movement to other systems on the network.</li>
<li>The attacker achieves their final objective, which may include data exfiltration or system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to the compromise of domain credentials, allowing attackers to move laterally within the network and gain access to sensitive resources. This can result in data breaches, system compromise, and significant financial or reputational damage. The rule aims to detect these attacks early, limiting the scope of the potential compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;LSASS API Access by Non-Standard Process&rdquo; to your SIEM and tune for your environment to detect suspicious access to the LSASS process.</li>
<li>Investigate any alerts triggered by this rule, focusing on the process execution chain and the access rights requested as documented in the provided Microsoft documentation.</li>
<li>Enable process creation and API call logging via Elastic Defend or Microsoft Defender XDR to provide the necessary data for this detection.</li>
<li>Review and harden LSASS protection mechanisms such as Credential Guard to minimize the risk of successful credential dumping.</li>
<li>Implement the Osquery queries to gather system information like DNS cache, services, and unsigned executables, to aid in investigation and threat hunting.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>credential-access</category><category>lsass</category><category>windows</category></item><item><title>Potential LSASS Clone Creation via PssCaptureSnapShot</title><link>https://feed.craftedsignal.io/briefs/2024-01-lsass-clone-creation/</link><pubDate>Tue, 09 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-lsass-clone-creation/</guid><description>Detection of LSASS process cloning using PssCaptureSnapShot, where the parent process is also LSASS, indicating a potential attempt to dump LSASS memory for credential access.</description><content:encoded><![CDATA[<p>This detection identifies the creation of an LSASS process clone via <code>PssCaptureSnapShot</code> on Windows systems. The rule focuses on scenarios where the parent process of the new LSASS instance is also <code>lsass.exe</code>. This behavior is often associated with attackers attempting to bypass security controls and dump LSASS memory to extract credentials. The technique is used to evade detection mechanisms that monitor the primary LSASS process. Successful exploitation can lead to the compromise of domain or local credentials stored in memory, allowing for lateral movement and privilege escalation within the network. The detection is based on Windows Security Event Logs, specifically event code 4688, and is designed to identify this specific cloning behavior.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).</li>
<li>The attacker executes code on the target system, potentially using tools like PowerShell or command-line utilities.</li>
<li>The attacker initiates a process to clone the LSASS process using <code>PssCaptureSnapShot</code>.</li>
<li>The newly created process, a clone of LSASS, runs alongside the original.</li>
<li>The attacker leverages the cloned LSASS process to dump its memory. This may involve tools like <code>comsvcs.dll</code>, <code>rundll32.exe</code> or custom scripts leveraging the MiniDumpWriteDump function.</li>
<li>The attacker extracts sensitive information from the dumped memory, including usernames, passwords, and Kerberos tickets.</li>
<li>The attacker uses the extracted credentials to move laterally within the network, accessing additional systems and resources.</li>
<li>The attacker achieves their final objective, such as data exfiltration or deploying ransomware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can result in the compromise of sensitive credentials stored in LSASS memory, including domain and local account credentials. This can lead to unauthorized access to critical systems and data, potentially resulting in data breaches, financial loss, and reputational damage. Domain controllers, jump hosts, and systems with privileged accounts are at especially high risk. The number of affected systems can range from a single machine to a large portion of the network, depending on the attacker&rsquo;s objectives and the scope of the compromised credentials.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable and monitor Windows Security Event Logs with event code 4688 for process creation events, specifically focusing on the process and parent process names to identify LSASS cloning attempts (see rule below).</li>
<li>Deploy the provided Sigma rule to your SIEM to detect potential LSASS clone creation via <code>PssCaptureSnapShot</code>. Tune the rule for your environment to reduce false positives.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on identifying the processes involved in cloning and dumping LSASS memory.</li>
<li>Enable Audit Process Creation and Command Line logging as per the Elastic documentation to ensure the events used by the provided Sigma rules are captured.</li>
<li>If an LSASS clone is detected, review authentication events (4624, 4648, 4625) on the affected host to identify any suspicious logons or credential usage.</li>
<li>Monitor for file activity related to memory dumps (e.g., .dmp files) using the process clone to identify potential credential theft attempts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>credential-access</category><category>lsass</category><category>process-injection</category></item><item><title>Potential Credential Access via LSASS Handle Duplication</title><link>https://feed.craftedsignal.io/briefs/2024-01-lsass-dupehandle/</link><pubDate>Wed, 03 Jan 2024 17:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-lsass-dupehandle/</guid><description>Detection of suspicious LSASS handle access via DuplicateHandle from an unknown call trace module, indicating a potential attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.</description><content:encoded><![CDATA[<p>This detection identifies suspicious attempts to access the Local Security Authority Subsystem Service (LSASS) memory via the DuplicateHandle function on Windows systems. LSASS is a critical process that manages user credentials, making it a prime target for credential dumping attacks. Attackers may use DuplicateHandle to bypass the NtOpenProcess API, which is commonly monitored, to evade detection. The rule focuses on EventCode 10, looking for lsass.exe requesting DuplicateHandle access rights (0x40) where the call trace originates from an unknown executable region (<code>*UNKNOWN*</code>). This technique is often associated with tools like MirrorDump.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to the target system (e.g., via phishing or exploitation of a vulnerability).</li>
<li>The attacker executes a malicious program or script on the compromised system.</li>
<li>The malicious code attempts to open a handle to the LSASS process.</li>
<li>Instead of using NtOpenProcess, the attacker leverages the DuplicateHandle function to obtain a handle to LSASS.</li>
<li>The DuplicateHandle call originates from an unknown or suspicious module, as indicated by <code>*UNKNOWN*</code> in the call trace.</li>
<li>With a valid handle to LSASS, the attacker dumps the LSASS memory to a file or other location.</li>
<li>The attacker parses the dumped memory to extract sensitive credentials.</li>
<li>The attacker uses the stolen credentials for lateral movement, privilege escalation, or data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation could lead to the compromise of user credentials, including domain administrator accounts. This can give attackers unrestricted access to the entire domain, allowing them to steal sensitive data, install malware, or disrupt critical services. The impact can range from data breaches and financial loss to complete infrastructure compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon process creation and event 10 logging to capture the necessary telemetry for this detection. (Setup instructions: <a href="https://ela.st/sysmon-event-10-setup">https://ela.st/sysmon-event-10-setup</a>)</li>
<li>Deploy the Sigma rule &ldquo;Potential Credential Access via DuplicateHandle in LSASS&rdquo; to your SIEM and tune for your environment to reduce false positives.</li>
<li>Investigate any alerts generated by this rule by reviewing the event logs and call trace details to identify suspicious modules or processes.</li>
<li>Implement enhanced monitoring and logging for LSASS and related processes to detect any future attempts to exploit the DuplicateHandle function.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>credential-access</category><category>lsass</category><category>duplicatehandle</category><category>mirrordump</category><category>windows</category></item><item><title>Suspicious LSASS Process Access</title><link>https://feed.craftedsignal.io/briefs/2024-01-suspicious-lsass-access/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-suspicious-lsass-access/</guid><description>This rule identifies suspicious access attempts to the LSASS process, potentially indicating credential dumping attempts by filtering out legitimate processes and access patterns to focus on anomalies.</description><content:encoded><![CDATA[<p>The Local Security Authority Subsystem Service (LSASS) is a critical Windows component responsible for enforcing security policies and handling user authentication. Attackers often target LSASS to extract credentials, enabling unauthorized access and privilege escalation. This detection rule identifies suspicious access attempts to LSASS memory, which may indicate credential dumping activities. It filters out common legitimate processes and access patterns to highlight anomalous behaviors associated with credential theft. The rule is designed to detect unauthorized access attempts by monitoring process access events and filtering out known benign processes that interact with LSASS. It helps defenders identify potential credential access attempts before they lead to significant compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a system, possibly through phishing or exploitation of a vulnerability.</li>
<li>The attacker executes a malicious process or script on the compromised system.</li>
<li>The malicious process attempts to gain a handle to the LSASS process.</li>
<li>The attacker&rsquo;s tool requests specific access rights to LSASS, such as <code>ReadProcessMemory</code> (0x0010) or <code>PROCESS_QUERY_INFORMATION</code> (0x0400), which are necessary for memory dumping.</li>
<li>The attacker&rsquo;s process bypasses or disables endpoint detection and response (EDR) solutions to avoid detection.</li>
<li>The tool dumps the LSASS memory, extracting sensitive information like usernames, passwords, and Kerberos tickets.</li>
<li>The attacker uses the extracted credentials to move laterally within the network, accessing other systems and resources.</li>
<li>The attacker achieves their objective, such as data exfiltration or deployment of ransomware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful LSASS memory dump can lead to the compromise of domain credentials, allowing attackers to move laterally within the network and gain access to sensitive data and systems. This can result in data breaches, financial loss, and reputational damage. Organizations across all sectors are vulnerable, particularly those with weak credential management practices. A single compromised account can lead to widespread damage, potentially affecting thousands of systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon process access event logging (Event ID 10) as described in the setup instructions linked in the rule to collect the necessary data.</li>
<li>Deploy the Sigma rule &ldquo;Suspicious Lsass Process Access&rdquo; to your SIEM and tune the exclusions based on your environment to reduce false positives.</li>
<li>Review and harden privileged account management practices to limit the impact of credential compromise.</li>
<li>Monitor systems for unusual process creation events, especially those spawning from unexpected locations, to identify potential initial access points.</li>
<li>Regularly scan systems for vulnerabilities and apply patches to prevent exploitation.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>credential-access</category><category>lsass</category><category>windows</category></item><item><title>LSASS Loading Suspicious DLL</title><link>https://feed.craftedsignal.io/briefs/2024-01-lsass-suspicious-dll/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-lsass-suspicious-dll/</guid><description>Detection of LSASS loading an unsigned or untrusted DLL, which can indicate credential access attempts by malicious actors targeting sensitive information stored in the LSASS process.</description><content:encoded><![CDATA[<p>The Local Security Authority Subsystem Service (LSASS) is a critical Windows component that manages security policies and user authentication. Attackers often target LSASS to dump credentials, using techniques like injecting malicious DLLs. This detection focuses on identifying instances where LSASS loads a DLL that is either unsigned or not signed by a trusted vendor. The rule excludes known legitimate signatures and file hashes to reduce false positives. This activity is a strong indicator of credential access attempts, potentially leading to further compromise of the system and network. The signatures identified in the rule contain well-known software vendors like Microsoft, McAfee and Citrix.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to the system through various means (e.g., phishing, exploiting a vulnerability).</li>
<li>The attacker elevates privileges to gain sufficient access to interact with the LSASS process.</li>
<li>The attacker drops a malicious DLL onto the system, often disguised as a legitimate file.</li>
<li>The attacker injects the malicious DLL into the LSASS process using techniques like Reflective DLL Injection.</li>
<li>LSASS loads the injected DLL, granting the attacker access to sensitive credentials stored in memory.</li>
<li>The malicious DLL dumps credentials, such as plaintext passwords or NTLM hashes.</li>
<li>The attacker uses the stolen credentials for lateral movement to other systems on the network.</li>
<li>The attacker achieves their final objective, such as data exfiltration or deploying ransomware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation leads to credential compromise, allowing attackers to move laterally within the network, access sensitive data, and potentially achieve complete domain dominance. This can result in data breaches, financial losses, and reputational damage. The impact depends on the level of access associated with the compromised credentials.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the <code>LSASS Loading Untrusted DLL</code> Sigma rule to your SIEM to detect suspicious DLLs loaded by LSASS.</li>
<li>Investigate any alerts generated by the Sigma rule and review the loaded DLL&rsquo;s code signature and hash.</li>
<li>Block the identified SHA256 hashes listed in the IOC table to prevent the execution of known malicious DLLs.</li>
<li>Implement application whitelisting to restrict which DLLs can be loaded into LSASS.</li>
<li>Enable Sysmon process creation and image load logging to provide the necessary data for detection.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>credential-access</category><category>lsass</category><category>dll-injection</category><category>windows</category></item><item><title>LSASS Memory Dump Handle Access Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-lsass-memory-dump/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-lsass-memory-dump/</guid><description>This rule detects handle requests for LSASS object access with specific access masks (0x1fffff, 0x1010, 0x120089, 0x1F3FFF) indicative of memory dumping, commonly employed by tools like SharpDump, Procdump, Mimikatz, and Comsvcs to extract credentials from the LSASS process on Windows systems.</description><content:encoded><![CDATA[<p>The Local Security Authority Subsystem Service (LSASS) is a critical Windows process responsible for enforcing security policy and handling user authentication. Attackers often target LSASS to steal credentials for lateral movement and privilege escalation. This detection identifies attempts to access LSASS memory using specific access masks (0x1fffff, 0x1010, 0x120089, 0x1F3FFF) that are commonly used by tools designed to dump LSASS memory. The rule is designed to be tool-agnostic, detecting the underlying behavior rather than specific tool signatures. It has been validated against various LSASS dumping tools, including SharpDump, Procdump, Mimikatz, and Comsvcs. The rule triggers on Windows systems where handle manipulation is enabled and generates security event logs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.</li>
<li>The attacker elevates privileges to an administrative account or SYSTEM, necessary for accessing LSASS memory.</li>
<li>The attacker executes a credential dumping tool, such as Mimikatz, SharpDump, or Procdump.</li>
<li>The tool attempts to open a handle to the LSASS process (lsass.exe) with a specific access mask (0x1fffff, 0x1010, 0x120089, 0x1F3FFF) required for memory dumping.</li>
<li>Windows Security Event ID 4656 is generated, logging the handle request to the LSASS object.</li>
<li>The tool reads the memory contents of the LSASS process.</li>
<li>The dumped memory is parsed to extract sensitive information, such as passwords, NTLM hashes, and Kerberos tickets.</li>
<li>The attacker uses the stolen credentials to move laterally to other systems or access sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful LSASS memory dumping allows attackers to steal user credentials, enabling lateral movement and privilege escalation within the network. This can lead to widespread compromise, data breaches, and significant disruption of services. Stolen credentials can be used to access sensitive data, control critical systems, and maintain a persistent presence within the environment.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Audit Handle Manipulation to generate the necessary events for this rule to function, as described in the <a href="https://ela.st/audit-handle-manipulation">setup instructions</a>.</li>
<li>Deploy the Sigma rule <code>LSASS Memory Dump Handle Access</code> to your SIEM and tune the exceptions based on your environment to minimize false positives.</li>
<li>Investigate any alerts generated by this rule, focusing on the process execution chain (parent process tree) to identify the source of the LSASS handle request.</li>
<li>Review the processes excluded in the rule (WmiPrvSE.exe, dllhost.exe, svchost.exe, msiexec.exe, explorer.exe) and ensure these exclusions are valid for your environment.</li>
<li>Implement strong password policies and multi-factor authentication to mitigate the impact of credential theft.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>credential-access</category><category>lsass</category><category>memory-dump</category><category>windows</category></item><item><title>LSASS Memory Dump Creation Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-lsass-dump-creation/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-lsass-dump-creation/</guid><description>This rule identifies the creation of LSASS memory dump files, often indicative of credential access attempts using tools like Task Manager, SQLDumper, Dumpert, or AndrewSpecial, by monitoring for specific filenames and excluding legitimate dump locations.</description><content:encoded><![CDATA[<p>This detection rule identifies the creation of LSASS memory dump files on Windows systems, which is a common technique used by attackers to extract credentials. The rule focuses on specific filenames associated with LSASS dumps and tools used for creating these dumps, such as <code>lsass*.dmp</code>, <code>dumpert.dmp</code>, <code>Andrew.dmp</code>, <code>SQLDmpr*.mdmp</code>, and <code>Coredump.dmp</code>. The rule excludes known legitimate crash analysis paths and SQLDumper dump locations to reduce false positives. The rule aims to detect credential access attempts through trusted utilities such as Task Manager or SQLDumper, or known tooling such as Dumpert and AndrewSpecial. It is designed to work with data from Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).</li>
<li>The attacker executes a tool or utility to create a memory dump of the LSASS process. This can be done using built-in tools like Task Manager or SQLDumper, or third-party tools like Dumpert or AndrewSpecial.</li>
<li>The tool writes the LSASS memory dump to a file with a name matching a known pattern, such as <code>lsass.dmp</code>, <code>dumpert.dmp</code>, or <code>SQLDmpr0001.mdmp</code>.</li>
<li>The file is created in a location that is not a known legitimate crash dump location (e.g., not in <code>\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\</code>).</li>
<li>The attacker may move, copy, or archive the dump file to avoid detection or to prepare it for exfiltration.</li>
<li>The attacker uses another tool, such as Mimikatz, to parse the LSASS memory dump and extract credentials.</li>
<li>The attacker uses the extracted credentials to move laterally to other systems or to access sensitive data.</li>
<li>The final objective is often to gain domain administrator privileges or to exfiltrate sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation and credential extraction can lead to complete domain compromise, unauthorized access to sensitive data, and significant financial or reputational damage. The impact is amplified if the compromised system is a domain controller, jump host, or privileged admin workstation. The rule is designed to detect the initial stage of credential access and prevent further damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon FileCreate events (Event ID 11) to capture the creation of LSASS memory dump files.</li>
<li>Deploy the Sigma rule <code>LSASS Memory Dump Creation</code> to your SIEM to detect suspicious LSASS memory dump creation events and tune for your environment.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the process executable, parent process, file path, and user context.</li>
<li>If a suspicious LSASS memory dump is found, isolate the affected host and begin credential hygiene for implicated accounts and systems.</li>
<li>Block known malicious tools like Dumpert and AndrewSpecial from running on your network.</li>
<li>Monitor for related credential-access, staging, privilege, or lateral-movement alerts for the same user or host.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>credential-access</category><category>lsass</category><category>memory-dump</category><category>windows</category></item></channel></rss>