<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Memory-Dump — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/memory-dump/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 02 Nov 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/memory-dump/feed.xml" rel="self" type="application/rss+xml"/><item><title>MemProcFS Usage for Memory Dump Mounting and Credential Access</title><link>https://feed.craftedsignal.io/briefs/2024-11-memprocfs-memory-dump/</link><pubDate>Sat, 02 Nov 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-11-memprocfs-memory-dump/</guid><description>Adversaries use MemProcFS, a memory forensics tool, to mount memory dumps as virtual file systems and extract sensitive information like credentials from LSASS or registry hives.</description><content:encoded><![CDATA[<p>MemProcFS is a memory forensics tool that mounts physical memory, or a saved memory dump, as a virtual file system. While it has legitimate uses in forensic analysis, adversaries are abusing it to extract sensitive information from memory images of compromised systems: credentials from LSASS process memory, and LSA secrets, SAM data, and cached domain credentials from the registry hives held in memory. This activity is particularly concerning because the dump is parsed offline, after the memory has already been acquired: at that point no handle to lsass.exe is opened on the victim, so detections that key on LSASS handle access do not fire. Unapproved usage of MemProcFS should be considered suspicious and investigated immediately to prevent credential theft and lateral movement.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to a system through unspecified means (e.g., exploiting a vulnerability or using stolen credentials).</li>
<li>The attacker obtains a memory dump of the compromised system, which may contain sensitive information.</li>
<li>The attacker executes <code>MemProcFS.exe</code> with the <code>-device</code> parameter to mount the memory dump as a virtual file system.</li>
<li>MemProcFS creates a virtual file system representation of the memory dump, allowing the attacker to browse the memory space as files and directories.</li>
<li>The attacker accesses the memory of the LSASS process (lsass.exe) through the mounted file system.</li>
<li>The attacker extracts credentials, such as usernames and passwords, from the LSASS process memory.</li>
<li>The attacker may also access registry hives through the mounted file system to obtain LSA secrets, SAM data, and cached domain credentials.</li>
<li>The attacker uses the stolen credentials for lateral movement, privilege escalation, or data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful use of this technique lets threat actors recover credentials, LSA secrets, SAM data, and cached domain credentials from a single memory image. Compromised credentials can then be used for lateral movement within the network, privilege escalation, and further data breaches. The number of potential victims is unknown, but the severity of the impact is high because a privileged account's credentials cached on one host can lead to domain-wide compromise. Any organization running Windows systems is exposed.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Detect MemProcFS Execution with Device Parameter&rdquo; to your SIEM to identify suspicious use of MemProcFS based on process creation events. Match on the binary's original file name as well as its image name, since a renamed copy of <code>MemProcFS.exe</code> still passes <code>-device</code> on its command line.</li>
<li>Enable Sysmon process creation logging (Event ID 1), or Windows Security Event ID 4688 with command-line auditing turned on, to provide the process name and command line the Sigma rule above needs.</li>
<li>Monitor for the components MemProcFS needs in order to mount a file system on Windows: a Dokany or WinFsp driver load (Sysmon Event ID 6) and loads of its <code>vmm.dll</code> and <code>leechcore.dll</code> libraries (Sysmon Event ID 7) on hosts that are not approved forensic workstations. A newly mounted drive letter backed by such a driver on a server is a strong indicator that a memory dump is being browsed.</li>
</ul>
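<p>The following is an added example, not CraftedSignal's or the MemProcFS project's code. It re-implements the logic of the process-creation Sigma rule recommended above in plain Python, extends it with an OriginalFileName check (so a renamed copy of the binary still matches) and an allowlist of approved forensic workstations (so expected DFIR use is scored lower), and runs it over constructed Sysmon Event ID 1 records shaped like the attack chain's step 3. Field names are Sysmon's; every value, the allowlist, and the assumption that the binary's version resource names it <code>MemProcFS.exe</code> are this example's.</p>

```python
"""Flag MemProcFS execution in process-creation telemetry.

Added example, not CraftedSignal's or the MemProcFS project's code.
Field names (Hostname, User, Image, OriginalFileName, CommandLine,
ParentImage) follow Sysmon Event ID 1; all values are constructed and the
approved-host allowlist is an assumption.
"""
import shlex
from dataclasses import dataclass
from typing import Optional

# Assumption: hosts where MemProcFS is expected. Anything else is unapproved.
APPROVED_FORENSIC_HOSTS = {"DFIR-WS01"}

# Constructed sample events shaped like Sysmon Event ID 1 (process creation).
SAMPLE_EVENTS = [
    {  # approved DFIR workstation mounting a case image: expected
        "Hostname": "DFIR-WS01", "User": "CORP\\ir.analyst",
        "Image": "C:\\Tools\\MemProcFS\\MemProcFS.exe",
        "OriginalFileName": "MemProcFS.exe",
        "CommandLine": "MemProcFS.exe -device C:\\cases\\srv01.raw -mount M",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
    },
    {  # renamed copy on a file server, run by a service account: unapproved
        "Hostname": "FS01", "User": "CORP\\svc_backup",
        "Image": "C:\\Users\\Public\\m.exe",
        "OriginalFileName": "MemProcFS.exe",
        "CommandLine": "m.exe -device \"C:\\Users\\Public\\fs01 dump.raw\" -mount Z",
        "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    },
    {  # unrelated (constructed) tool that also takes -device: must not alert
        "Hostname": "FS01", "User": "CORP\\admin",
        "Image": "C:\\Program Files\\AcmeBackup\\agent.exe",
        "OriginalFileName": "agent.exe",
        "CommandLine": "agent.exe -device \\\\.\\PhysicalDrive0 -verify",
        "ParentImage": "C:\\Windows\\System32\\services.exe",
    },
]


def memprocfs_binary(event: dict) -> bool:
    """True when the image name or the PE OriginalFileName is MemProcFS.exe.
    Assumption: the binary's version resource names it MemProcFS.exe."""
    image_name = event.get("Image", "").rsplit("\\", 1)[-1]
    candidates = (image_name, event.get("OriginalFileName", ""))
    return any(c.lower() == "memprocfs.exe" for c in candidates)


def device_argument(cmdline: str) -> Optional[str]:
    """Return the value passed to -device, or None if the flag is absent."""
    try:
        # posix=False keeps Windows backslashes literal and honours "quoted paths"
        argv = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        argv = cmdline.split()
    for i, arg in enumerate(argv):
        if arg.lower() == "-device" and i + 1 < len(argv):
            return argv[i + 1].strip('"')
    return None


@dataclass
class Alert:
    hostname: str
    user: str
    image: str
    device: str
    severity: str  # "high" on unapproved hosts, "informational" on approved ones


def evaluate(events, approved_hosts=APPROVED_FORENSIC_HOSTS):
    """Apply the rule: MemProcFS binary AND a -device argument on the command line."""
    alerts = []
    for ev in events:
        if not memprocfs_binary(ev):
            continue
        device = device_argument(ev.get("CommandLine", ""))
        if device is None:
            continue
        severity = "informational" if ev.get("Hostname") in approved_hosts else "high"
        alerts.append(Alert(ev.get("Hostname", ""), ev.get("User", ""),
                            ev.get("Image", ""), device, severity))
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.hostname} {a.user} ran {a.image} against {a.device}")
```

<p>Run as-is, the script reports the DFIR workstation as informational and the renamed copy on FS01 as high, and ignores the unrelated tool even though it also passes <code>-device</code>. The image-name-only version of the rule would miss the second event; keying on OriginalFileName closes that gap until the attacker also strips the version resource, at which point the driver- and DLL-load indicators above are what remain.</p>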
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>credential-access</category><category>memory-dump</category><category>memprocfs</category></item><item><title>LSASS Memory Dump Handle Access Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-lsass-memory-dump/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-lsass-memory-dump/</guid><description>This rule detects handle requests for LSASS object access with specific access masks (0x1fffff, 0x1010, 0x120089, 0x1F3FFF) indicative of memory dumping, commonly employed by tools like SharpDump, Procdump, Mimikatz, and Comsvcs to extract credentials from the LSASS process on Windows systems.</description><content:encoded><![CDATA[<p>The Local Security Authority Subsystem Service (LSASS) is a critical Windows process responsible for enforcing security policy and handling user authentication. Attackers often target LSASS to steal credentials for lateral movement and privilege escalation. This detection identifies attempts to access LSASS memory using specific access masks (0x1fffff, 0x1010, 0x120089, 0x1F3FFF) that are commonly used by tools designed to dump LSASS memory. The rule is designed to be tool-agnostic, detecting the underlying behavior rather than specific tool signatures. It has been validated against various LSASS dumping tools, including SharpDump, Procdump, Mimikatz, and Comsvcs. The rule depends on Windows Security Event ID 4656 (&ldquo;A handle to an object was requested&rdquo;), so it only fires on systems where the Object Access audit subcategories that generate that event have been enabled.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.</li>
<li>The attacker elevates privileges to an administrative account or SYSTEM and typically enables SeDebugPrivilege, which is needed to open a handle to LSASS memory.</li>
<li>The attacker executes a credential dumping tool, such as Mimikatz, SharpDump, or Procdump.</li>
<li>The tool attempts to open a handle to the LSASS process (lsass.exe) with a specific access mask (0x1fffff, 0x1010, 0x120089, 0x1F3FFF) required for memory dumping.</li>
<li>If the Object Access audit subcategories are enabled, Windows Security Event ID 4656 records the handle request, including the requesting process, the subject account and the access mask.</li>
<li>The tool reads the memory contents of the LSASS process.</li>
<li>The dumped memory is parsed to extract sensitive information, such as passwords, NTLM hashes, and Kerberos tickets.</li>
<li>The attacker uses the stolen credentials to move laterally to other systems or access sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful LSASS memory dumping allows attackers to steal user credentials, enabling lateral movement and privilege escalation within the network. This can lead to widespread compromise, data breaches, and significant disruption of services. Stolen credentials can be used to access sensitive data, control critical systems, and maintain a persistent presence within the environment.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable the Object Access audit subcategories that make Windows log Event ID 4656 for process objects: Audit Kernel Object, together with Audit Handle Manipulation, as described in the <a href="https://ela.st/audit-handle-manipulation">setup instructions</a>. Without them the rule has no events to match. Expect a noticeable event volume from Audit Kernel Object on busy hosts, so filter at the forwarder down to process-object events on lsass.exe if your pipeline cannot absorb it.</li>
<li>Deploy the Sigma rule <code>LSASS Memory Dump Handle Access</code> to your SIEM and tune the exceptions based on your environment to minimize false positives.</li>
<li>Investigate any alerts generated by this rule, focusing on the process execution chain (parent process tree) to identify the source of the LSASS handle request.</li>
<li>Review the processes excluded in the rule (WmiPrvSE.exe, dllhost.exe, svchost.exe, msiexec.exe, explorer.exe) and ensure these exclusions are valid for your environment. Match them on their full paths under C:\Windows (for example C:\Windows\System32\svchost.exe) rather than on the bare file name, since an attacker can name a dumping tool svchost.exe and drop it in a user-writable directory.</li>
<li>Implement strong password policies and multi-factor authentication to mitigate the impact of credential theft.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>credential-access</category><category>lsass</category><category>memory-dump</category><category>windows</category></item></channel></rss>