{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/wepw/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","Windows Error Reporting"],"_cs_severities":["medium"],"_cs_tags":["credential-access","windows","lsass","wepw"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThe LSASS Shtinkering attack involves abusing Windows Error Reporting (WER) to dump the memory of the LSASS process, which contains sensitive credentials. By enabling full user-mode dumps system-wide, attackers can fake a crash on LSASS, causing WER to generate a dump file. This setting is not enabled by default and requires modifying the registry. The DeepInstinct researchers publicized this attack at Defcon 30, demonstrating a method to access credentials without directly injecting malware into the LSASS process. This technique allows attackers to bypass traditional endpoint detection mechanisms that focus on malware signatures, making it a stealthy approach to credential theft.\nDefenders should monitor for registry modifications related to WER dump settings to detect and prevent this attack.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, potentially through phishing or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry key \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType\u003c/code\u003e to the value \u003ccode\u003e2\u003c/code\u003e or \u003ccode\u003e0x00000002\u003c/code\u003e to enable full user-mode dumps system-wide.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a crash or fakes a crash of the LSASS process.\u003c/li\u003e\n\u003cli\u003eWindows Error Reporting (WER) generates a full user-mode dump file of the LSASS process.\u003c/li\u003e\n\u003cli\u003eThe dump file is stored in the location specified in the registry, typically \u003ccode\u003eC:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the generated dump file.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts credentials from the LSASS dump file using tools like Mimikatz or custom scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to move laterally within the network or access sensitive resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of domain credentials and other sensitive information stored in LSASS memory, such as NTLM hashes and Kerberos tickets. This can enable attackers to move laterally within the network, escalate privileges, and access critical systems and data. A single compromised system can lead to a widespread breach affecting numerous users and systems.\nThe sectors most vulnerable are those handling sensitive data or critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Full User-Mode Dumps Enabled System-Wide\u0026rdquo; to your SIEM to detect suspicious registry modifications related to Windows Error Reporting (WER).\u003c/li\u003e\n\u003cli\u003eExamine process execution logs to identify any suspicious processes that may have triggered the dump, especially those not matching the legitimate \u003ccode\u003esvchost.exe\u003c/code\u003e process with user IDs \u003ccode\u003eS-1-5-18\u003c/code\u003e, \u003ccode\u003eS-1-5-19\u003c/code\u003e, or \u003ccode\u003eS-1-5-20\u003c/code\u003e as described in the rule\u0026rsquo;s investigation guide.\u003c/li\u003e\n\u003cli\u003eMonitor for access to WER dump files located in \u003ccode\u003eC:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\u003c/code\u003e using file monitoring rules.\u003c/li\u003e\n\u003cli\u003eReview and update endpoint protection configurations to ensure they can detect and block credential dumping techniques as mentioned in the rule\u0026rsquo;s response and remediation steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-26-lsass-shtinkering/","summary":"Attackers can enable full user-mode dumps system-wide via registry modification to facilitate LSASS credential dumping, allowing extraction of credentials from process memory without deploying malware.","title":"LSASS Credential Dumping via Windows Error Reporting (WER) Abuse","url":"https://feed.craftedsignal.io/briefs/2024-01-26-lsass-shtinkering/"}],"language":"en","title":"CraftedSignal Threat Feed — Wepw","version":"https://jsonfeed.org/version/1.1"}