Wepw — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/wepw/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 26 Jan 2024 12:00:00 +0000LSASS Credential Dumping via Windows Error Reporting (WER) Abusehttps://feed.craftedsignal.io/briefs/2024-01-26-lsass-shtinkering/Fri, 26 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-26-lsass-shtinkering/Attackers can enable full user-mode dumps system-wide via registry modification to facilitate LSASS credential dumping, allowing extraction of credentials from process memory without deploying malware.The LSASS Shtinkering attack involves abusing Windows Error Reporting (WER) to dump the memory of the LSASS process, which contains sensitive credentials. By enabling full user-mode dumps system-wide, attackers can fake a crash on LSASS, causing WER to generate a dump file. This setting is not enabled by default and requires modifying the registry. The DeepInstinct researchers publicized this attack at Defcon 30, demonstrating a method to access credentials without directly injecting malware into the LSASS process. This technique allows attackers to bypass traditional endpoint detection mechanisms that focus on malware signatures, making it a stealthy approach to credential theft. Defenders should monitor for registry modifications related to WER dump settings to detect and prevent this attack.

Attack Chain

  1. The attacker gains initial access to the system, potentially through phishing or exploitation of a vulnerability.
  2. The attacker modifies the registry key HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType to the value 2 or 0x00000002 to enable full user-mode dumps system-wide.
  3. The attacker triggers a crash or fakes a crash of the LSASS process.
  4. Windows Error Reporting (WER) generates a full user-mode dump file of the LSASS process.
  5. The dump file is stored in the location specified in the registry, typically C:\ProgramData\Microsoft\Windows\WER\ReportQueue.
  6. The attacker accesses the generated dump file.
  7. The attacker extracts credentials from the LSASS dump file using tools like Mimikatz or custom scripts.
  8. The attacker uses the stolen credentials to move laterally within the network or access sensitive resources.

Impact

Successful exploitation can lead to the compromise of domain credentials and other sensitive information stored in LSASS memory, such as NTLM hashes and Kerberos tickets. This can enable attackers to move laterally within the network, escalate privileges, and access critical systems and data. A single compromised system can lead to a widespread breach affecting numerous users and systems. The sectors most vulnerable are those handling sensitive data or critical infrastructure.

Recommendation

  • Deploy the Sigma rule “Full User-Mode Dumps Enabled System-Wide” to your SIEM to detect suspicious registry modifications related to Windows Error Reporting (WER).
  • Examine process execution logs to identify any suspicious processes that may have triggered the dump, especially those not matching the legitimate svchost.exe process with user IDs S-1-5-18, S-1-5-19, or S-1-5-20 as described in the rule’s investigation guide.
  • Monitor for access to WER dump files located in C:\ProgramData\Microsoft\Windows\WER\ReportQueue using file monitoring rules.
  • Review and update endpoint protection configurations to ensure they can detect and block credential dumping techniques as mentioned in the rule’s response and remediation steps.
]]>mediumadvisorycredential-accesswindowslsasswepw