By Waseem Akram on 10/17/2024
Today we’ll dump LSASS.EXE process memory to obtain credentials and we also will be using some evasion techniques. During red team...
Hello dear hackers!
Today we’ll dump LSASS.EXE process memory to obtain credentials and we also will be using some evasion techniques. Inspired by Dumpert
During red team operations you may need to get credentials to reuse them or/and maintain access but if you try to use Mimikatz to do this, is highly probable to be detected so instead of that we can dump the LSASS.EXE memory process which takes core of the security policies and it means Local Security Authority Subsystem Service. This technique must be done as Administrator because the process runs with high privileges and SeDebugPrivilege is required in order to interact with the LSASS process.
The general workflow of the program will be like this:
The first part of the program will use direct syscalls as evasion technique (Hell’s Gate & Halo’s Gate) but we’ll apply more techniques later.
Let’s import necessary packages, if you haven’t installed my library execute this:
Now we continue:
In this post we also will be using my own malware development library which has tons of useful functions but today we just will use it to implement direct syscall via Hell’s Gate and Halo’s Gate techniques. However the rest of the program like API unhooking will be done by hand.
I won’t dig this to deep but here we define required structures, most of them are used to interact with processes or session tokens later:
As I said before we need to have SeDebugPrivilege enabled in order to interact with LSASS.EXE process so let’s code a function which enables it using some Windows calls like LookupPrivilegeValueW
and AdjustTokenPrivileges
:
There are some comments along the code but in case you don’t wanna read every letter, this function follows this structure:
Now we create a function to check administrator rights, for our purpose we’ll check if user is inside admins group. If someone executes the program as non-privileged user it returns an error
This function uses AllocateAndInitializeSid API call to retrieve SIDs information and then it checks if the user is part of the Administrators group. If the user is an admin, it returns true
, otherwise it returns false
.
Let’s take a look about how to find lsass.exe
PID. First of all we have to use some API calls like CreateToolhelp32Snapshot
and Process32Next
, I think that they are never detected as malicious or something like that because they just enumerate and list processes so we don’t have to do anything special.
However in this case we’ll be using a modified version of a function from https://github.com/mitchellh/go-ps/blob/master/process_windows.go
Once we also have that, let’s start with the main part… the LSASS.EXE
process dump
This function will receive the process ID (PID) and a string which is the file where the process dump will be written to
We use hooka
to retrieve direct syscalls (see here for references), I only use it with NtOpenProcess however I also wanted to use it with NtCreateFile
but it was really hard so I let you to do that. We will use CreateFileW
instead
As you see, this piece of code firstly opens the given PID to get a handle to the process, then it creates a file in which dump is writen and finally calls MiniDumpWriteDump
which writes process memory to file handle.
At this point we just have to create the main()
function of every Golang script and adding some extra output logging:
Let’s add some logging to the code to provide a better output. And finally add some cool banner using manytools.org automatic generator
And here it’s the final code
If you have any doubt or you wanna ask me anything, contact me via Instagram or Twitter
Let’s go testing it!
First of all we compile our code:
Now we transfer it to our testing Windows machine and let’s execute it
As you can see it seems to have worked. If I list the files we notice that the dump file was created as expected!
Now you can use Mimikatz (or pypykatz if using linux) to extract credentials from memory dump
if all has gone right you should be able to see the info and some credentials
Now let's hard the technique to evade possible security measures. In this ocassion we'll be unhooking native API functions before doing anything so the rest of syscalls will be done without being detected
If you don’t know how API unhooking works you have some excellent posts from ired.team, @MDSec and @SpecialHoang in which they explain it really great.
How will this affect to MiniDumpWriteDump
? Well, you probably would have noticed that this function isn’t part of the native API (ntdll.dll
), and you’re right but this function uses NtReadVirtualMemory
under the hood so if that function isn’t being hooked by any AV/EDR it won’t probably be flagged. You may also think that the same syscalls which are used to unhook native API (i.e. NtWriteVirtualMemory
) will even be detected as they’re being called, but that’s why we use direct syscalls via Hell’s Gate and Halo’s Gate techniques.
So the evasion workflow will be something like this:
Before coding this technique, let’s check if the MiniDumpWriteDump calls NtReadVirtualMemory under the hood with WinDbg
First of all we open WinDbg with administrator privs as program needs to be executed with high privs.
Then we click on Open Executable and select the generated.exe
We add a breakpoint on the NtReadVirtualMemory
function and continue the program execution. As you can see we hitted the breakpoint so we were right. In this case the syscall starting bytes are 4c 8b d1 b8
which means that the function isn’t hooked but in a monitorized environment it would probably be
Let’s move the explanation into Golang code
Repeat the same process compiling the code and executing it.
Now we execute the new binary
And the dump file is created too!
As you see this technique is useful because it doesn’t use Mimikatz but instead use MiniDumpWriteDump API call which is sometimes easy to detect by EDRs. That’s why we use some evasion tricks. I hope you’ve learned a lot:)
Source code here
See you in the next post!
Today we’re gonna see an effective technique to mantain access in Windows systems during red team operations just by modifying a registry key...
Read MoreToday we’ll learn an advanced shellcode injection technique used by Lazarus group which uses UuidFromStringA API call. In this technique, the malware..
Read MoreInstahack is a security tool officially designed to test the password strength of Instagram accounts using termux and kali with a brute force attack...
Read MoreToday we’re gonna see a simple malware development technique, Shellcode injection via CreateRemoteThread in Golang...
Read MoreToday we'll see how we can use Golang internal functions from syscall and golang.org/x/sys/windows packages to call Windows API. Other languages like C o C++ are specifically
Read MoreThe basename command in Linux is used to extract the last element of a file path. This is particularly helpful in bash scripts where you only need the...
Read More