Dump LSASS memory dump method

Time:2021-9-15

I saw an article about LSASS memory dump before. Learn to record it.

Lsass.exe (Local Security Authority Subsystem Service) process space contains important information such as the domain, local user name and password of the machine. If the local high permission is obtained, the user can access the LSASS process memory, so that the internal data (password) can be exported for horizontal movement and permission promotion.

In the windows environment, a well-known open source tool mimikatz (developed by Benjamin Delpy) can extract user names and passwords from LSASS memory data. However, running the corresponding tools directly may be detected by local AV products. Therefore, it becomes more and more common to send back after dumping LSASS process memory.

Known methods of dump LSASS

1. Microsoft signature document

  • ProcDump

    Procdump is a Microsoft signed legal binary file that is provided to dump process memory.

  • Task Manager

    Open the task manager, select the target process, click “create dump file” in the right-click menu, and save the file as% temp% \. DMP.

  • ProcExp

    Procdump and procdump are both legal tools provided by windows. This program can be considered as an upgraded version of task manager. It also creates dump files after right clicking the target process, including minidump and full dump. If you want to steal the user login credentials in LSASS, you should select all dump.

  • SQLDumper

    Sqldumper.exe is included in Microsoft SQL and office to generate a complete dump file.

  • Comsvcs.dll

    The file can be found in every windows system. Rundll32 can be used to execute its export function minidump to realize the full dump of the process.

  • CreateDump.exe

    Tools available in. Net 5.

2. Other tools / methods

  • One of the modules of powerploit, out minidump
  • Process Hacker
  • Avdump.exe (avast antivirus product component)

3. Full memory dump (refers to the dump of the entire RAM memory space, which takes a long time and takes up a large amount of disk space)

  • WinPmem
  • Rowcopy (export credentials from hibernfil.sys)
  • Get credentials from vmem / vmsn, which are virtual machine memory storage files

4. Custom dump

  • The minidumpwritedump method is exported from dbghelp.dll. This API calls ntreadvirtualmemory to read the memory data of the target process
  • MiniDumpWriteDump + PssCaptureSnapshot, which can be used to get a memory snapshot of the target process, and then calling MiniDumpWriteDump will read data from the snapshot memory instead of directly from the target process, making it easier to evade AV/EDR detection.

A new method of dump LSASS

This technology is related to the werfault.exe process. When a running process crashes, werfault.exe will dump the memory of the process. From this point of view, this behavior can be used to dump the memory of the target process.

This method relies on a mechanism called “silent process exit” introduced by win7, which provides the ability to trigger special actions for the monitored process in two cases:

(1) The monitored process calls exitprocess() to terminate itself;

(2) Other processes call terminateprocess() to end the monitored process.

After configuration, several actions that can be supported when the “silent process exit” mechanism is triggered include:

  • Start a monitoring process
  • Displays a pop-up window
  • Create a dump file

Here we mainly discuss the third method, that is, creating dump files.

To set “silent exit” monitoring for a process, several registry keys need to be preset:

  1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\Under registry keyGlobalFlagValue: 0x200 (flg_monitor_silent_process_exit);

  2. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\Three key values under the registry key:

    1)ReportingMode(reg_dword), which can be set to the following and has different functions:

      a)LAUNCH_MONITORPROCESS(0x1) – start the monitoring process;
      b)LOCAL_DUMP(0x2) – create a dump file for both the process causing the termination of the monitored process and the monitored process itself;
      c)NOTIFICATION(0x4) – pop up window is displayed.

    2)LocalDumpFolder(reg_sz) – the directory where dump files are stored. The default is%TEMP%\\Silent Process Exit

    3)DumpType– according toMINIDUMP_TYPEThe enumeration value specifies the type of dump file (micro, mini, heap or custom). The value of completely dumping the memory of the target process isMiniDumpWithFullMemory (0x2)。

Now we only need to terminate the target process to obtain the dump file of the corresponding file, but our purpose is to obtain the administrator login credentials in the LSASS process, and killing LSASS means that the system will restart. It not only increases the risk of being found, but also may cause the program to not run again.

  is there a method that can trigger the “silent process exit” mechanism without actually terminating the monitored process? There are still some. According to the author, it refers to the blogHexacorn’s blog(the blog has published a large number of research articles on the use of technology on the windows platform). It can be seen that when the process terminates, it will call from ntdll.dllRtlReportSilentProcessExitAPI, which will communicate with the windows error reporting service (wersvc under wersvcgroup) to inform the current process that a silent exit is being performed. Then, the wer service will start werfault.exe to dump the current process. It is worth noting that this API is calledWill not cause the process to exit。 This allows us to perform dump actions on the LSASS process without causing the LSASS to terminate.

NTSTATUS(NTAPI* RtlReportSilentProcessExit) (
       _In_     HANDLE     ProcessHandle,
       _In_     NTSTATUS   ExitStatus
       );

  the author uses two methods: one is to directly call rtlreportsilentprocessexit, and the other is to remotely create a thread in LSASS to execute rtlreportsilentprocessexit. Here, I just try to call rtlreportsilentprocessexit directly, and inject too many actions into other processes (lazy).

  by observing procmon, we can see that the process sequence is lsassdump.exe – > svchost.exe (wersvcgroup) – > werfault.exe. The dump file is created by wefault.exe with high running level.

  CODE

The detection method depends on the analysis and identification of the attack process.

As for another method of using silent process exit for persistence, I feel that it is not so practical if it is purely for persistence. It is better to protect malicious processes when they are deleted, such as restart or delayed restart, rename mobile restart, etc., but it is useless for professionals.

reference resources

https://www.deepinstinct.com/2021/01/24/lsass-memory-dumps-are-stealthier-than-ever-before/

https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit