Attack on Demand: Credential Access using LSASS
Updated: May 24
This article provides a demonstration and context for the Credential Access using LSASS Attack on Demand packages that are a part of the Continuous Intelligent Red Team (CIRT) Insider Threat module.
When an attacker first gains access to a host, one of their early goals is to seize as many credentials as possible. This increases the likelihood that they will have the permissions needed to maneuver through the compromised network and achieve their objective - usually stealing or encrypting your valuable data.
On a Microsoft Windows host, one of the most common tactics an attacker uses to seize credentials is to dump the process memory of the Local Security Authority Subsystem Service (LSASS), which Windows uses to store credentials and other protected data that the operating system needs. With a copy of the LSASS memory, the attacker can use a tool like Mimikatz to extract credentials that let them advance their attack.
An attacker has gained initial Administrator access to the host you're testing, and now needs to collect credentials that will allow them to maneuver to additional hosts or shared resources in your network, in order to gain access to the data they are seeking to steal or ransom.
Microsoft Windows 10 Host
Attack Package Descriptions
Currently, there are two options available to test your security against this tactic: Credential Access using LSASS, and Credential Access Using LSASS and Mimikatz. The steps taken to gain execution and dump LSASS memory are identical in both. For the option with Mimikatz, the test will also attempt to extract the credentials from the dumped LSASS memory on the host being targeted.
Advanced attackers are more likely to exfiltrate the dumped LSASS memory and run Mimikatz or other tools on that copy to extract credentials, since Mimikatz is a well-known attack tool that security solutions commonly detect, and running it on the host increases the chances that the attack will be disrupted.
Attack Package Steps
Once the execution script is run as Administrator, the following actions will occur:
Internet connectivity will be tested by attempting to ping www.breachbits.com
The BreachBits BlueShadow loader will be downloaded from the BreachBits attack infrastructure using one of the following native Windows utilities:
Curl (only available in recent Windows 10 releases)
The native Windows utility Rundll32.exe will be used to load the BlueShadow Dynamic Link Library (DLL) into memory.
Read more about this common execution and defense evasion tactic here: https://attack.mitre.org/techniques/T1218/011/
BlueShadow will download the payload needed to dump LSASS memory (and Mimikatz for the option with Mimikatz)
BlueShadow will attempt to dump the LSASS memory and write it to a file on the Desktop. This file stays on the host being tested.
(Mimikatz Package Only) BlueShadow will use Mimikatz to extract credentials and hashes from the LSASS memory file. This file stays on the host being tested.
Results and Next Steps
The best (and most secure) result of tests using these Attack on Demand packages is your security solution stopping BlueShadow from dumping LSASS memory at all. Dumping the memory of a process is not malicious by itself. However, the fact that the memory of such a sensitive process is being dumped, along with the sheer volume of memory that is dumped, should trigger your endpoint security solution to detect (and ideally stop) this behavior, keeping your credentials secure from attackers attempting this tactic to expand their access and move laterally through your network.
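As an added illustration of the detection described above (not part of this article or the BreachBits packages), the following script flags the two behaviours the package exhibits when run against constructed process-create and process-access records. The pipe-delimited record format, the allowlist of images that may open LSASS, and the user-writable path heuristic are all assumptions for this example; real Sysmon events are XML and the allowlist must be baselined per environment.

```python
import re
from dataclasses import dataclass

PROCESS_VM_READ = 0x0010  # GrantedAccess bit required to read another process's memory

# Images expected to open LSASS on a Windows 10 host (assumption for this example;
# a real deployment baselines this list per environment).
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}
# Directories an unprivileged user can write to (heuristic assumed for this example).
USER_WRITABLE = re.compile(r"\\users\\|\\temp\\|\\programdata\\", re.IGNORECASE)

@dataclass
class Alert:
    rule: str
    image: str
    detail: str

def parse_record(line):
    """Parse one constructed 'Key=Value|Key=Value' record (not real Sysmon XML)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def inspect(rec):
    """Alert on a non-allowlisted process opening lsass.exe with read rights (EventID 10),
    or rundll32.exe loading a DLL from a user-writable path (EventID 1)."""
    eid = rec.get("EventID")
    if eid == "10" and rec.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        access = int(rec.get("GrantedAccess", "0"), 16)
        src = rec.get("SourceImage", "").lower()
        if access & PROCESS_VM_READ and src not in LSASS_ALLOWLIST:
            return Alert("lsass_memory_read", src, f"GrantedAccess=0x{access:x}")
    if eid == "1" and rec.get("Image", "").lower().endswith(r"\rundll32.exe"):
        cmd = rec.get("CommandLine", "")
        if USER_WRITABLE.search(cmd):
            return Alert("rundll32_user_writable_dll", rec["Image"].lower(), cmd)
    return None

def scan(lines):
    """Return the alerts raised by every non-empty record in lines, in order."""
    return [a for a in (inspect(parse_record(l)) for l in lines if l.strip()) if a]

# Constructed sample events; the second is a benign LSASS handle, the last a benign rundll32.
SAMPLE_LOG = r"""
EventID=1|Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe C:\Users\bob\Downloads\loader.dll,Start
EventID=10|SourceImage=C:\Windows\System32\svchost.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1000
EventID=10|SourceImage=C:\Windows\System32\rundll32.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF
EventID=1|Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe shell32.dll,Control_RunDLL
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```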
If your endpoint security solution allowed LSASS memory to be dumped, we recommend reviewing its documentation to identify any configuration changes that increase its sensitivity, so that an attacker cannot use this tactic to gain access to your sensitive credentials.