Hunting for Credential Dumping via LSASS Shtinkering | Threat SnapShot
- Published on 18 Nov 2024
- In this week's Threat SnapShot, we break down a technique for extracting credentials from memory: LSASS Shtinkering. "Shtinker", Hebrew slang for "snitch", implies that we are going to be snitching on LSASS. And indeed, this technique abuses the built-in Windows Error Reporting service into creating a memory dump of LSASS, which contains password hashes, tokens, and other authentication data. The technique has been on the rise as adversaries look for new, undetected ways of obtaining valid credentials, and LSASS dumping in particular is a shared technique across most ransomware gangs (Conti, Hive, LockBit, and BlackByte, among others). We'll discuss how the technique works, as well as threat hunting and detection strategies that you can use to protect your organization.
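The hunting strategies listed below (DumpType registry modification, WerFault opening LSASS, the dump file on disk, and the AppCrash report) can be expressed as a handful of simple checks over endpoint telemetry. The following is an added example, not SnapAttack's content or code from the video or the referenced repositories: it runs those four checks over a constructed batch of Sysmon-style and Application-log records embedded in the script. The registry path, the `DumpType` values (1 = mini, 2 = full), the `lsass.exe.<pid>.dmp` naming and the Sysmon event IDs are documented Windows/Sysmon behaviour; the record field names and the sample events themselves are assumptions made for illustration, and the `hunt()` helper is hypothetical.

```python
# Added example (not from the page or its references): toy detection logic for the
# LSASS Shtinkering indicators, run over constructed Sysmon-style event records.
import re

# WER LocalDumps key as Sysmon writes it in TargetObject. DumpType 2 (full) is what
# makes WerFault write a complete memory image; per-app subkeys (LocalDumps\lsass.exe)
# share the same prefix and are caught by the same check.
LOCALDUMPS_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps"
DUMPTYPE_NAMES = {0: "custom", 1: "mini", 2: "full"}
# WER names its dumps <image>.<pid>.dmp; the folder is attacker-settable via DumpFolder,
# so the check is on the file name only.
LSASS_DUMP_NAME = re.compile(r"^lsass\.exe\.\d+\.dmp$", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dumptype_modification(ev):
    """Sysmon EID 13 (registry value set): DumpType written under LocalDumps."""
    if ev.get("EventID") != 13:
        return None
    obj = ev.get("TargetObject", "")
    if not obj.lower().startswith(LOCALDUMPS_KEY.lower()) or _basename(obj) != "dumptype":
        return None
    # Sysmon renders DWORD values as "DWORD (0x00000002)".
    m = re.search(r"DWORD \((0x[0-9a-f]+)\)", ev.get("Details", ""), re.I)
    value = int(m.group(1), 16) if m else None
    return {"rule": "dumptype_modification",
            "dumptype": DUMPTYPE_NAMES.get(value, value), "writer": ev.get("Image")}


def werfault_lsass_access(ev):
    """Sysmon EID 10 (ProcessAccess): WerFault.exe opening a handle to lsass.exe."""
    if ev.get("EventID") != 10:
        return None
    if _basename(ev.get("SourceImage", "")) != "werfault.exe":
        return None
    if _basename(ev.get("TargetImage", "")) != "lsass.exe":
        return None
    return {"rule": "werfault_lsass_access", "granted": ev.get("GrantedAccess")}


def lsass_dump_file(ev):
    """Sysmon EID 11 (FileCreate): a WER-style lsass.exe.<pid>.dmp in any folder."""
    if ev.get("EventID") != 11:
        return None
    if not LSASS_DUMP_NAME.match(_basename(ev.get("TargetFilename", ""))):
        return None
    return {"rule": "lsass_dump_file", "path": ev["TargetFilename"]}


def appcrash_report(ev):
    """Application log EID 1001 from Windows Error Reporting naming lsass.exe in an AppCrash."""
    if ev.get("EventID") != 1001 or ev.get("Provider") != "Windows Error Reporting":
        return None
    msg = ev.get("Message", "")
    if "AppCrash" not in msg or "lsass.exe" not in msg.lower():
        return None
    return {"rule": "appcrash_report"}


RULES = (dumptype_modification, werfault_lsass_access, lsass_dump_file, appcrash_report)


def hunt(events):
    """Run every rule over every event and flag when the whole Shtinkering chain is present."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    seen = {h["rule"] for h in hits}
    chain = {"dumptype_modification", "werfault_lsass_access", "lsass_dump_file"} <= seen
    return {"hits": hits, "chain_complete": chain}


# Constructed sample telemetry (assumed field names; not real logs).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\bob\tools\shtinker.exe",
     "TargetObject": LOCALDUMPS_KEY + r"\DumpType", "Details": "DWORD (0x00000002)"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": LOCALDUMPS_KEY + r"\DumpType", "Details": "DWORD (0x00000001)"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\WerFault.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WerFault.exe",
     "TargetFilename": r"C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\lsass.exe.712.dmp"},
    {"EventID": 1001, "Provider": "Windows Error Reporting",
     "Message": "Fault bucket 1234567890, type 4 Event Name: AppCrash P1: lsass.exe P2: 10.0.19041.1"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS)["hits"]:
        print(hit)
```

A genuine LSASS crash leaves the same WER trail (WerFault access, dump file, AppCrash report), so none of these alone is proof of Shtinkering; the discriminators worth adding in a real query are the DumpType write coming from something other than an administrator's tooling and LSASS continuing to run after the "crash". The `chain_complete` flag is a hunting lead, not a verdict.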
References:
media.defcon.o...
github.com/dee...
github.com/hel...
SnapAttack Content:
app.snapattack... - Threat: LSASS Shtinkering
app.snapattack... - Threat: LSASS Shtinkering - nanodump
app.snapattack... - Detection: Possible LSASS Shtinkering - Registry Key Modification of DumpType
app.snapattack... - Detection: Evidence of LSASS Shtinkering - Dump File
app.snapattack... - Detection: Evidence of LSASS Shtinkering - AppCrash Reports
app.snapattack... - Detection: WerFault LSASS Process Memory Dump
app.snapattack... - Detection: WerFault Accessing LSASS