LSASS Dumping Using DFIR Tools

  • Published on 8 Jun 2024
  • In today's video, I show a way to dump LSASS without dumping just the LSASS process. We are using DFIR tools to dump all of the memory, exfil the file created, and then dump the credentials of the box. This is a foolproof method and will get by almost every EDR solution. You will have to deal with a large file size, but in today's day and age, this isn't as big of a problem as it has been in the past.
    WinPmem
    github.com/Velocidex/WinPmem/...
    Volatility
    github.com/volatilityfoundati...
    Chapters
    00:00 Introduction
    00:28 Credential Guard
    02:05 WinPmem
    04:18 Dumping Memory
    05:31 SIEM Rules for Detection of Memory Dumping
    07:52 Dumping Creds with Volatility
    10:36 Please Turn on Credential Guard! Do IT Now!
    10:57 Outro
  • Science & Technology

Comments • 31

  • @HAMETE
    @HAMETE 29 days ago

    As always. This channel is gold. Thanks!

  • @MikeClark7
    @MikeClark7 months ago

    Very cool. I always enjoy learning new things from your videos! They give me great ideas for different detections.

  • @cyberadvent
    @cyberadvent 29 days ago +1

    This was amazing and I will be using this lol thank you!

  • @danielabay01
    @danielabay01 29 days ago

    Awesome technique, learned something new today, thanks!

  • @erwin166
    @erwin166 months ago

    Great!! I like computer forensics, and I will keep this topic in mind.

  • @crash9706
    @crash9706 months ago

    Great content. I learn a lot from you as a red teamer. My question is, how did you learn or know about this?

    • @CyberAttackDefense
      @CyberAttackDefense 29 days ago +1

      This one was brought on by a fleeting chat in a SANS chat room and experimentation. I am lucky to be around other smart people with great ideas that I can test and make into reality.

  • @BEAST4LIF3
    @BEAST4LIF3 months ago +1

    Funny I used the same technique with remote magnet capture but had trouble parsing out lsass with volatility. SAM worked great.

    • @CyberAttackDefense
      @CyberAttackDefense months ago

      I have done similar remotely with PCILeech installed as a service.

    • @BEAST4LIF3
      @BEAST4LIF3 months ago

      @CyberAttackDefense sounds similar to phymem2profit maybe? BTW, what is the best way to reach you? I am a solo operator right now and always need people to bounce ideas off of 😅.

    • @CyberAttackDefense
      @CyberAttackDefense 28 days ago

      Twitter DM

  • @theuni903
    @theuni903 months ago

    Hi Brian, thank you so much for the content you are putting out. In terms of detection, would it not be more robust to look for the winpmem driver hash? As modifying it would invalidate the signature. Of course, assuming that we would have the detection capabilities and incentives.
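
As an added example (not code from the video or from anyone in the thread) of the detection angle above, the driver-hash idea in this comment together with the SIEM detection chapter in the description: a small Python triage routine over Sysmon Event ID 6 (DriverLoad) records that flags a watchlisted driver hash and, because a rebuilt or patched driver loses its valid signature, any driver load whose signature is not valid. The hashes, signer strings, file paths and records are constructed placeholders, not real WinPmem values.

```python
# Constructed watchlist of memory-acquisition driver hashes (placeholders, not
# real WinPmem values): SHA256 -> label.
WATCHLIST_SHA256 = {
    "a" * 64: "WinPmem (placeholder hash)",
}

def parse_hashes(field):
    """Sysmon writes Hashes as 'SHA256=...,MD5=...'; return {algo: digest}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            out[algo.strip().upper()] = digest.strip().lower()
    return out

def classify(event):
    """Return a finding for a Sysmon DriverLoad (EventID 6) record, else None."""
    if event.get("EventID") != 6:
        return None
    image = event.get("ImageLoaded", "")
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in WATCHLIST_SHA256:
        # Known build of a memory-acquisition driver: exact hash match.
        return {"severity": "high", "reason": "watchlisted driver hash",
                "tool": WATCHLIST_SHA256[sha256], "image": image}
    if event.get("Signed") != "true" or event.get("SignatureStatus") != "Valid":
        # A rebuilt or patched driver dodges the hash list but no longer carries
        # a valid signature, which is the point the comment above makes.
        return {"severity": "medium", "reason": "unsigned or invalid signature",
                "tool": None, "image": image}
    return None

def scan(events):
    """Run classify over a list of records, keeping only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]

# Constructed sample records using Sysmon Event ID 6 field names.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\acpi.sys",
     "Hashes": "SHA256=" + "1" * 64, "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\pmem.sys",
     "Hashes": "MD5=" + "2" * 32 + ",SHA256=" + "a" * 64, "Signed": "true",
     "Signature": "Example Vendor", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\patched.sys",
     "Hashes": "SHA256=" + "b" * 64, "Signed": "true",
     "Signature": "Example Vendor", "SignatureStatus": "Invalid"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]
```

Calling `scan(SAMPLE_EVENTS)` returns two findings: a high-severity hash match for `pmem.sys` and a medium-severity signature finding for `patched.sys`; the Microsoft driver and the non-DriverLoad record produce none.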

  • @eladfern
    @eladfern 28 days ago

    Great video !!!
    Unfortunately Microsoft's requirements for Credential Guard are pretty "heavy". For example, it will work only on Windows Enterprise edition.

    • @CyberAttackDefense
      @CyberAttackDefense 28 days ago

      Very true! This is the reason many orgs didn’t implement this control. Implement where possible.

  • @cvport8155
    @cvport8155 months ago

    Wow bro make more ❤❤❤

  • @ohmsohmsohms
    @ohmsohmsohms months ago

    Wow

  • @franciscog7110
    @franciscog7110 15 days ago

    This is a great share. I am using it and dumped the RAM, and from it the SAM hashes using volatility3. However, it would be more useful to get the actual NTLM hashes of the AD users, and this is not in the LSA secrets method from volatility3. I thought that maybe if I carved out somehow the process data from the lsass.exe that is in the RAM dump, it would be possible to analyze it with mimikatz minidump locally. But it just fails. Am I doing something that makes no sense?

    • @CyberAttackDefense
      @CyberAttackDefense 15 days ago

      The hashes from volatility are the NTLM hashes. You can crack or pass them.

    • @franciscog7110
      @franciscog7110 15 days ago

      Thank you for the reply @CyberAttackDefense. I get the local user hashes from the volatility3 plugin windows.hashdump, and mimikatz returns also the NT hashes of the AD users on the same host. So I was wondering if it is possible to convert the output from WinPmem and use it on mimikatz offline. I know the DA NTLM hash is there, and then I just need to pass it to end the test.

    • @CyberAttackDefense
      @CyberAttackDefense 15 days ago

      @franciscog7110 You can dump the process with volatility and run mimikatz against it. Did you try using memdump? Or, if you have an older version of volatility, there is a mimikatz plugin.

  • @Goun-hn6uv
    @Goun-hn6uv 13 days ago

    Then how to bypass credential guard?

    • @CyberAttackDefense
      @CyberAttackDefense 13 days ago

      So you can’t really bypass credential guard. There are some other methods but the closest I have seen was what Oliver Lyak did here. research.ifcr.dk/pass-the-challenge-defeating-windows-defender-credential-guard-31a892eee22

    • @Goun-hn6uv
      @Goun-hn6uv 11 days ago

      @CyberAttackDefense thanks for sharing!

  • @gunnerysergeant8889
    @gunnerysergeant8889 29 days ago

    Was that from a low-priv user?

    • @CyberAttackDefense
      @CyberAttackDefense 29 days ago

      No, this is assuming admin. Find an escalation path first.

    • @gunnerysergeant8889
      @gunnerysergeant8889 28 days ago +1

      Okay, I see... the goal here is being quiet and stealthy!! Thank you

  • @alexanderdell2623
    @alexanderdell2623 months ago +1

    Man, stop burning tools just like that😅

    • @CyberAttackDefense
      @CyberAttackDefense months ago

      Oh I have better! Not burning my real secrets