2018-10-27
Another alternative to LSASS dumping
====================================
TL;DR: Dumping credentials from LSASS may not always be trivial due to the
presence of EDR products, and bypassing such products may not always be
trivial. As an alternative, disconnected user sessions can be entered
without knowing the password of the user, when Task Manager can be launched
in SYSTEM context. This post illustrates the Token Duplication technique
that may be used to duplicate a process token from a process running as
SYSTEM, in order to start an instance of Task Manager as SYSTEM, such that
the victim user session can be entered without knowing the user's password.
# Background
This post is a continuation of the 'Alternative to LSASS dumping' post,
which discusses the technique of using DLL search-order hijacking to get
malware executed in a high-privileged victim user's context, as an
alternative to dumping the memory of LSASS.
On a red team engagement, we observed indicators of highly-privileged
users having authenticated against the compromised host after the last
reboot.
Therefore, we deemed it likely that their credentials were still cached in
the LSASS process memory, ripe for dumping since we had already gained
local administrative privileges on the host. However, as we believed the
EDR solution present on the host would detect the available dumping
techniques, we explored alternatives.
We observed that RDP sessions of high-privileged users had been left
disconnected; however, without the users' passwords we could not enter
their sessions, unless we could get an instance of Task Manager to run in
SYSTEM context.
# PsExec
We evaluated the viability of using PsExec to create a temporary service
running as SYSTEM to instantiate Task Manager in SYSTEM context, but
abandoned the idea, as we deemed it likely that service creation was
heavily monitored.
# Token Duplication
We evaluated the viability of using the well-known Token Duplication [1]
technique to instantiate Task Manager in SYSTEM context, decided to
proceed with it, and ended up with the C# application linked under Source
below.
In brief, the technique works by accessing the token of a process running
in SYSTEM context, e.g. winlogon.exe, duplicating it, and then using it to
create a new instance of Task Manager in SYSTEM context. With Task Manager
running as SYSTEM, connecting to disconnected privileged sessions is
doable without knowing the password of the victim user.
Source: github.com/magnusstubman/tokenduplicator
Demo: youtu.be/UmwW0fpPBSg
# Mitigation
Primary mitigations should consist of constraining user privileges such
that as few people as possible have administrative rights. Secondary
mitigations should consist of monitoring the usage of the sensitive Win32
APIs used in the linked code sample, and alerting on potentially malicious
usage.
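As an added illustration of the secondary mitigation (not part of the original post or the linked tool), here is a small Python pass over constructed Sysmon-style process-creation and process-access events that flags the two observable ends of the chain: a non-allowlisted process opening winlogon.exe, and Task Manager starting under the SYSTEM account. The field names follow Sysmon's event schema; the allowlist, the tool list and the sample events are assumptions to tune per environment.

```python
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"

# Interactive tools that should not run as SYSTEM (assumption: tune per environment).
INTERACTIVE_TOOLS = {"taskmgr.exe"}

# Processes expected to open winlogon.exe on a typical host (assumption: tune per environment).
WINLOGON_ACCESS_ALLOWLIST = {"csrss.exe", "lsass.exe", "svchost.exe", "msmpeng.exe"}


def _basename(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return an alert string if a Sysmon-style event matches one of the two rules, else None."""
    eid = ev.get("EventID")
    if eid == 1:  # process creation: GUI tool launched under the SYSTEM account
        image = _basename(ev.get("Image", ""))
        if image in INTERACTIVE_TOOLS and ev.get("User", "").upper() == SYSTEM_ACCOUNT:
            return (f"{image} started as SYSTEM (parent {_basename(ev.get('ParentImage', ''))}, "
                    f"pid {ev.get('ProcessId')}): possible duplicated-token launch")
    elif eid == 10:  # process access: only logged if the Sysmon config targets winlogon.exe
        if _basename(ev.get("TargetImage", "")) == "winlogon.exe":
            source = _basename(ev.get("SourceImage", ""))
            if source not in WINLOGON_ACCESS_ALLOWLIST:
                return (f"{source} (pid {ev.get('SourceProcessId')}) opened winlogon.exe with "
                        f"GrantedAccess {ev.get('GrantedAccess')}: possible token theft")
    return None


def find_suspicious(events):
    """Run check_event over an iterable of events and collect the alerts in order."""
    return [alert for ev in events if (alert := check_event(ev))]


SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"EventID": 1, "Image": r"C:\Windows\System32\taskmgr.exe", "User": r"CORP\alice",
     "ParentImage": r"C:\Windows\explorer.exe", "ProcessId": 4120},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe", "SourceProcessId": 600,
     "TargetImage": r"C:\Windows\System32\winlogon.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\tokendup.exe", "SourceProcessId": 5240,
     "TargetImage": r"C:\Windows\System32\winlogon.exe", "GrantedAccess": "0x1400"},
    {"EventID": 1, "Image": r"C:\Windows\System32\taskmgr.exe", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Users\alice\Downloads\tokendup.exe", "ProcessId": 5300},
]

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_EVENTS):
        print(alert)
```

Many default Sysmon configurations only log ProcessAccess events for lsass.exe, so the second rule needs winlogon.exe added as a target before it produces anything.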
# References
[1] attack.mitre.org/techniques/T1134/002