Dumping Lsass with trusted processes

渗透技巧 10个月前 admin
164 0 0
In today’s blog we will go through some points like:
在今天的博客中,我们将介绍一些要点,例如:
  • What is LSASS 什么是LSASS
  • Why LSASS 为什么选择LSASS
  • LSASS Dumping Techniques LSASS倾倒技术
  • ASR Rules ASR 规则
  • Proof of Concept 概念验证
  • Demo 演示
  • References 引用
What is LSASS 什么是LSASS
LSASS (Local Security Authority Subsystem Service) is the process on Microsoft Windows that handles all user authentication, password changes, creation of access tokens, and enforcement of security policies. This means the process stores multiple forms of hashed passwords, and in some instances even stores plaintext user passwords. So with that we can undetstand that Lsass is very important process. We can find the lsass process in task manger -> Details -> lsass.exe:
LSASS(本地安全机构子系统服务)是 Microsoft Windows 上处理所有用户身份验证、密码更改、访问令牌创建和安全策略实施的过程。这意味着该过程存储多种形式的散列密码,在某些情况下甚至存储纯文本用户密码。 因此,我们可以发现Lsass是非常重要的过程。 我们可以在任务管理器中找到 lsass 流程 -> 详细信息 -> lsass.exe:
Dumping Lsass with trusted processes
LSASS contains valuable authentication data such as:
LSASS 包含有价值的身份验证数据,例如:
  • encrypted passwords 加密密码
  • NT hashes  NT 哈希
  • LM hashes  LM 哈希
  • Kerberos tickets 科贝罗斯门票
  • Cleartext credentials (if wdigest is enabled)
    明文凭据(如果启用了摘要)
Why LSASS? 为什么选择LSASS?
Adversaries or attackers commonly abuse the Local Security Authority Subsystem Service (LSASS) to dump credentials for privilege escalation, data theft, and lateral movement. The process is a fruitful target for adversaries because of the sheer amount of sensitive information it stores in memory.
攻击者或攻击者通常滥用本地安全机构子系统服务 (LSASS) 来转储凭据以进行权限提升、数据盗窃和横向移动。对于对手来说,该过程是一个富有成效的目标,因为它在内存中存储了大量的敏感信息。
LSASS Dumping Techniques LSASS倾倒技术
There are several techniques and tools to dump lsass such as:
有几种技术和工具可以转储 lsass,例如:
  • Task Manager 任务管理器
  • Procdump
  • comsvcs.dll
  • Mimikatz 米米卡茨
  • PPLdump  PPLdump
  • HandleKatz  汉德卡茨
  • nanodump  纳米转储
  • safetykatz 安全卡茨
  • …….
ASR Rules ASR 规则
Attack surface reduction rules (ASR rules) help prevent actions that malware often abuses to compromise devices and networks. ASR can help detect and prevent targeted exploits. By restricting the ways in which attackers can infiltrate a system, ASR provides an additional layer of defense against cyber threats. Below picture we can see all ASR rules and GUID
攻击面减少规则 (ASR 规则) 有助于防止恶意软件经常滥用以危害设备和网络的操作。ASR 可以帮助检测和防止有针对性的攻击。通过限制攻击者渗透系统的方式,ASR 提供了针对网络威胁的额外防御层。 下图我们可以看到所有 ASR 规则和 GUID
Dumping Lsass with trusted processes
ASR Rules ASR 规则
Proof Of Concept 概念验证
So now, After we understand what is lsass and why it’s important for the attackers. Now we will go from the attacker’s side to see how to exploit it and extract the information. When we try the above techniques Microsoft defender will flag it as malicious because the ASR rule prevents untrusted processes from having direct access to LSASS memory. The picture below explains the Lsass ASR rule:
所以现在,在我们了解什么是 lsass 以及为什么它对攻击者很重要之后。现在,我们将从攻击者的角度出发,了解如何利用它并提取信息。当我们尝试上述技术时Microsoft防御者会将其标记为恶意,因为 ASR 规则阻止不受信任的进程直接访问 LSASS 内存。下图解释了Lsass ASR规则:
Dumping Lsass with trusted processes
Lsass Rule 拉萨斯规则
After we understand the above rule now our goal is finding a process that is trusted for direct access. After searching on the internet, I found an interesting repository on github that contains all the ASR rules:
现在,在了解上述规则之后,我们的目标是找到一个受信任的直接访问进程。在互联网上搜索后,我在github上找到了一个有趣的存储库,其中包含所有ASR规则:
Dumping Lsass with trusted processes
GitHub – HackingLZ/ExtractedDefender
GitHub
Then we go for Lsass rule (9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) page to read the rule. Below picture shows the rule Name,Description and GetMonitoredLocations.
然后我们去Lsass规则(9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)页面来阅读规则。 下图显示了规则名称,描述和获取监视位置。
Dumping Lsass with trusted processes
Information 信息
So, it functions by filtering the handle returned from OpenProcess to remove read access to the process memory, this preventing its content from being dumped. But at the same time, we found GetPathExclusions that contain all the processes that are excluded to have direct access to the LSASS process.
因此,它通过过滤从 OpenProcess 返回的句柄来删除对进程内存的读取访问权限,从而防止其内容被转储。但与此同时,我们发现 GetPathExclusions 包含所有被排除为可以直接访问 LSASS 进程的进程。
Dumping Lsass with trusted processes
GetPathExclusions  获取路径排除项
And also, we can do it in the manual way. First we need to locate the Defender signature files. And we can find these in the following location: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup
而且,我们可以以手动方式完成。首先,我们需要找到 Defender 签名文件。我们可以在以下位置找到这些: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup
In our case, we are primarily interested in the mpasbase.vdm file that contain signatures, emulation resources, etc. Then we use this tool to extract it:
在我们的例子中,我们主要对包含签名、仿真资源等的 mpasbase.vdm 文件感兴趣。然后我们使用这个工具来提取它:
GitHub – hfiref0x/WDExtract: Extract Windows Defender database from vdm files and unpack it
GitHub – hfiref0x/WDExtract:从 vdm 文件中提取 Windows Defender 数据库并将其解压缩
GitHub
Then we will have mpasbase.vdm.extracted file. After that, we opened the extracted file in HxD to search for the GUID of the ASR rule that we wanted to investigate and in our case we searched for Lsass rule (9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2):
然后我们将有mpasbase.vdm.extract文件。之后,我们在 HxD 中打开提取的文件以搜索我们要调查的 ASR 规则的 GUID,在本例中,我们搜索了 Lsass 规则 (9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2):
Dumping Lsass with trusted processes
And in the picture below we see all the excluded programs for Lsass ASR rule:
在下图中,我们看到了Lsass ASR规则的所有排除程序:
Dumping Lsass with trusted processes
#Note: It’s important to keep in mind that the list of paths you may see here in the hex dump are not always exclusions. So You will need to do some testing or you can use the above link to the GitHub repository that includes this already extracted data for you
#Note:请务必记住,您在十六进制转储中可能在此处看到的路径列表并不总是排除项。因此,您将需要进行一些测试,或者您可以使用上面的GitHub存储库链接,其中包含已为您提取的数据
After we find and understand what we need now, it’s time to let one of these processes access Lsass and dump it. But how will this happen? We will use (Process Hollowing) technique.
在我们找到并了解我们现在需要的东西之后,是时候让其中一个进程访问 Lsass 并转储它了。但这将如何发生?我们将使用(工艺镂空)技术。
Process hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code.
进程挖空通常通过创建一个处于挂起状态的进程,然后取消映射/掏空其内存来执行,然后可以用恶意代码替换。
You will be wondering why we create a process in a suspended state ? The idea here is to launch a legitimate process, then replace the content of the process with malicious code and then resume it. The picture below is a simple example for the technique:
你会想知道为什么我们创建一个处于挂起状态的进程?这里的想法是启动一个合法的进程,然后用恶意代码替换进程的内容,然后恢复它。下图是该技术的简单示例:
Dumping Lsass with trusted processes
To achieve this with Process hollowing, we will create a program with the below windows APIs and we will use Lsass dumping shellcode but encrypted with XOR and decrypted when it’s running:
为了通过进程挖空来实现这一点,我们将使用以下 Windows API 创建一个程序,我们将使用 Lsass 转储外壳代码,但使用 XOR 加密并在运行时解密:
Dumping Lsass with trusted processes
Process hollowing 工艺镂空
So, first in our case we use CreateProcess to lunch (mrt.exe) process with suspended state
因此,首先在我们的例子中,我们使用 创建进程 午餐 (mrt.exe) 进程 暂停状态
Dumping Lsass with trusted processes
CreateProcess 创建进程
Then we query the process using ZwQueryInformationProcess
然后我们使用 ZwQueryInformationProcess 查询进程
Dumping Lsass with trusted processes
ZwQueryInformationProcess
After that read the bytes from the process using ReadProcessMemory
之后,使用ReadProcessMemory从进程中读取字节
Dumping Lsass with trusted processes
Now we will copy the shellcode, but first we need to have a shellcode to dump lsass for us and we found it in this blog:
现在我们将复制shellcode,但首先我们需要有一个shellcode来为我们转储lsass,我们在这个博客中找到了它:
Dumping Lsass with trusted processes
Shellcode to Dump the Lsass Process
用于转储 Lsass 进程的外壳代码
?Blog of Osanda ?奥桑达博客
An extra step to evade detection is we use XOR to encrypt the above shellcode:
逃避检测的另一个步骤是我们使用 XOR 来加密上面的外壳代码:
Dumping Lsass with trusted processes
After XORing our shellcode, we copy it into our program and also use the xor decrypt function to decrypt the shellcode:
在对我们的外壳代码进行异或运算后,我们将其复制到程序中,并使用异或解密函数来解密外壳代码:
Dumping Lsass with trusted processes
Then we write our shellcode using WriteProcessMemory
然后我们使用 WriteProcessMemory 编写我们的 shellcode
Dumping Lsass with trusted processes
And the final thing is to resume the thread using ResumeThread
最后一件事是使用 ResumeThread 恢复线程
Dumping Lsass with trusted processes
Now it’s time to test our program on Windows machine with MD and ASR rule enabled.
现在是时候在启用了 MD 和 ASR 规则的 Windows 机器上测试我们的程序了。
Demo 演示
In the below demo’s we tested our program with two technique:
在下面的演示中,我们用两种技术测试了我们的程序:
Locally 本地
Dumping Lsass with trusted processes
Remotely ( without touching desk )
远程(无需触摸办公桌)
Dumping Lsass with trusted processes

原文始发于pwn3dx:Dumping Lsass with trusted processes

版权声明:admin 发表于 2023年9月20日 上午8:55。
转载请注明:Dumping Lsass with trusted processes | CTF导航

相关文章

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...