Dumping Lsass with trusted processes

Penetration techniques, 7 months ago, admin
In today's blog we will go through the following points:
  • What is LSASS
  • Why LSASS
  • LSASS Dumping Techniques
  • ASR Rules
  • Proof of Concept
  • Demo
  • References
What is LSASS
LSASS (Local Security Authority Subsystem Service) is the process on Microsoft Windows that handles all user authentication, password changes, creation of access tokens, and enforcement of security policies. This means the process stores multiple forms of hashed passwords, and in some instances even plaintext user passwords. From that we can understand that lsass is a very important process. We can find the lsass process in Task Manager -> Details -> lsass.exe:
LSASS contains valuable authentication data such as:
  • encrypted passwords
  • NT hashes
  • LM hashes
  • Kerberos tickets
  • Cleartext credentials (if WDigest is enabled)
Why LSASS?
Adversaries commonly abuse the Local Security Authority Subsystem Service (LSASS) to dump credentials for privilege escalation, data theft, and lateral movement. The process is a fruitful target because of the sheer amount of sensitive information it stores in memory.
LSASS Dumping Techniques
There are several techniques and tools to dump lsass, such as:
  • Task Manager
  • Procdump
  • comsvcs.dll
  • Mimikatz
  • PPLdump
  • HandleKatz
  • nanodump
  • safetykatz
  • …
ASR Rules
Attack surface reduction rules (ASR rules) help prevent actions that malware often abuses to compromise devices and networks. ASR can help detect and prevent targeted exploits. By restricting the ways in which attackers can infiltrate a system, ASR provides an additional layer of defense against cyber threats. In the picture below we can see all the ASR rules and their GUIDs:
ASR Rules
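From the defender's side, the first thing worth knowing is whether the LSASS rule is actually enforced on a given host, since an audit-mode or unconfigured rule blocks nothing. The PowerShell below is an added example, not code from the original post; it uses the Lsass rule GUID that appears on this page and the built-in Get-MpPreference / Add-MpPreference cmdlets, and Get-LsassAsrState is a helper name chosen here.

```powershell
# Added example (not from the original post): report the enforcement state of the
# "Block credential stealing from the Windows local security authority subsystem"
# ASR rule and switch it to Block mode if it is not already enforced.
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

# Get-MpPreference reports each rule's action as a number; map it to a name.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-LsassAsrState {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    # Ids and Actions are parallel arrays: the action at index i belongs to the rule at index i.
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $LsassRuleId) {
            $code = [int]$actions[$i]
            if ($ActionNames.ContainsKey($code)) { return $ActionNames[$code] }
            return "Unknown($code)"
        }
    }
    return 'NotConfigured'
}

$state = Get-LsassAsrState
Write-Host "LSASS ASR rule ($LsassRuleId): $state"

if ($state -ne 'Block') {
    # Needs an elevated prompt. Add-MpPreference appends to the existing rule set
    # rather than replacing it, so other rules keep their current actions.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
    Write-Host 'Rule set to Block mode; re-run Get-LsassAsrState to confirm.'
}

# Admin-configured ASR exclusions are separate from the built-in path exclusions
# carried in the signature data; any path listed here is exempt from every rule.
$exclusions = @((Get-MpPreference).AttackSurfaceReductionOnlyExclusions)
Write-Host ("ASR-only exclusions configured: {0}" -f $exclusions.Count)
$exclusions | ForEach-Object { Write-Host "  $_" }
```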
Proof Of Concept
Now that we understand what lsass is and why it is important to attackers, we will look at it from the attacker's side to see how it is exploited and the information extracted. When we try the above techniques, Microsoft Defender flags them as malicious because the ASR rule prevents untrusted processes from having direct access to LSASS memory. The picture below explains the Lsass ASR rule:
Lsass Rule
After understanding the above rule, our goal is to find a process that is trusted for direct access. After searching on the internet, I found an interesting repository on GitHub that contains all the ASR rules:
GitHub – HackingLZ/ExtractedDefender
Then we go to the Lsass rule (9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) page to read the rule. The picture below shows the rule Name, Description and GetMonitoredLocations.
Information
So it works by filtering the handle returned from OpenProcess to remove read access to the process memory, thus preventing its contents from being dumped. At the same time, we found GetPathExclusions, which lists all the processes that are excluded from the rule and therefore keep direct access to the LSASS process.
GetPathExclusions
We can also do this manually. First we need to locate the Defender signature files, which can be found in the following location: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup
In our case, we are primarily interested in the mpasbase.vdm file, which contains signatures, emulation resources, etc. Then we use this tool to extract it:
GitHub – hfiref0x/WDExtract: Extract Windows Defender database from vdm files and unpack it
This gives us an mpasbase.vdm.extracted file. After that, we opened the extracted file in HxD to search for the GUID of the ASR rule we wanted to investigate; in our case we searched for the Lsass rule (9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2):
In the picture below we see all the excluded programs for the Lsass ASR rule:
#Note: It's important to keep in mind that the list of paths you see in the hex dump are not always exclusions. You will need to do some testing, or you can use the above link to the GitHub repository, which includes this already extracted data for you.
After we find and understand what we need, it's time to let one of these processes access Lsass and dump it. But how will this happen? We will use the process hollowing technique.
Process hollowing is commonly performed by creating a process in a suspended state and then unmapping/hollowing its memory, which can then be replaced with malicious code.
You may wonder why we create the process in a suspended state. The idea is to launch a legitimate process, replace its content with malicious code, and then resume it. The picture below is a simple example of the technique:
To achieve this with process hollowing, we will create a program using the Windows APIs below. We will use Lsass dumping shellcode, but encrypted with XOR and decrypted at run time:
Process hollowing
So, first in our case we use CreateProcess to launch the mrt.exe process in a suspended state.
CreateProcess
Then we query the process using ZwQueryInformationProcess.
ZwQueryInformationProcess
After that we read the bytes from the process using ReadProcessMemory.
Now we will copy the shellcode, but first we need shellcode that dumps lsass for us, which we found in this blog:
Shellcode to Dump the Lsass Process
Blog of Osanda
An extra step to evade detection is to XOR-encrypt the above shellcode:
After XORing our shellcode, we copy it into our program and also use the XOR decrypt function to decrypt the shellcode:
Then we write our shellcode using WriteProcessMemory.
And the final step is to resume the thread using ResumeThread.
Now it's time to test our program on a Windows machine with Microsoft Defender (MD) and the ASR rule enabled.
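A detection angle on the chain just described (trusted process started suspended, shellcode written in, thread resumed, handle to LSASS opened): when the hollowed process reaches into lsass.exe, its call stack comes from memory that no loaded module backs, which Sysmon records as UNKNOWN frames in the CallTrace field of Event ID 10 (ProcessAccess). The PowerShell below is an added example, not code from the original post; the event records and the baseline list are constructed, and Test-LsassAccessEvent is a name chosen here.

```powershell
# Added example (not from the original post): flag Sysmon Event ID 10 records in
# which a process opens lsass.exe with memory-read rights from an unbacked call stack
# (the signature of code written into a hollowed process) or from outside a baseline.
$PROCESS_VM_READ = 0x0010   # access bit needed to read another process's memory

function Test-LsassAccessEvent {
    param([hashtable]$Record)
    $flags = @()
    if ($Record.TargetImage -notmatch '\\lsass\.exe$') { return $flags }
    $granted = [Convert]::ToInt32($Record.GrantedAccess, 16)
    if (($granted -band $PROCESS_VM_READ) -eq 0) { return $flags }
    # Frames from memory no module backs: injected code, not the image on disk.
    if ($Record.CallTrace -match 'UNKNOWN') { $flags += 'unbacked-call-stack' }
    # A read handle to LSASS from anything outside the host baseline is notable on its own.
    $baseline = @('C:\Windows\System32\svchost.exe', 'C:\Windows\System32\wininit.exe')  # constructed
    if ($baseline -notcontains $Record.SourceImage) { $flags += 'non-baseline-source' }
    return $flags
}

# Constructed sample events: a benign query handle, and a read handle from a hollowed
# trusted binary whose stack ends in unbacked memory.
$SampleEvents = @(
    @{ SourceImage = 'C:\Windows\System32\svchost.exe'; TargetImage = 'C:\Windows\System32\lsass.exe'
       GrantedAccess = '0x1000'
       CallTrace = 'C:\Windows\SYSTEM32\ntdll.dll+9d4f4|C:\Windows\System32\KERNELBASE.dll+2bc3e' },
    @{ SourceImage = 'C:\Windows\System32\mrt.exe'; TargetImage = 'C:\Windows\System32\lsass.exe'
       GrantedAccess = '0x1FFFFF'
       CallTrace = 'C:\Windows\SYSTEM32\ntdll.dll+9d4f4|UNKNOWN(00000210A3B41C5E)' }
)

foreach ($e in $SampleEvents) {
    $hits = @(Test-LsassAccessEvent -Record $e)
    if ($hits.Count -gt 0) {
        Write-Host ("ALERT {0} -> lsass.exe access {1}: {2}" -f $e.SourceImage, $e.GrantedAccess, ($hits -join ', '))
    }
}

# Live variant: pull today's ProcessAccess events from the Sysmon log and run each
# through the same test (EventData fields are copied into a hashtable first).
# Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Sysmon/Operational'; Id=10; StartTime=(Get-Date).Date } |
#   ForEach-Object { $x = [xml]$_.ToXml(); $h = @{}
#                    $x.Event.EventData.Data | ForEach-Object { $h[$_.Name] = $_.'#text' }
#                    Test-LsassAccessEvent -Record $h }
```

Only the second sample raises an alert (both flags); the svchost.exe record asks for 0x1000 (query rights only) and is ignored, which keeps routine LSASS queries out of the alert stream.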
Demo
In the demos below we tested our program with two techniques:
Locally
Remotely (without touching disk)

Originally published by pwn3dx: Dumping Lsass with trusted processes

Copyright notice: posted by admin on 20 September 2023 at 8:55 AM.
Reprints must credit: Dumping Lsass with trusted processes | CTF导航
