Various LSASS Credentials Dumping Methods Detected by EDR


AhnLab SEcurity intelligence Center (ASEC) has posted the blog article “Account Credentials Theft in Domain Environments Detected by EDR” [1], which discusses threat actors stealing account credentials after taking control of a system in an Active Directory environment. Among the account credential theft methods, this article covers in detail the various techniques for dumping the NT Hash (the hash used by the NTLM authentication protocol) held in the LSASS process memory. Because account credentials are kept in the LSASS process memory, a threat actor can dump that memory and then extract the credentials from the dump. As a result, dumping the LSASS process memory is treated as suspicious behavior by security products, and hacking tools like Mimikatz that rely on such behavior are major detection targets. Threat actors are aware of this detection, so instead of using hacking tools directly they tend to abuse legitimate tools to dump the LSASS process memory. The previous blog post discussed the most common method, Sysinternals’ ProcDump, as an example. However, other tools such as Process Explorer and Task Manager can also be used to bypass a security program’s detection. It is difficult to block all of these attempts completely with just an antivirus product, because the methods and tools also have normal, legitimate uses.

AhnLab EDR (Endpoint Detection and Response) is a next-generation threat detection and response solution, providing powerful threat monitoring, analysis, and response capabilities for the endpoint based on South Korea’s only self-developed behavior-based engine. AhnLab EDR continuously collects information related to suspicious behaviors so that the user can precisely perceive threats from a detection, analysis, and response perspective, identify causes, respond with appropriate measures, and establish processes to prevent threat recurrence.

  1. LSASS Process

NTLM authentication is the authentication method used when a local user logs in, and it is implemented in “msv1_0.dll”. “msv1_0.dll” is loaded into the LSASS process (lsass.exe), where the NT Hash of the password entered at login is compared with the NT Hash stored in the Security Accounts Manager (SAM) for authentication. Therefore, the NT Hash also exists inside the lsass.exe process memory. Because it is a value created through a hash algorithm, the threat actor cannot directly recover the plaintext password from the NT Hash. The threat actor can still use dictionary attack tools to recover the plaintext password, or obtain plaintext passwords directly using Mimikatz features. Even if the plaintext password cannot be obtained, a threat actor who finds the NT Hash of an account that exists on another system can log into that system using the stolen account’s NT Hash. This is called a Pass-the-Hash attack. Since the NTLM protocol can be attacked in this way, lateral movement is not a problem for the threat actor even without knowing the plaintext password.

  2. Mimikatz

Mimikatz is a program with features for extracting account credentials in a Windows OS environment. Mimikatz provides a feature that, with basic commands, dumps the LSASS process memory and then shows the extracted NT Hash. As Mimikatz is an open-source tool published on GitHub and is practical for extracting account credentials, threat actors often use it in attacks.

Figure 1. GitHub page of Mimikatz

Of course, because it is used in so many attacks, most security programs detect it as a major threat. As a result, threat actors use various legitimate tools to dump the LSASS process memory. Such cases are discussed further later in this article.

Figure 2. Detection logs on Mimikatz command – EDR

Mimikatz’s “sekurlsa::logonpasswords” command carries out the entire process of directly dumping the LSASS process memory, extracting the NT Hash from the dumped data, and showing the final output. However, if the “sekurlsa::minidump” command is used as well, the account credentials can be extracted by reading a memory dump file saved on the system, without directly accessing the LSASS process. Therefore, threat actors dump the LSASS process memory using legitimate tools, steal the dump file, and extract the NT Hash with the “sekurlsa::minidump” command in their own environment. This allows them to obtain the account credentials without installing Mimikatz on the target system.

  3. ProcDump

Sysinternals’ ProcDump is a command-line tool that supports dumping the memory of a specific process. Sysinternals now belongs to Microsoft, so ProcDump is a legitimate file signed with Microsoft’s certificate, like other similar files in the Windows OS. As covered numerous times in past ASEC Blog articles, ProcDump is a tool regularly used by attackers to dump LSASS process memory. The following figure shows the AhnLab EDR screen for this account credential theft process: the memory dump is created with ProcDump, and the resulting dump file is then processed with Mimikatz to steal the account credentials.

Figure 3. Detection log on suspicious ProcDump execution – EDR

AhnLab EDR detects the dumping of LSASS process memory by the legitimate Sysinternals ProcDump program as a threat, allowing the administrator to be aware of it, identify the cause, and respond with appropriate measures.

  4. Process Explorer

Process Explorer is also a tool developed by Sysinternals. As its name suggests, it shows the list of running processes, looks up process information, controls processes, and provides various other features. One thing to note is that Process Explorer also includes a feature for dumping the memory of a specific process. As a result, LSASS process memory can be dumped with it as well, and attackers abuse Process Explorer to extract account credentials.

Figure 4. Memory dumping feature supported by Process Explorer

AhnLab EDR detects the dumping of LSASS process memory by the legitimate Sysinternals Process Explorer program as a threat, allowing the administrator to be aware of it, identify the cause, and respond with appropriate measures.

Figure 5. Detection log on the Process Explorer’s LSASS process memory dump – EDR 

  5. Task Manager

Although ProcDump and Process Explorer are both legitimate files signed with Microsoft’s certificate, they are not tools provided by default in the Windows OS. If tools installed by default in the Windows OS environment are used, account credentials can be extracted without any suspicious activity such as bringing in additional tools from outside. Windows OS provides the Task Manager (taskmgr.exe) tool by default. Like Process Explorer, it provides features such as looking up and controlling running processes. It also shows installed services, startup programs, user information, and various other things. One thing to note about Task Manager is that it also provides a feature for creating a memory dump of a running process. For example, if an LSASS process memory dump is created as shown below, a dump file named “lsass.DMP” is created in the “%TEMP%” path.

Figure 6. LSASS process memory dump using the Task Manager

AhnLab EDR detects the dumping of LSASS process memory by the Task Manager, which is provided by default in the Windows OS, as a threat, allowing the administrator to be aware of it, identify the cause, and respond with appropriate measures.

Figure 7. Detection log on the Task Manager’s LSASS process memory dump – EDR 

  6. Comsvcs.dll

“comsvcs.dll” is a DLL file responsible for COM+ service features, and it is one of the system files installed by default in the Windows environment. One thing to note about “comsvcs.dll” is that it exports the “MiniDump” function, which supports dumping the memory of a specific process. Therefore, it can also be used to dump LSASS process memory.

Figure 8. Export functions of comsvcs.dll

“Comsvcs.dll” is a DLL file, so the rundll32.exe process is typically used to execute it. Additionally, dumping LSASS process memory requires the debug privilege SeDebugPrivilege. However, this privilege can easily be enabled when running with administrator privileges. AhnLab EDR detects memory dumps made through “comsvcs.dll”, which is provided by default in the Windows OS, as a threat, allowing the administrator to be aware of it, identify the cause, and respond with appropriate measures.

Figure 9. Detection log on the comsvcs.dll LSASS process memory dump – EDR 
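The four tools above (ProcDump, Process Explorer, Task Manager, rundll32 with comsvcs.dll) differ in name and signature but all have to open lsass.exe with the same rights before they can write a minidump. As an added example that is not from the original article or AhnLab’s product, the following Python sketch shows a behavior-based check built on that common step: it parses process-access telemetry (Sysmon Event ID 10 style records, constructed here) and flags handles to lsass.exe that carry the PROCESS_VM_READ and PROCESS_QUERY_INFORMATION rights a dump needs, regardless of which tool asked. The record format, the allowlist and the sample access masks are assumptions.

```python
import re
from dataclasses import dataclass

# Rights a minidump of another process needs on its handle (Windows PROCESS_* constants).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
DUMP_ACCESS = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION

# Assumed site baseline of processes that legitimately open lsass.exe; keep it short,
# because a broad allowlist is how dumps slip through.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

@dataclass
class ProcessAccess:
    source_image: str
    target_image: str
    granted_access: int

def parse_event(line: str) -> ProcessAccess:
    """Parse one constructed 'Key=Value|Key=Value' record (Sysmon Event ID 10 style)."""
    fields = dict(re.findall(r"(\w+)=([^|]+)", line))
    return ProcessAccess(
        source_image=fields["SourceImage"].strip(),
        target_image=fields["TargetImage"].strip(),
        granted_access=int(fields["GrantedAccess"], 16),
    )

def is_lsass_dump_attempt(ev: ProcessAccess) -> bool:
    """True when a handle to lsass.exe carries dump-capable rights, whichever tool
    (ProcDump, Process Explorer, Task Manager, rundll32) requested it."""
    if not ev.target_image.lower().endswith(r"\lsass.exe"):
        return False
    if ev.source_image.lower() in ALLOWED_SOURCES:
        return False
    return (ev.granted_access & DUMP_ACCESS) == DUMP_ACCESS

# Constructed sample telemetry: paths and access masks are illustrative, not from a real host.
SAMPLE_EVENTS = [
    r"SourceImage=C:\Tools\procdump64.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF",
    r"SourceImage=C:\Windows\System32\Taskmgr.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1410",
    r"SourceImage=C:\Windows\System32\rundll32.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF",
    r"SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF",
    r"SourceImage=C:\Program Files\App\app.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1000",
    r"SourceImage=C:\Tools\procdump64.exe|TargetImage=C:\Windows\System32\svchost.exe|GrantedAccess=0x1FFFFF",
]

def flagged_sources(lines=SAMPLE_EVENTS) -> list[str]:
    """Source images of every event that looks like an LSASS memory dump."""
    return [ev.source_image for ev in map(parse_event, lines) if is_lsass_dump_attempt(ev)]
```

The three dumping tools are flagged while the allowlisted system process, the low-rights handle and the dump of a process other than lsass.exe are not, which is the distinction an access-based rule gives over a tool-name blocklist.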

  7. Conclusion

Attackers who target systems belonging to a specific network are likely looking to take over the entire network, not just the target system. To do so, they ultimately need to move laterally to the management server and other major systems. Account credentials are the information needed for such lateral movement attacks. Attackers typically use poorly managed information or extract account credentials using hacking tools like Mimikatz. The most widely used method of stealing account credentials is to dump LSASS process memory and extract the NT Hash from it. However, using hacking tools to dump LSASS process memory is easily detected by security tools. Because of this, attackers abuse legitimate tools to dump LSASS process memory instead. When legitimate tools are used like this to bypass the detection of security products, there is a limit to how well such activities can be detected and blocked with just an antivirus product. AhnLab EDR detects the account credential theft techniques that attackers who have already taken over a specific system use to eventually dominate the entire domain. It allows the administrator to be aware of them, identify causes, and respond with appropriate measures.

Behavior Detection
– Execution/EDR.Mimikatz.M11444
– Execution/EDR.Behavior.M10484
– CredentialAccess/EDR.ProcExp.M11597
– CredentialAccess/EDR.Event.M11566
– CredentialAccess/EDR.Comsvcs.M11596
