OS Credential Dumping: LSASS Memory

Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material.

As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.

For example, on the target host use procdump:

  • procdump -ma lsass.exe lsass_dump

Locally, mimikatz can be run using:

  • sekurlsa::Minidump lsassdump.dmp
  • sekurlsa::logonPasswords

Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.[1]

The following SSPs can be used to access credentials:

  • Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
  • Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.[2]
  • Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
  • CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.[2]
ID: T1003.001
Sub-technique of:  T1003
Tactic: Credential Access
Platforms: Windows
Permissions Required: Administrator, SYSTEM
Data Sources: PowerShell logs, Process command-line parameters, Process monitoring
Contributors: Ed Williams, Trustwave, SpiderLabs
Version: 1.0
Created: 11 February 2020
Last Modified: 09 June 2020

Procedure Examples

Name Description
APT1

APT1 has been known to use credential dumping using Mimikatz.[9]

APT28

APT28 regularly deploys both publicly available (ex: Mimikatz) and custom password retrieval tools on victims.[41][42]

APT3

APT3 has used a tool to dump credentials by injecting itself into lsass.exe and triggering with the argument "dig."[38]

APT32

APT32 used Mimikatz and customized versions of Windows Credential Dumper to harvest credentials.[49][50]

APT33

APT33 has used a variety of publicly available tools like LaZagne, Mimikatz, and ProcDump to dump credentials.[53][54]

APT39

APT39 has used Mimikatz, Windows Credential Editor and ProcDump to dump credentials. [52]

APT41

APT41 used the Windows Credential Editor to dump password hashes from memory and authenticate to other user accounts.[57]

Blue Mockingbird

Blue Mockingbird has used Mimikatz to retrieve credentials from LSASS memory.[62]

BRONZE BUTLER

BRONZE BUTLER has used various tools (such as Mimikatz and WCE) to perform credential dumping.[37]

Cleaver

Cleaver has been known to dump credentials using Mimikatz and Windows Credential Editor.[21]

CozyCar

CozyCar has executed Mimikatz to harvest stored credentials from the victim and further victim penetration.[28]

Daserf

Daserf leverages Mimikatz and Windows Credential Editor to steal credentials.[22]

Emotet

Emotet has been observed dropping password grabber modules including Mimikatz. [25]

Empire

Empire contains an implementation of Mimikatz to gather credentials from memory.[16]

FIN6

FIN6 has used Windows Credential Editor for credential dumping.[47][48]

FIN8

FIN8 harvests credentials using Invoke-Mimikatz or Windows Credentials Editor (WCE).[40]

GreyEnergy

GreyEnergy has a module for Mimikatz to collect Windows credentials from the victim’s machine.[23]

Impacket

SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information.[18]

Ke3chang

Ke3chang has dumped credentials, including by using Mimikatz.[34][35]

LaZagne

LaZagne can perform credential dumping from memory to obtain account and password information.[8]

Lazarus Group

Lazarus Group leveraged Mimikatz to extract Windows Credentials of currently logged-in users and steals passwords stored in browsers.[39]

Leafminer

Leafminer used several tools for retrieving login and password information, including LaZagne and Mimikatz.[31]

Leviathan

Leviathan has used publicly available tools to dump password hashes, including ProcDump and WCE. [58]

Lslsass

Lslsass can dump active logon session password hashes from the lsass process.[9]

Magic Hound

Magic Hound stole domain credentials from Microsoft Active Directory Domain Controller and leveraged Mimikatz.[45]

Mimikatz

Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the LSASS Memory.[12][13][14][15]

MuddyWater

MuddyWater has performed credential dumping with Mimikatz.[32][33]

Net Crawler

Net Crawler uses credential dumpers such as Mimikatz and Windows Credential Editor to extract cached credentials from Windows systems.[21]

NotPetya

NotPetya contains a modified version of Mimikatz to help gather credentials that are later used for lateral movement.[26][27][15]

OilRig

OilRig has used credential dumping tools such as Mimikatz to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[43][44][45][46]

Okrum

Okrum was seen using MimikatzLite to perform credential dumping.[30]

Olympic Destroyer

Olympic Destroyer contains a module that tries to obtain credentials from LSASS, similar to Mimikatz. These credentials are used with PsExec and Windows Management Instrumentation to help the malware propagate itself across a network.[24]

PLATINUM

PLATINUM has used keyloggers that are also capable of dumping credentials.[36]

PoetRAT

PoetRAT used voStro.exe, a compiled pypykatz (Python version of Mimikatz), to steal credentials.[29]

PoshC2

PoshC2 contains an implementation of Mimikatz to gather credentials from memory.[17]

PowerSploit

PowerSploit contains a collection of Exfiltration modules that can harvest credentials using Mimikatz.[19][20]

Pupy

Pupy can execute Lazagne as well as Mimikatz using PowerShell.[10]

Sandworm Team

Sandworm Team's plainpwd tool is a modified version of Mimikatz and dumps Windows credentials from system memory.[64][65]

Silence

Silence has used the Farse6.1 utility (based on Mimikatz) to extract credentials from lsass.exe.[61]

Soft Cell

Soft Cell used a modified version of Mimikatz along with a PowerShell-based Mimikatz to dump credentials on the victim machines.[56]

Stolen Pencil

Stolen Pencil gathers credentials using Mimikatz and Procdump. [51]

TEMP.Veles

TEMP.Veles has used Mimikatz and a custom tool, SecHack, to harvest credentials. [55]

Threat Group-3390

Threat Group-3390 actors have used a modified version of Mimikatz called Wrapikatz to dump credentials. They have also dumped credentials from domain controllers.[59][60]

Whitefly

Whitefly has used Mimikatz to obtain credentials.[63]

Windows Credential Editor

Windows Credential Editor can dump credentials.[11]

Mitigations

Mitigation Description
Credential Access Protection

With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. It also does not protect against all forms of credential dumping.[3][4]

Operating System Configuration

Consider disabling or restricting NTLM.[6] Consider disabling WDigest authentication.[7]

Password Policies

Ensure that local administrator accounts have complex, unique passwords across all systems on the network.

Privileged Account Management

Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.

Privileged Process Integrity

On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA.[5]

User Training

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

Detection

Monitor for unexpected processes interacting with LSASS.exe.[66] Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity.

On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.

Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,[67] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.

References

  1. Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017.
  2. Wilson, B. (2016, April 18). The Importance of KB2871997 and KB2928120 for Credential Protection. Retrieved April 11, 2018.
  3. Lich, B. (2016, May 31). Protect derived domain credentials with Credential Guard. Retrieved June 1, 2016.
  4. NSA IAD. (2017, April 20). Secure Host Baseline - Credential Guard. Retrieved April 25, 2017.
  5. Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved February 13, 2015.
  6. Microsoft. (2012, November 29). Using security policies to restrict NTLM traffic. Retrieved December 4, 2017.
  7. Microsoft. (2014, May 13). Microsoft Security Advisory: Update to improve credentials protection and management. Retrieved June 8, 2020.
  8. Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.
  9. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  10. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  11. Amplia Security. (n.d.). Windows Credentials Editor (WCE) F.A.Q.. Retrieved December 17, 2015.
  12. Deply, B. (n.d.). Mimikatz. Retrieved September 29, 2015.
  13. Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved August 7, 2017.
  14. Grafnetter, M. (2015, October 26). Retrieving DPAPI Backup Keys from Active Directory. Retrieved December 19, 2017.
  15. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  16. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  17. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  18. SecureAuth. (n.d.). Retrieved January 15, 2019.
  19. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  20. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  21. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  22. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
  23. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  24. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
  25. Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019.
  26. Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
  27. US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.
  28. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  29. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  30. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  31. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  32. Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
  33. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  34. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  1. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
  2. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  3. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  4. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  5. Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.
  6. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  7. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  8. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  9. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  10. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  11. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
  12. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
  13. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  14. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  15. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  16. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  17. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
  18. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  19. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  20. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  21. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  22. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  23. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  24. Plan, F., et all. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019.
  25. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  26. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  27. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  28. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
  29. Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020.
  30. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  31. Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020.
  32. French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.
  33. PowerSploit. (n.d.). Retrieved December 4, 2014.