FalconFriday — Detecting LSASS dumping with debug privileges — 0xFF1F


As you know, there are various ways of dumping credentials. On the endpoint, in most cases, credentials are gathered from the Local Security Authority Subsystem Service (LSASS).

Dumping credentials from the LSASS process can be done in various ways. The most straightforward way is using the Win32 API MiniDumpWriteDump. However, since this method is detected by almost every AV/EDR, we’re going to look at something a bit more advanced.

The MiniDumpWriteDump function is essentially a wrapper around reading memory from another process and writing it in the minidump format. Since the format is public, we can also get the same output by implementing this dumping functionality ourselves. One of the tools that reimplements MiniDumpWriteDump (along with many other features) is Nanodump, created by HelpSystems. Since this tool implements many different credential dumping methods, I strongly encourage you to start experimenting with it against your EDR and detection rules. In our experience, quite a lot of these credential dumping variations were not alerted on by EDRs. However, in most cases they can be detected by writing custom detections.

Most of the variations rely on a handle on the process, so that would be an interesting starting point.
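As an added example (not from the original post or the FalconFriday repository), the following sketch flags handle opens on lsass.exe whose access mask permits reading process memory. It assumes events shaped like Sysmon Event ID 10 (ProcessAccess); the sample events and the allowlisted agent path are constructed.

```python
# Added example: flag handles opened on lsass.exe that allow memory reads.
# Field names follow Sysmon Event ID 10 (ProcessAccess).

# Windows process access rights relevant for triage.
RIGHTS = {
    0x0010: "PROCESS_VM_READ",                    # needed to read target memory
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_VM_READ = 0x0010

# Hypothetical allowlist of expected security tooling (assumption, tune locally).
ALLOWLIST = {r"c:\program files\exampleedr\agent.exe"}

# Constructed sample events, not real telemetry.
EVENTS = [
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Users\bob\AppData\Local\Temp\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Program Files\ExampleEDR\agent.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"SourceImage": r"C:\Users\bob\AppData\Local\Temp\tool.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff"},
]

def decode_rights(mask):
    """Return the names of the known access rights set in the mask."""
    return [name for bit, name in RIGHTS.items() if mask & bit]

def detect_lsass_read_handles(events, allowlist=ALLOWLIST):
    """Return (source, mask, rights) for non-allowlisted readers of lsass.exe."""
    hits = []
    for ev in events:
        if not ev["TargetImage"].lower().endswith("\\lsass.exe"):
            continue  # only handles opened on LSASS are of interest
        if ev["SourceImage"].lower() in allowlist:
            continue  # expected tooling
        mask = int(ev["GrantedAccess"], 16)
        if mask & PROCESS_VM_READ:
            hits.append((ev["SourceImage"], ev["GrantedAccess"], decode_rights(mask)))
    return hits

if __name__ == "__main__":
    for source, mask, rights in detect_lsass_read_handles(EVENTS):
        print(f"ALERT {source} opened lsass.exe with {mask}: {', '.join(rights)}")
```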

This is a cross-post from medium.com; please read the full article here:

https://medium.com/falconforce/falconfriday-detecting-lsass-dumping-with-debug-privileges-0xff1f-328fdb78f5be

Direct link to our GitHub page:

https://github.com/FalconForceTeam/FalconFriday