
Thank you so much. Robert Wilson; I'm the director of security operations and incident response for what I now have to call U of SC. We're not allowed to call ourselves USC anymore, so that's a whole big question that we can talk about afterwards. So, right up the road, up Interstate 20. Today I'm going to talk about LSASS, but first I wanted to tie this back to the MITRE ATT&CK framework, just because any time I give one of these talks I want to see what people know and whether or not they've heard about the MITRE ATT&CK framework. I think we're far enough along since it's been released that almost everyone does, but if there's anyone that's a student or is switching into cyber security or whatever, tying things back to the MITRE ATT&CK framework allows us to work with a common taxonomy for tactics and techniques. It allows, well, my friend Kenny from BreachQuest is here, so I can go and talk to Kenny about credential dumping and we'll all be talking about the same thing. The specific technique and sub-technique that I'm going to talk about today is dumping LSASS memory.

I have to talk about Windows a little bit, because this sub-technique that we're going to talk about, LSASS, is a Windows problem. So I'm going to tell you right off the bat: LSASS is way more complex than something like Linux, where you have /etc/passwd and /etc/shadow separated from each other. LSASS is a huge set of modules that do a bunch of different things, and protecting Windows is not easy at all. If you didn't come into this from being a system administrator, which I know a lot of people did, Windows is complex. I've actually spoken here a couple of previous times about the Windows Firewall and doing some event forwarding stuff. Windows has a lot of technologies that people might not be familiar with, but it also has a huge attack surface and it's used pretty much everywhere, so almost everyone, if you're doing security stuff, is going to run into protecting Windows.

One of the issues with it is that it's built for compatibility, so a lot of the things that I'm going to talk about are not turned on by default, and Microsoft isn't going to help you unless you buy a certain license, which we'll talk about also. The other thing is, the general this morning was talking about protecting 1.4 million endpoints, a combination of whatever it is, Linux, Windows, all that kind of stuff. Most organizations are not going to have 1.4 million endpoints. My sister works at a law office in Camden; they have five machines, all Windows computers. They have no idea what LSASS is, and none of the things that I'm going to talk about are turned on in their environment, I can almost guarantee you. So if you do consulting work, or you work for an MSSP, or you're in an organization and you get into doing security architecture, LSASS is one of the most important things that you need to know, and to think about how you can detect activities that happen against it, and then how you can turn on some preventive controls.

Windows, you know... Apple is a hardware company, and they can say, all right, we're not going to support this anymore, and it's gone. Microsoft almost never does that, so a lot of this technology is actually remnants of NT 3.51 all the way to whatever it is now, 27 years later. LSASS itself is part of the Local Security Authority, and the lsass process mostly runs in user mode. I'm not going to read all these things, but LSASS can be thought of as basically a treasure chest that's running on your endpoint. Let me be specific that I'm going to talk about this from an endpoint perspective, meaning a workstation perspective, and not a domain controller. So on your Windows endpoint, your machine at home if you run Windows, LSASS has access to all of these authentication providers. Kerberos tickets are going to be in there, hashes, passwords if you haven't turned off WDigest; all that stuff is going to be in there. That thing is the treasure chest for credentials. That is the thing where, if someone gets access to your machine and they want to get credentials to do something like lateral movement, LSASS is the thing that they want to hit. So at a certain point in the kill chain, one of the things that you might want to do is grab credentials and then pivot using a credential that you've gotten from a machine. In a domain environment, for an LSASS attack you want somebody to have logged in as a domain admin to a workstation; you dump LSASS memory, run some kind of tool, get credentials, and then make a lateral move.

Any time you talk about Windows, especially having to do with authentication, you have to mention, and I probably don't know how to pronounce his last name because I'm Southern, I think it's Syfuhs, Steve Syfuhs, who works for Microsoft and has for a long time. On Twitter sometimes someone will ask him a question like "how does Kerberos work?" and he will go on a 30 to 40 tweet thread about the history of why Microsoft picked Kerberos for authentication, and go back to how things got included in Windows 2000, all that kind of stuff. So if you're on Twitter, which I strongly recommend you are if you're doing security stuff, Steve Syfuhs is someone to follow.

So why is it that we care about LSASS, in addition to the fact that it stores credentials? There is a French gentleman who wrote a tool several years ago in order to learn C, was his stated reason, so he learned a lot about Win32 APIs, the C language, all that kind of stuff, and wrote Mimikatz. If you're in the SANS world, I guarantee you that you've run across this in 504. Mimikatz has been around a long time. Mimikatz has the capability of reading LSASS dump files. Is there anyone in here who does not know that you can dump memory from processes? Is that a pretty normal thing for y'all, or is there anyone that's never heard of that concept? Okay, all right. Even if you don't feel comfortable admitting it, I didn't know about that 10 years ago or whatever. So Mimikatz can read in those dump files. This specific attack technique that we're talking about is: use some thing, and I'll give a couple of examples, to dump the memory of the lsass process, and read it into Mimikatz in order to get credentials. And then there's the other way to do it, which is basically to get direct process access to LSASS, but that hopefully would get caught faster.

So Mimikatz, as I said; Volatility, which is used for forensics purposes normally, but you could also use it in this case to get credentials. People are constantly writing new iterations of tools to do these attacks to get around signature-based and behavioral-based detections. There's a lot of them that are written in .NET right now. There's some PowerShell stuff that you can do in order to dump it. It's extremely easy if you have administrative rights to a Windows computer: you go into Task Manager and you can create a process dump for lsass. You can also run Sysinternals ProcDump and drop the RAM out, sorry, not the RAM, the memory from the process. There's also some fairly unique things that came out a few years ago: there's a DLL, comsvcs.dll, where you can use rundll32 to run comsvcs, which makes a Win32 API call to MiniDump, which will allow you to dump RAM. I can tell you that there's a lot of AV tools that still won't catch that. But the general principle is you need to get the live memory out of the lsass process; that's where the stuff is going to be that you want if you want to steal their credentials.

I thought that I would also quickly mention the concept of a malicious password filter. This is a domain attack and it has a different MITRE ID; it's MITRE T1556.002, which is specifically just for a malicious password filter. In an Active Directory domain you can have a password filter, which is a DLL that gets loaded that will check to see whether or not the passwords that your users are changing are on some kind of bad list. As an example, we would put "gamecocks" as something that somebody should never be able to put as their password, because it's too easy to figure out that somebody that goes to USC would have "gamecocks" as the password. We also might put "tigers", or, you know, "wildcats", since we got beaten by Kentucky horribly last week. But in general, if you can create a malicious password filter, it would basically write everything off somewhere else. So I change my password to "goclemson" and it writes it off to a file somewhere. That would be used for stealth. A ransomware attacker wouldn't use a malicious password filter; somebody that by design wants to stay on the network a long time would use something like that.

All right, so this is the most interesting current one to me. In Windows 7 there's a new global flag that was added that's called silent process exit. When a process in Windows exits, there's a flag that can be hooked to do a choice of three different things: it can be used to launch a process, it can do a minidump, or it can pop up some kind of notification. It seems like the first people that were investigating this were using it for persistence: you get your evil code on the machine, you kill the process, and then for persistence purposes, at that process's death a new process gets started. That's the "launch monitor process" thing. In our case, what you would do is you would set lsass to minidump to a file on process exit. The reason that you would want to do something like that is primarily to get around detection, because your process isn't calling anything into lsass to cause it to dump memory; it's doing it itself. So in that scenario you would want to look for LSASS dump files. That seems to be the current, quote-unquote, cool one, and there's a company called Deep Instinct, some researchers at Deep Instinct, who have an excellent Medium article, I believe, or maybe it's on their website. If you just look up "Deep Instinct LSASS dump", they talk about using silent process exit for an attack.

All right, so remember at the beginning I said Microsoft doesn't do any of this stuff for you. They have written a lot of stuff into the OS, but none of it is turned on until you start messing with it, with the exception of the WDigest thing. WDigest, we don't need to get into too much detail, but it's an older way of doing things; everything's plain text in memory, all that kind of stuff. If you use things like the CIS secure configuration baselines or STIGs or whatever, there are going to be things in there about debug rights. That kind of stuff is for defense in depth, and to me one of the interesting things is: why does the CIS benchmark say that only administrators should have debug rights, when the vast majority of the time you don't necessarily need that either? Somebody that has admin rights is probably going to be able to do privilege escalation to SYSTEM anyway, so don't even let administrators do debug. However, you should obviously test that in your environment.

This gets back to my sister's lawyer's office also: they have no idea what RunAsPPL is, and there's a lot of people that don't know this, even Windows admins. And your Windows admin, system administrator, help desk people: that is actually the first security step in all of this Windows stuff. A competent Windows administrator is worth tons of people on our side doing detection, because if that's done properly, then the investment is there and we in the SOC don't have to do as much, theoretically. But half of them that I've talked to don't know what RunAsPPL is. It was introduced in Vista, and it's "run as protected process light". You can look up the MSDN article about what exactly the different protection levels are, but one of them specifically has to do with LSASS, and there's a registry key that is not on by default that you turn on. All it is is RunAsPPL = 1, and what that does is basically stop certain DLLs from being able to load into LSASS, stopping process injection. However, if you do something like run Duo, and you have old DLLs or any kind of third-party authentication that you hook into Windows, it has to be Windows-qualified, and if you try and do old stuff, it'll bomb. So it has to be tested.

Credential Guard was something that was introduced in Windows 10, which primarily, well, only works with domain accounts. It is one of these things that Microsoft has come out with in the last six or seven years that use virtualization in order to protect something, so there's Application Guard, Device Guard, Credential Guard, some other kind of Guard, I'm sure. Credential Guard abstracts out LSASS into an isolated container where only certain activities can happen and you can't directly read it. However, there is a Mimikatz driver that can do some of this kind of stuff, so you have to be really careful. All of these controls are additive, and you have to test them in your environment and all that kind of stuff. The main thing that I want you all to do is to know that this stuff is there, because there's a lot of people that just have no idea, or if you come across this in something like the secure configuration baseline documents: this is why you don't want processes to be able to inject into LSASS, because of the stuff that's stored in LSASS's memory.

There's another thing, which gets to what I was talking about: Microsoft will do more for you if you pay. They're a services company in addition to being a software company. So in the E3 licensing, E3, A3, G3 and above for M365, you get some additional what are called attack surface reduction rules, ASR. One of them is "don't let bad stuff happen to LSASS"; I don't remember what the exact name is, but that's basically what it comes down to: only allow certain Microsoft-vetted DLLs and processes to connect to LSASS. Obviously this has to be tested, which is a repeated thing, but if you don't pay you get no management tools in order to test all this stuff. So you can turn it on in audit mode and it'll write out and say ubc.dll connected to LSASS, duo-dot-blah-blah-blah.dll connected to LSASS, and then you can turn it on and it'll block it if it doesn't meet Microsoft's specification: you know, it has to be signed, go through the driver quality thing with Microsoft, all that kind of stuff. But if you don't pay, you have to do it through Group Policy and the registry, and it's not pretty. There's a big debate amongst people that do Microsoft stuff about when they're going to start taking some of these security technologies and moving them down into the lower licensing levels, and I think it's unfortunate, but it's because they can make money off of them, partially because they're a services company.

All right, so for detection purposes: if you run Mimikatz and you haven't turned off Defender, or even if you're using Symantec or whatever, it's probably going to get caught. So don't get in the habit of turning off AV; it's the layered defense thing, all that kind of stuff. If you're not familiar with Sysmon, you need to know what it is, even if you don't use it, because the concept is becoming like the MITRE framework: if I talk to somebody, I expect them to know what Sysmon is if they're a defender, because it's becoming standard. Mark Russinovich, they're working on a version for Linux which maybe is going to replace some of the stuff in auditd and all that kind of stuff. Microsoft, since they bought Sysinternals whenever it was, is putting a lot of investment into this kind of stuff. And actually, if you have the good fortune of running E5 or A5 or G5 or whatever and you run Defender for Endpoint, what used to be called Defender ATP, all of that telemetry is coming kind of from Sysmon. So the stuff that you're going to be looking for is Event ID 10 in Sysmon, but we don't have enough time to get into all the details about that. Basically you want to look for something injecting itself into LSASS to do something. If you have the money to run EDR, that's a good way to do detections, obviously, but things have to be tweaked.

One of the things that I've been talking about is how you have to test things and come back to it, so I would be remiss if I didn't mention DetectionLab. There's a gentleman named Chris Long, whose Twitter handle is Centurion, who has a set of VMs that can be created with Vagrant and Packer, and I think there's Terraform for doing it in AWS and maybe some Azure stuff. It sets up a domain, sets up Splunk, Sysmon, a couple of clients, and you can test all the stuff. It comes with Atomic Red Team, so, if there are Red Canary people here, and I know there are today, Atomic Red Team is an awesome way to test this kind of stuff.

One of the things also is to start thinking about maturity, and how you move from "I don't know anything about this stuff at all" to moving up a maturity scale, or whatever you want to call it, where what you're really doing is determining what is normal for my environment and what isn't normal. One of the things that has to be based off of is iteration. These techniques change over time, and, to go back to the debug rights, RunAsPPL, all that, those are never going to go away, probably. However, new techniques come out, new tools get turned on from Microsoft's perspective. So, I'm not a GRC person at all, but if you have GRC kind of people, they need to put this in the rotation of stuff: we need to come back every year and run Atomic Red Team and see if there are new tests for dumping LSASS, something like that.

One of my pet peeves is the thought that these kinds of things can be like a light switch, you know, "LSASS is protected now." You can't do that with basically anything. All of these have to go into iterations, which also allows you to move toward underlying principles, which is one of the things that the MITRE ATT&CK framework helps with. The underlying principle here is that LSASS memory is going to get dumped, and at a certain point, does it matter what technique somebody uses in order to dump LSASS memory, or is the fact that they're dumping the memory the important thing? So people write, I don't know, there's one called SharpDumper, I think, which is written in C#, so you could recompile it every day, new hash, etc. Something that's looking for the hash of Mimikatz or whatever won't catch it. However, if it's going to dump, it has to talk to LSASS, it has to get the memory out of there, and the memory has to go somewhere. That's what I'm talking about with underlying principles: the registry key to do the silent process exit still has to dump the memory; SharpDumper still has to dump memory, Win32 API, all that kind of stuff. And, you know, why people are trying to get this is because they want to do lateral movement, so you also want to use preventive controls like LAPS, if you're not familiar with that, to randomize the local admin passwords on all your machines. Jason Fossen, who's a SANS instructor, or SANS fellow, or whatever level he's at, has some awesome PowerShell scripts to do that also.

However, there was a discussion, I believe on Tuesday, on Twitter, where Florian Roth, who is one of the inventors of Sigma, which you all should also know about, said: just because you're going to detect the method doesn't mean that you have to stop detecting tools. Detecting netcat by hash is much faster than detecting an arbitrary port that gets created; like, how in the world are you going to figure out what created an arbitrary port unless you're doing OSSEC or something and looking for new ports listening and all that kind of stuff? So unfortunately, even if you're getting toward detecting the method, detecting tools is faster, and a lot of these things are known. So our jobs, unfortunately, are not easy, and as I said, there's no light switch that you can flip; it's a process, an iterative process.

I know that that was a lot, because we had to get all this done in a very short period of time, so I wanted to give you quite a number of Twitter accounts that you can follow. Clément Labro has written the best thing that I've ever seen about Protected Process Light, where he goes into how you can actually get around it in user mode without having admin rights. There's a bunch of cool stuff. The Red Canary Threat Detection Report will go into where this technique is, and the DBIR, where this technique is in the top 10, all that kind of stuff. Unfortunately, people need credentials, so even if this is not in the top 10, it's never going away and it gets abused all the time.

All right, so my contact stuff's down at the bottom: fr columba on Twitter and infosec episeicy.org. So I have two minutes, a minute, something like that. I will ask a question and then y'all can ask me maybe one question, and Captain Marvel here will take this to whoever can answer this question. So, in what version of Windows was Protected Process Light introduced? Yes, yep, Vista. All right, so that's an Alfa adapter, I think, a Wi-Fi adapter, which would be cool. All right, so does anyone have any questions in the 30 seconds or so that I have? I will say it doesn't appear that there are any USC students in here, but if there are, please talk to me, because our SOC is run by students, and if I don't know you and you go to USC, I would like to meet you. So I'll be outside.
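As an added example, not part of the talk or the speaker's material: a PowerShell audit script for one workstation that checks the controls the talk lists (RunAsPPL, WDigest, a silent-process-exit hook on lsass.exe, Credential Guard, the LSASS ASR rule, who holds SeDebugPrivilege) and then pulls Sysmon Event ID 10 records where something opened lsass.exe with read access. The registry paths, the gflags values (GlobalFlag 0x200, ReportingMode 2 = local dump) and the ASR rule GUID are the ones Microsoft documents; the 0x10 (PROCESS_VM_READ) mask used to flag a record and the 2000-event window are my assumptions. Sysmon writes Event 10 only if its configuration has a ProcessAccess rule, so an empty table can mean "no rule" rather than "no access".

```powershell
# Added example, not from the talk. Audit LSASS-related controls on this host and
# list Sysmon Event ID 10 (ProcessAccess) records that target lsass.exe.
# Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

$findings = [ordered]@{}

# 1. RunAsPPL: run LSASS as Protected Process Light (the registry key from the talk).
$ppl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
$findings['RunAsPPL'] = if ($ppl -ge 1) { "enabled ($ppl)" } else { 'NOT enabled (default)' }

# 2. WDigest: UseLogonCredential=1 keeps plaintext passwords in LSASS memory.
$wd = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
$findings['WDigest UseLogonCredential'] = switch ($wd) {
    1       { 'ENABLED: plaintext credentials cached' }
    0       { 'disabled' }
    default { 'absent (off by default on Windows 8.1 / 2012 R2 and later)' }
}

# 3. Silent process exit hooked on lsass.exe: the dump-on-exit technique.
#    GlobalFlag 0x200 = FLG_MONITOR_SILENT_PROCESS_EXIT; ReportingMode 2 = local dump.
$ifeo  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe'
$spe   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe'
$gflag = Get-RegValue $ifeo 'GlobalFlag'
$mode  = Get-RegValue $spe  'ReportingMode'
if (($gflag -band 0x200) -or $mode) {
    $findings['SilentProcessExit on lsass.exe'] = 'SUSPICIOUS: GlobalFlag=0x{0:x} ReportingMode={1} DumpFolder={2}' -f `
        ([int]$gflag), $mode, (Get-RegValue $spe 'LocalDumpFolder')
} else {
    $findings['SilentProcessExit on lsass.exe'] = 'not configured'
}

# 4. Credential Guard: SecurityServicesRunning contains 1 when it is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$findings['Credential Guard'] = if ($dg -and ($dg.SecurityServicesRunning -contains 1)) { 'running' } else { 'not running' }

# 5. ASR rule "Block credential stealing from the Windows local security authority subsystem".
#    Action codes: 1 = block, 2 = audit, 6 = warn, 0 = off.
$asrId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
$mp    = Get-MpPreference -ErrorAction SilentlyContinue
$ids   = @($mp.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
$idx   = [array]::IndexOf($ids, $asrId)
$findings['ASR LSASS rule'] = if ($idx -ge 0) {
    switch (@($mp.AttackSurfaceReductionRules_Actions)[$idx]) { 1 {'block'} 2 {'audit'} 6 {'warn'} default {'off'} }
} else { 'not configured' }

# 6. Who is granted "Debug programs" (SeDebugPrivilege) by local policy.
$cfg = Join-Path $env:TEMP 'secpol_audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$dbg = Select-String -Path $cfg -Pattern '^SeDebugPrivilege' | ForEach-Object { $_.Line }
Remove-Item $cfg -ErrorAction SilentlyContinue
$findings['SeDebugPrivilege holders'] = if ($dbg) { $dbg -replace '^SeDebugPrivilege\s*=\s*', '' } else { 'no one' }

# 7. Sysmon Event ID 10: handles opened on lsass.exe with PROCESS_VM_READ (0x10) in GrantedAccess.
#    Query-only access (e.g. 0x1000) is skipped; a dumper needs to read memory.
$hits = @()
try {
    $events = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' `
        -FilterXPath '*[System[EventID=10]]' -MaxEvents 2000 -ErrorAction Stop
    foreach ($e in $events) {
        $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d['TargetImage'] -notlike '*\lsass.exe') { continue }
        $access = [Convert]::ToInt32($d['GrantedAccess'], 16)   # accepts the "0x" prefix
        if ($access -band 0x10) {
            $hits += [pscustomobject]@{
                Time = $e.TimeCreated; Source = $d['SourceImage']
                Access = $d['GrantedAccess']; CallTrace = $d['CallTrace']
            }
        }
    }
    $findings['Sysmon Event 10 lsass reads'] = "$($hits.Count) of $(@($events).Count) events examined"
} catch {
    $findings['Sysmon Event 10 lsass reads'] = "log not available: $($_.Exception.Message)"
}

$findings.GetEnumerator() | Format-Table Name, Value -AutoSize
$hits | Sort-Object Time -Descending | Format-Table -AutoSize
```

Expect legitimate readers of lsass.exe in the Event 10 output (the AV engine, EDR sensors, Duo or similar authentication hooks); the point of running this in audit mode first, as the talk says, is to learn that baseline before turning the ASR rule or RunAsPPL to block.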