
PE03 - Dumping LSASS when Debug Privilege is Disabled - Bleon Proko

BSides Athens · 12:24 · Published 2024-06

Speaker: Bleon Proko
Category: Technical
Difficulty: Advanced
Team: Red
Style: Talk
About this talk
Abstract: An LSASS dump has become one of the goals that most penetration testers want to achieve on a machine, and for a good reason. LSASS contains a lot of credentials, from NTLM hashes, to cached hashes, to even certificates. For an attacker to be able to create a memory dump of LSASS, they need to have Local Administrator rights and SeDebugPrivilege, which allows the dumps to be created. What happens when an organization has prevented Local Administrators from having SeDebugPrivilege? Can an attacker do anything? In this talk, we will be looking at how TrustedInstaller's process ACL can lead to dumping LSASS, even with an identity that is not allowed to. We will be looking at ways to achieve TrustedInstaller access, as well as ways to dump LSASS.

Bio: An infosec professional passionate about Infrastructure Penetration Testing and Security, including Active Directory, Cloud (AWS, Azure, GCP), Hybrid Infrastructures, as well as Defense, Detection and Threat Hunting.

Transcript [en]

LSASS is probably one of the most touched processes by attackers. LSASS manages user authentication and user credentials, making it the key bearer of a Windows system. To help with dumping those credentials from LSASS, tools like Mimikatz, SharpKatz and the like were created. All of those tools do the same thing: they create a memory dump of the process, then they parse that memory dump, and then they get the credentials out of it, either hashes or the credentials themselves. What happens, though, when dumping the LSASS process memory is not allowed by a group policy? Welcome to my presentation. My name is Bleon and I will be showing you how to bypass a GPO that prevents memory dumps of a process and actually dump the credentials inside LSASS.

First things first: why do we dump LSASS? As we said, LSASS contains the hashes and credentials. Depending on the version of the system, or depending on the configuration of the registry of the Windows system, those hashes or those credentials can be used in attacks like pass-the-hash, or, in the case of hashes, we can try to crack them and then use them on other services. Now, in order to create a memory dump of a process, a privilege called SeDebugPrivilege is needed. This privilege is managed by a local GPO, which by default only allows local administrators to have access to it.

Well, doing some testing, I found an article that said that if you remove the debug privilege, or if you just allow it to a specific user group in a company, an attacker will not be able to dump the LSASS process and therefore they will not be able to continue with this attack. And yes, it does work: when we modify the GPO to only allow domain administrators to dump the process, and we try to dump the process using a local administrator user that is not a domain administrator, we are not allowed to do so. So, have we lost? Theoretically, yes.

That GPO is a very good way of managing the privileges and access to LSASS, and also of managing and preventing memory dumps of processes. Mind you, that GPO does not only prevent an attacker from creating memory dumps of LSASS; it prevents an attacker from creating memory dumps of every other process, so it will prevent an attacker from creating dumps of other processes that might be needed, even for custom systems that might have credentials stored in them or might have sensitive information stored in them. Except for one simple user: TrustedInstaller. TrustedInstaller is one of those unique yet well-known resources in Windows that many people know about, but not many people look too much into.

It is a built-in Windows identity, a user, that has access to a lot of system files and service files. It is the owner of a lot of files and has full control over a lot of binary files, including, but not only, the LSASS binary. It is managed through a service called TrustedInstaller and, unofficially, by abusing Windows tokens. So yes, we are allowed, and this is by design, this is a feature, to get access as TrustedInstaller, and this user has been abused for a lot of reasons, one of which is stopping Windows Defender. Knowing this, the path of attack then becomes: modify the service using any tool that you like to dump the memory of LSASS. I'm using [inaudible] here, but anything can be used; several other tools [names inaudible] can be used, whichever you like. Then we start the service, and when the service is started, access as TrustedInstaller is given to the binary, which is now the tool that is dumping the LSASS process, and this access will actually allow the LSASS memory dump to be created. At this point we can all agree that, well, TrustedInstaller knows too much and has too much access, and yes, we need to take it down, we need to remove it.

What happens, though, when we try to remove the access that TrustedInstaller has on LSASS? Long story short: nothing much. Even when trying to [inaudible], when we remove the privileges that TrustedInstaller has on the LSASS binary and the LSASS process, it is still able to create a memory dump. The funny thing is, it doesn't even have privileges on the binary, nor does it have privileges on the process, so it shouldn't be allowed to do it. It probably has something to do with the underlying Windows system that is supposed to have access to it; TrustedInstaller is already supposed to have access to other services, for the different reasons that TrustedInstaller is used for. But anyway, as you are seeing here, that memory dump is still created.

Now, in the previous test we used NT AUTHORITY\SYSTEM privileges to modify the privileges that TrustedInstaller has on LSASS. NT AUTHORITY\SYSTEM is the identity that runs LSASS. Funny thing: SYSTEM in itself only has read and execute privileges, so theoretically it shouldn't have access to modify the permissions that TrustedInstaller has on the binary and the process, but it still has. So knowing this, and knowing that SYSTEM is the identity that is running LSASS, knowing that SYSTEM is basically the root of Windows, we try to do the same thing with SYSTEM: we try to dump LSASS when the GPO is applied, and yes, it still does work. So right now we are faced with two methods of dumping the memory, even though the GPO is applied and it's not supposed to work.

So, what method should attackers use? Both will work; both of them will work in different scenarios. If you have local administrator rights, tools like [inaudible] can be used to get access to SYSTEM, or another privilege escalation, there are many of them, can be used to get access as NT AUTHORITY\SYSTEM and then dump the LSASS memory. This will trigger some alerts, because privilege escalations will of course mostly be known and they will of course be tracked by the defenders. On the other hand, TrustedInstaller, as a user and as a service, is one of the most monitored resources in Windows. Even modifying TrustedInstaller as a service will trigger a warning, and modifying it with something that will dump LSASS will automatically be picked up by the antivirus. So a good way to achieve a memory dump using TrustedInstaller is to do it by abusing Windows tokens. In the end, as I said, there are two ways to achieve the same thing. Both of them have their own drawbacks and both of them have their own benefits, so everybody can use each one to their benefit. The most important part is that none of them are limited by the GPO.

Key notes: first of all, don't trust anything you know was set up by Microsoft; they have a long history of not knowing how to manage their users' privileges very well. Just because something is locked, well, we looked at two methods of achieving a memory dump even though it was not supposed to be possible. Password dumping is an attack that is here to stay, and, you know, dumping can also be escalated to other stuff like [inaudible]. And lastly, as I said, this technique, all of this as a technique, is not a bad way to set up security or to prevent tooling from being used, and it does work; it just doesn't work very well. So this, together with other security measures, can be a good way of securing your own infrastructure against those kinds of attacks, but don't only rely on this technique as a good technique to prevent those attacks. Again, thanks for watching this; if you managed to come this far, thanks for that, and if you have any questions, just try to contact me in any way or just leave a comment down below, and see you all at BSides Athens.
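The talk's two paths both leave telemetry a defender can key on: the dump tool opening lsass.exe with read access (whether it runs as SYSTEM or as the TrustedInstaller service), and the TrustedInstaller service's ImagePath being repointed at the tool. The following Python triage, added here as a defender-side example and not part of the talk, runs those two rules over constructed Sysmon Event ID 10 (ProcessAccess) and Event ID 13 (registry value set) records; the allowlist and the sample events are constructed, and the default servicing path is assumed to be the one on a stock install.

```python
# Added defender example: triage Sysmon events for the two LSASS-dump paths
# described in the talk. Field names follow Sysmon's event schema.
PROCESS_VM_READ = 0x0010  # Win32 PROCESS_VM_READ access right; minidump tools need it

# Constructed allowlist of images that routinely hold lsass handles on a default
# install. Match on image rather than user: the talk shows the dump succeeding
# as both SYSTEM and TrustedInstaller, so a user-based allowlist would miss it.
ALLOWED_LSASS_READERS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}
TI_IMAGEPATH_KEY = r"hklm\system\currentcontrolset\services\trustedinstaller\imagepath"
TI_DEFAULT_IMAGEPATH = r"c:\windows\servicing\trustedinstaller.exe"  # stock path, assumed

def triage(events):
    """Return a list of (rule, detail) findings for Sysmon events given as dicts."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 10:  # ProcessAccess: who opened what, with which access mask
            src = ev.get("SourceImage", "").lower()
            dst = ev.get("TargetImage", "").lower()
            granted = int(ev.get("GrantedAccess", "0x0"), 16)  # Sysmon logs a hex string
            if dst.endswith(r"\lsass.exe") and granted & PROCESS_VM_READ and src not in ALLOWED_LSASS_READERS:
                findings.append(("lsass-read", f"{src} opened lsass.exe with 0x{granted:x} as {ev.get('SourceUser', '?')}"))
        elif eid == 13:  # RegistryEvent (value set): service binary swapped?
            key = ev.get("TargetObject", "").lower()
            value = ev.get("Details", "").strip('"').lower()
            if key == TI_IMAGEPATH_KEY and value != TI_DEFAULT_IMAGEPATH:
                findings.append(("trustedinstaller-imagepath", f"ImagePath set to {value} by {ev.get('Image', '?')}"))
    return findings

# Constructed sample events (not real telemetry). The registry write lands under
# services.exe because service configuration changes are applied by the SCM.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF", "SourceUser": r"NT AUTHORITY\SYSTEM"},            # normal, allowlisted
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Services\TrustedInstaller\ImagePath",
     "Details": r"C:\Temp\dumper.exe", "Image": r"C:\Windows\System32\services.exe"},  # service repointed
    {"EventID": 10, "SourceImage": r"C:\Temp\dumper.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010", "SourceUser": r"NT SERVICE\TrustedInstaller"},       # dump from the service
    {"EventID": 10, "SourceImage": r"C:\Temp\dumper.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000", "SourceUser": r"NT AUTHORITY\SYSTEM"},               # no VM_READ bit: not flagged
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The last sample shows why the access mask matters: a handle without PROCESS_VM_READ cannot read LSASS memory, so alerting on every lsass.exe open would drown the real finding in noise.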