LSASS.DMP... Attacker or Admin?

When analysing a system for evidence of attacker activity, the presence of a file named LSASS.DMP should pique your interest as an investigator, as it can be an indication of credential theft and possible privilege escalation. However, if there is no other evidence of compromise on the system, or the creation timestamp of LSASS.DMP is outside of your intrusion timeline, you may be left questioning whether the dump relates to this breach, a historical breach, a red team or no breach at all.

In this blog I will share an analysis technique which recently helped me ascertain with high confidence that an LSASS.DMP file was generated by an administrator and was not related to the intrusion we were investigating.

What is LSASS.DMP?

The Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system, such as verifying users during users logons and password changes. 

LSASS.DMP is a dump file of the LSASS process. Attackers can dump LSASS to a dump file using  tools such as ProcDump (https://docs.microsoft.com/en-us/sysinternals/downloads/procdump). The attacker can then extract passwords and password hashes from the process dump offline using Mimikatz.

Whilst an attacker can run Mimikatz directly on a system, collecting a LSASS process dump may be a preferable technique as ProcDump is not considered malware by most antivirus tools, so is less likely to generate a security alert.

Admin or Attacker ?

When an administrator is generating a process dump, it is often at the request of a vendor or application team. The purpose of these dumps are to capture an error or unwanted behavior for troubleshooting. The vendor may request that ProcDump is executed with specific arguments, in order to increase the likelihood of capturing the unwanted behavior. For example, I have seen the following procdump arguments used by an administrator to generate a process dump of LSASS when the process utilised more than 85% CPU for more than 5 seconds.
procdump -c 85 -s 5 -n 3 lsass
Thankfully, ProcDump does us a favour as investigators and includes a comment in the process dump detailing the non-standard arguments used to generate the dump. These comments can be read by opening the dump file in WinDbg. Once loaded, the Command Window will display the comment as follows:
Loading Dump File [C:\Users\barna\AppData\Local\Temp\lsass.DMP]

Comment: '

*** procdump -c 85 -s 5 -n 3 lsass

*** Process exceeded 85% CPU (system scale) for 5 seconds. Value: 99%. 

Hottest Thread: 6868 (0x1ad4).'

User Mini Dump File: Only registers, stack and portions of memory are available.
Not only is it highly unlikely that an attacker would execute procdump with these arguments, the resulting process dump does not contain complete application data. In my testing, this resulted in errors when attempting to extract credentials using Mimikatz.

When an attacker is generating a process dump of lsass, they want to acquire all of the process application data. This is where the credentials are stored, and this is the default type of dump generated by procdump with no additional arguments.

When you open this kind of process dump in WinDbg,  the Command Window will display the following message:
Loading Dump File [C:\Users\barna\AppData\Local\Temp\lsass.DMP]
User Mini Dump File with Full Memory: Only application data is available
During testing I was able to successfully extract credentials from this type of process dump using Mimikatz, as expected. It is important to note that unlike the first dump we examined, which is highly likely to be related to administrative activity, an LSASS dump with full application data and no comment could be related to either administrator or attacker activity. Further analysis of the system would be required to provide context as to why the dump was generated.

Conclusion

WinDbg enables an investigator to easily analyse the comments embedded in LSASS process dumps, as well as whether the process dump contains 'full' or 'portions' of application data. This information can help to provide context to why the process dump was generated. In some scenarios, this information may be sufficient to conclude with a high level of confidence that the dump was not related to attacker activity.

Comments

  1. Pro Crack Software5 November 2021 at 15:50

    Thanks for sharing the crack but you need to update this version because here new version Available below;

    https://licensedinfo.com/addictive-trigger-crack/

    ReplyDelete
  2. hudaib8 February 2022 at 07:03

    I realy like you post. It is a nice post. Thanks for Sharing
    bandlab-cakewalk-crack
    PolyBoard Crac
    Babylon Pro NG Crack
    Maxon CINEMA 4D Studio Crack
    Leawo Blu-ray Ripper Crack
    Redshift Render Crack

    ReplyDelete
  3. zanda25 February 2022 at 06:16

    nice blog thanks for sharing

    BandLab Cakewalk Crack

    CLIP STUDIO PAINT EX Crack

    WinZip Pro Crack

    Netflix Premium Crack

    Nebulosity Crack

    ReplyDelete
  4. vashtipaci4 March 2022 at 12:08

    Las Vegas Casinos 2021 | JTHub
    Find the best Vegas casino online. 원주 출장샵 We 충청북도 출장안마 compare 의왕 출장안마 the best casinos in Las Vegas, 인천광역 출장마사지 Check out 김해 출장마사지 our Las Vegas casinos to find out more.

    ReplyDelete
  5. Unknown24 October 2022 at 00:08

    가평출장샵
    경기도출장샵
    경기도출장샵
    경남출장샵
    경기도출장샵
    김포출장샵
    수원출장샵

    ReplyDelete
  6. BEGlobal(US)LLC17 November 2022 at 01:12

    Thanks for sharing. BEglobalus is one of leading Web Development Company in Los Angeles. Our knowledgeable team is passionate about design patterns, simple user interfaces, and efficient customer engagement. We have years of experience.

    ReplyDelete
  7. James Gibson2 April 2024 at 06:14

    Nice Blog. Thanks for sharing with us. Keep Sharing.

    Do you want to Buy High Brightness IR Touch Monitors Online?

    Buy High Brightness IR Touch Monitors

    ReplyDelete

Post a Comment

Popular posts from this blog

Windows PowerShell Remoting: Host Based Investigation and Containment Techniques

Image
In this blog post I will detail how to perform various incident response techniques using native Windows PowerShell functionality. Each method I explain will be able to be executed remotely to allow for efficient investigation and containment of an individual host . For PowerShell response on mass, I recommend familiarising yourself with the Kansa framework . If you follow my github, you may also notice that many of the techniques listed below are built into my remote powershell triage tool, B2Response , which allows you to perform these actions with ease. Please give it a go and provide feedback! The techniques which I will cover include: 1) Issuing remote command/shell 2) Retrieving/downloading files 3) Checking for running processes 4) Query registry keys 5) PCAP collection 6) Blocking a domain 7) Blocking an IP 8) Quarantining a host Prerequisites All of the techniques listed below utilise PowerShell to remotely manage computers within your IT environment. In order
Read more

Touch Screen Lexicon Forensics (TextHarvester/WaitList.dat)

Image
By Barnaby Skeggs Preamble Since the release of Windows 8, and the ‘Metro’ interface, touch screen input has been implemented in a rapidly rising number of Windows devices including Microsoft Surface Pro/Book, 2-in-1s, convertible laptops and tablets. Microsoft has catered for this trend, implementing conversion between touch/pen handwriting to computer text in software such as OneNote. In this paper I will detail my research into the forensic artefact ‘Waitlist.dat’, which I believe to be associated with this functionality. I identified the ‘WaitList.dat’ artefact while investigating a Windows 8.1 PC for the presence of a known email. I was provided with a copy of this email, and part of the investigation involved identifying whether or not this email ever existed on the custodian’s computer. After processing the .PST and .OST mailbox archives on the PC, I did not identify the existence of the email. I then processed shadow copies, carved and processed for various mailbox stores
Read more