Part 2. Windows security – what is LSASS dump. How to protect against it?

Dawid Farbaniec | | Education

Bypassing LSA Protection (RunAsPPL) with Mimikatz

Mimikatz is a tool by Benjamin Delpy for extracting Windows credentials in various ways.

Important note: It is possible that running Mimikatz on Windows 10 will end in an error:

kuhl_m_sekurlsa_acquireLSA ; Key import

It may be helpful to use an older version, specifically Mimikatz v2.1.1 from here:

https://github.com/gentilkiwi/mimikatz/files/4167347/mimikatz_trunk.zip

To the point: In order to bypass LSA Protection (RunAsPPL), Mimikatz uses the load driver (.sys) command:

!+

and removing process protection with the command:

!processsprotect /process:lsass.exe /remove

Loading the driver allows you to remove process memory protection (Figure 9).

Figure 9. Loading the driver by the Mimikatz tool and removing the protection of the LSASS process.

When the LSASS process is not protected, it is possible to take a memory dump. For simplicity, we will use Process Explorer (Figure 10).

Figure 10. A memory dump of the LSASS process after Mimikatz removes protection.

If the dump file is created, using the commands:

sekurlsa::minidump C:\Users\n\Desktop\lsass.dmp

sekurlsa::logonpasswords

it is possible to read credentials in the form of password hashes (Figure 11).

Figure 11. Authentication data extracted from the memory dump file of the LSASS process.

There may be different credentials in memory depending on the type of account or system settings. An example diagram is shown in Figure 12.

Figure 12. Types of credentials that can be found in Windows memory.

To restore process protection and remove the driver (Figure 13), execute the commands:

!processsprotect /process:lsass.exe

!-

Figure 13. Restoring LSASS process protection and removing the driver in Mimikatz

Breaking the NTLM password hash

The experiment presented here provided a password hash in NTLM format. Someone may ask: Why does Microsoft continue to store credentials in weak formats such as NTLM hashes?

Well, it is often a requirement for so-called backward compatibility. It is not always possible in an organization to disable a particular solution when other processes depend on it.

MITRE ATT&CK recommends disabling or restricting NTLM and switching to Kerberos, which despite vulnerabilities (e.g. Pass the Ticket, Sub-technique T1550.003 – Enterprise | MITRE ATT&CK®) is more secure, or at least current in 2022. NTLM cryptography is obsolete. NTLM protocol password hashes do not contain salts and there is no support for multi-component authentication (NTLM Explained: Definition, Protocols & More | CrowdStrike).

We can verify the speed of NTLM cracking on our hardware by running, for example, the hashcat tool with the command: hashcat -b -m 1000 (Figure 14).

The notebook on which this text is written breaks more than 2 billion NTLM hashes per second. To be precise, this is a value of 2162.7 MH/s. In contrast, the modified hashcat on much more powerful hardware achieved 102.8 GH/s (i.e. more than 100 billion NTLM hashes per second). This example perfectly illustrates the weakness of NTLM security.

Figure 14. Example test of NTLM hash cracking performance using hashcat.

How to identify what password is behind an NTLM hash? You can use a tool to crack them, such as hashcat or John the Ripper. For example, let’s use hashcat from the address:

https://hashcat.net/hashcat/

The hash of the NTLM password is as follows:

fd32194cec3fe17dd29e38cf29b19065

After downloading the hashcat tool, run the Command Prompt (cmd.exe) and navigate to the directory with the program using:

cd C:\Users\iamda\Desktop\hashcat-6.2.5

We can invoke password hash breaking with the command:

hashcat.exe -m 1000 -a 3 hash.txt

The -m parameter specifies the type of hash (1000 is NTLM). A full list of hash types can be found here:

https://hashcat.net/wiki/doku.php?id=example_hashes

The -a parameter specifies the method of attack. A value of three (3) is a force attack. There are still, among others, dictionary, hybrid or force mask attacks.

And hash.txt is the path to the file containing the hash to be cracked.

The example password is simple and took 26 seconds to crack (Figure 15).

Figure 15. Breaking an NTLM password hash using the hashcat tool.

In reality, stronger passwords can often be found. For this reason, it is worth mentioning the force attack mode, but with the use of a mask in the hashcat tool. The example on the hashcat program page shows the password Julia1984. A force attack for this type of password requires 13.537.086.546.263.552 (62^9) combinations, which with a cracking speed of 100 M/s requires a time of 4 years. In contrast, a mask attack in the form of first name + year of birth reduces the number of combinations to 237.627.520.000 and reduces the cracking time to 40 minutes!

Someone may ask: What passwords can realistically be cracked in a reasonable amount of time? Well, the example above proves that the cracking time is not always dependent on the complexity of the password (variety of characters). A big role is played by the method of attack. A brute force attack using a mask will often be more effective than a simple brute force attack.

A rather extreme but real example would be when the attacker generates a password dictionary from words found, for example, on the victim’s blog. Even a difficult password (considering a force attack) such as some quote like: fas_est_et_ab_hoste_doceri!1999 will be ineffective if it is in the generated password dictionary.

Bypassing LSA Protection (RunAsPPL) without using a driver (.sys).

Protected Process Light (PPL), in simple terms, means that a protected process can only be opened (e.g. with the OpenProcess function from WinAPI) by a process that is equal or higher in the hierarchy. The Mimikatz tool bypasses this protection by going into kernel mode, where the code has a higher level of privilege.

Another way is to use the exploit described on the Project Zero blog by James Forshaw in 2018. The difference from the method with driver loading is huge, as the exploit works in user mode.

Example implementations include:

  • https://github.com/itm4n/PPLdump
  • https://github.com/helpsystems/nanodump

Memory dump of LSASS process using nanodump

If you don’t want to use the premade executable files of the nanodump tool, then you can build the code yourself with the help of Microsoft Visual Studio.

To do this, run the x64 Native Tools Command Prompt for VS 2022 console (Figure 16) or its equivalent.

We can access the folder with the source code with the command:

cd C:\Users\n\Desktop\nanodump-main

The code build, on the other hand, is invoked with the command:

nmake -f Makefile.msvc

After a while, we will get ready executable files.

Figure 16. Building the code of the nanodump tool using the Visual Studio console.

To call the nanodump tool, navigate to the /dist folder with the command:

cd C:\Users\n\Desktop\nanodump-main\dist

A memory dump of the PPL-protected LSASS process (Figure 17) can be performed with the command:

nanodump_ppl.x64.exe –write C:\Users\n\Desktop\nanodump-main\dist\lsass2.dmp

Figure 17. A snapshot of an LSASS process protected by PPL using nanodump

The memory dump signature of the LSASS process at the beginning of the dump file (Figure 10) is a clear and easily noticeable Indicator of Compromise (IoC).

Figure 18. The correct signature of the LSASS process memory dump file.

For this reason, the nanodump tool creates a file with an incorrect signature (Figure 19).

Figure 19. Incorrect signature of LSASS process memory dump file (random values).

When the LSASS memory dump is taken outside the attacked environment (e.g., by the Command&Control server), you can repair the signature (Figure 20) with the command:

restore_signature.exe C:\Users\n\Desktop\nanodump-main\dist\lsass2.dmp

To then process the dump file with the Mimikatz program (or pypykatz alternative).

Figure 20. Repairing the signature of the memory dump file of the LSASS process

Credential Guard security

Virtualization-based isolation of secret data from the operating system (Figure 21) is available for the Enterprise version, which is Windows 10 Enterprise and later, and the Server version, which is Windows Server 2016 and later.

Figure 21. Credential Guard security (general diagram)

Credential Guard security is designed to protect password hashes (NTLM hashes), Kerberos tickets and domain credentials. One way to enable Credential Guard is to use the Local Group Policy Editor (Figure 22). Forcing the processing of new group settings can be achieved with the command:

gpupdate /force

Figure 22. Credential Guard security in the Local Group Policy Editor

To check whether Credential Guard security has been successfully enabled and is working, you can use the msinfo32.exe application, which displays various information about the system (Figure 23).

Figure 23. Credential Guard security information in the System Information tool.

Protection against LSASS memory dump and credential theft

Someone may ask: Does enabled LSA Protection (RunAsPPL) and Credential Guard protect against credential theft?

To the full extent it does not protect. but mitigates the threat too. New protections and patches are being developed, but offensive tools are also being adapted to defeat them. As an example, there is a method that was described in May 2022 that allows bypassing Credential Guard by making modifications to two global variables in the LSASS process. 

Table of Contents

Matthew Hickey, Jennifer Arcuri, Warsztat hakera. Testy penetracyjne i inne techniki wykrywania podatności, Gliwice 2022

OS Credential Dumping: LSASS Memory, Sub-technique T1003.001 – Enterprise | MITRE ATT&CK® | https://attack.mitre.org/techniques/T1003/001/

Configuring Additional LSA Protection | Microsoft Docs | https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection

Critical System Services – Win32 apps | Microsoft Docs | https://docs.microsoft.com/en-us/windows/win32/rstmgr/critical-system-services

Do You Really Know About LSA Protection (RunAsPPL)? | itm4n’s blog | https://itm4n.github.io/lsass-runasppl/

Bypassing LSA Protection in Userland – Sec Team Blog (scrt.ch) | https://blog.scrt.ch/2021/04/22/bypassing-lsa-protection-in-userland/

Protect derived domain credentials with Windows Defender Credential Guard (Windows) – Windows security | Microsoft Docs | https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard

Revisiting a Credential Guard Bypass | itm4n’s blog | https://itm4n.github.io/credential-guard-bypass/

Pass The Hash – Defense/Offense/Fix | https://blog.zsec.uk/path2da-pt3/

Domain vs workgroup accounts in Windows 10 – Infosec Resources | https://resources.infosecinstitute.com/topic/domain-vs-workgroup-accounts-in-windows-10/

WDigest Authentication must be disabled. | https://www.stigviewer.com/stig/windows_server_20122012_r2_member_server/2020-06-16/finding/V-72753

The many lives of BlackCat ransomware – Microsoft Security Blog | https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/

Memory usage considerations in AD DS performance tuning | Microsoft Docs | https://docs.microsoft.com/en-us/windows-server/administration/performance-tuning/role/active-directory-server/memory-usage-considerations

Use Alternate Authentication Material: Pass the Ticket, Sub-technique T1550.003 – Enterprise | MITRE ATT&CK® | https://attack.mitre.org/techniques/T1550/003/

hashcat na Twitterze: „hand-tuned hashcat 6.0.0 beta and 2080Ti (stock clocks) breaks NTLM cracking speed mark of 100GH/s on a single compute device https://t.co/aVRMpbap4H” / Twitter | https://twitter.com/hashcat/status/1095807014079512579

NTLM Explained: Definition, Protocols & More | CrowdStrike | https://www.crowdstrike.com/cybersecurity-101/ntlm-windows-new-technology-lan-manager/

Author: Dawid Farbaniec