AhnLab SEcurity intelligence Center (ASEC) has posted the blog “Account Credentials Theft in Domain Environments Detected by EDR”  that discusses attackers stealing account credentials after dominating the system in an Active Directory environment. Among the account credential theft method, it will cover in detail the various techniques of dumping NT Hash (a hash used for NTLM authentication protocol) saved in the LSASS process memory.
The account credential is saved in the LSASS process memory. The attacker dumps the process memory and can extract the account credentials from here. As a result, the act of dumping LSASS process memory is seen as suspicious behavior by security products. Hacking tools like Mimikatz which uses functions like this become the major detection target for security products.
The attackers are also aware of this, so instead of using hacking tools directly, they tend to use multiple normal tools maliciously to dump the LSASS process memory. Previously, the most common method of using Sysinternals’ ProcDump was discussed as an example in the blog. However, various techniques such as Process Explorer, Task Manager, etc. can be used to circumvent the security program’s detection.
It is difficult to completely block all of these attempts with just the AntiVirus product, as the methods and tools can be used for normal use and purposes. AhnLab EDR (Endpoint Detection and Response) is a next-generation threat detection and response solution, providing powerful threat monitoring, analysis, and response capabilities for endpoint areas based on Korea’s only self-behavior-based engine. AhnLab EDR continuously collects information related to suspicious behaviors to allow the user to precisely perceive threats from a detection, analysis, and response perspective and identify causes, respond with appropriate measures, and establish processes to prevent threat recurrence.
- LSASS Process
NTLM authentication is an authentication method that is used when a local user logs in, and is implemented at the “msv1_0.dll”. “Msv1_0.dll” is loaded into the LSASS otherwise the lsass.exe process, where the NT Hash for the password used to login and the NT Hash saved in the SAM (Security Accounts Manager) is compared for authentication. Therefore, NT Hash also exists inside the lsass.exe process memory.
Because it is a hash value created through a hash algorithm, the attacker cannot obtain the password in plain text using NT Hash. Naturally, the attacker can still use multiple Dictionary Attack tools to obtain the password in plain text, and can directly obtain passwords in plain text by using features from Mimikatz.
Even if the password cannot be obtained in plain text, if the attacker can find the NT Hash of an account existing on another system, the attacker can log into the system using the stolen account’s NT Hash. This is called a Pass the Hash attack. Since it is possible to attack the NTLM protocol using this method, it is not a problem for “Lateral Movement” even if the attacker does not know the password in plain text.
Mimikatz is a program with features to extract account credential in a Windows OS environment. Mimikatz has the feature to use basic commands to dump the LSASS process memory then show the extracted NT Hash. Mimikatz has the feature to use basic commands to dump the LSASS process memory and then show the extracted NT Hash.
Naturally, because it is used for so many attacks, most security programs detect this as a major threat. As a result, attackers use various normal tools to dump the LSASS process memory and additional cases will be further discussed below.
Mimikatz’s “sekurlsa::logonpasswords” command is responsible for the entire process of directly dumping the LSASS process memory, extracting the NT Hash from the dumped information, and show the final output. However, if the “sekurlsa::minidump” command is used together, the account credential can be extracted without directly accessing the LSASS process by reading the memory dump file saved in the system. Therefore, the attacker dumps the LSASS process memory using normal tools, steals it, and extracts the NT Hash using the “sekurlsa::minidump” command from their environment. This allows them to find the account credentials without installing Mimikatz.
Sysinternals’ ProcDump is a command line tool that supports the feature of dumping specific process memories. Sysinternals currently belongs to Microsoft. Therefore, the ProcDump tool is a normal file signed with Microsoft’s certificate just like other similar files under Windows OS.
Just as it has been covered numerous times by ASEC Blogs in the past, ProcDump is a tool regularly used by attackers to dump LSASS process memory. The following is an example screen of AhnLab EDR product showing the process of account credential theft. It shows the process of dumping using ProcDump and extracting the memory dump file created using Mimikatz to steal account credentials.
AhnLab EDR uses the normal program of Sysinternals’ ProcDump to detect the action of LSASS process memory dump as a threat. Allowing the administrator to be aware, identify causes, and respond with appropriate measures.
- Process Explorer
Process Explorer is also a tool developed by Sysinternals. As its name suggests, it shows the list of running processes, lookup information, control processes, and provides other various features. One thing to note is that among the features supported by Process Explorer, it also includes the feature of dumping specific process memories. As a result, it also allows LSASS process memory to be dumped allowing attackers to abuse Process Explorer to extract account credentials.
AhnLab EDR uses the normal program of Sysinternals’ Process Explorer to detect the action of LSASS process memory dump as a threat. Allowing the administrator to be aware, identify causes, and respond with appropriate measures.
- Task Manager
Although ProcDump and Process Explorer are both normal files signed with Microsoft’s certificate, they are not tools typically provided by the Windows OS. If the tools installed by default in the Windows OS environment are used, extraction of account credentials should be possible without any suspicious activity such as installing additional tools externally.
Windows OS supports the Task Manager (taskmgr.exe) tool by default. Like Process Explorer, it provides features such as looking up and controlling running processes. It also provides installed services or startup programs, user information, and various other features. One thing to note about Task Manager is it also provides the feature to create a memory dump of running processes. For example, if a LSASS process memory dump is created like below a dump file with the name “lsass.DMP” is created in the “TEMP%” path.
AhnLab EDR uses the Task Manager provided by default from the Windows OS to detect the dumping LSASS process memory as a threat, allowing the administrator to be aware, identify causes, and respond with appropriate measures.
“comsvcs.dll” is a DLL file in charge of COM+ service features, and is one of the system files installed by default in the Windows environment. One thing to note about “comsvcs.dll” is it exports the “MiniDump” function which supports the feature of dumping specific process memory dump. Therefore, if this is used it allows the LSASS process memory dump.
“Comsvcs.dll” is a DLL file so the rundll32.exe process can be typically used in order to execute. Additionally, to dump LSASS process memory a debug privilege called SeDebugPrivilege is needed. However, the privilege can easily be activated when executing using administrator privilege.
AhnLab EDR uses the“comsvcs.dll” provided by default from the Windows OS to detect the memory dumps as a threat, allowing the administrator to be aware, identify causes, and respond with appropriate measures.
Attackers who target systems belonging to a specific network are likely looking to take over the entire network, not just the target system. In order to do so, ultimately there needs to be a lateral movement of the management server and major systems. Account credential is the necessary information needed for such lateral movement attacks.
Attackers can typically use information that is poorly managed or extract account credentials using hacking tools like Mimikatz. The most widely used method of stealing account credentials is to dump LSASS process memory and extract NT Hash from it. However, using hacking tools to dump LSASS process memory can easily be detected by security tools. Because of this, attackers abuse normal tools to dump LSASS process memories instead.
If normal tools are used like this to circumvent the detection of security products, there is a limit to detecting and blocking such activities with just an AntiVirus product. AhnLab EDR detects attack techniques of stealing account credentials to eventually dominate the entire domain from attackers who have dominated a specific system. Allowing the administrator to be aware, identify causes, and respond with appropriate measures.
More details about AhnLab EDR which actively tracks threats and provides endpoint visibility through behavior-based detection and analysis can be found here on the AhnLab page.