Monday, July 17, 2017

Detecting lsass Access with Sysmon Process Access



The Local Security Authority Subsystem Service process (lsass.exe) is responsible for enforcing the security policy on the system and handling password operations; as a result, its memory contains user passwords. One of the things attackers do once they have gained access to a system is to inject code into that process to obtain clear-text passwords. From the attacker's perspective this is great, as they do not have to spend precious time attacking password hashes, which is what they would be left with after reading the hashes from the SAM Windows registry hive.

Sysmon is a useful and free tool created by Mark Russinovich and Thomas Garnier from Microsoft that can audit process activity, among many other things. One of the things the most recent version can audit is Process Access, which records any tool that has accessed the lsass process and could therefore have dumped credentials. By default, process access auditing is disabled, so Sysmon has to be configured to record this event, which can be done with the following XML configuration file.

<Sysmon schemaversion="3.2">
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Log every process that accesses lsass.exe (Event ID 10, ProcessAccess) -->
    <ProcessAccess onmatch="include">
      <TargetImage condition="contains">lsass.exe</TargetImage>
    </ProcessAccess>

    <!-- Log all network connections: an exclude rule with no filters excludes nothing -->
    <NetworkConnect onmatch="exclude"/>
  </EventFiltering>
</Sysmon>

Next, we update the Sysmon configuration with the -c switch, passing the XML file as the parameter.



To test the configuration, I used mimikatz, which is a (in)famous tool used to get clear-text credentials from the lsass process. I set up a meterpreter listener and created a reverse TCP meterpreter executable called lolm.exe, which I executed on the test Windows computer. As expected, I was able to load the mimikatz plugin and dump clear-text credentials using the kerberos command.



Sysmon successfully logged the event, recording the date and time, the full path of the meterpreter executable and the call trace. It is important to note that Sysmon will not only detect mimikatz but any tool that accesses the lsass process, so other tools used to dump credentials from lsass would be detected as well.
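The triage a defender would run over the resulting Event ID 10 records, as an added example that is not part of the original post or of Sysmon itself: it parses records in the XML layout that Event Viewer and wevtutil export, decodes the GrantedAccess mask into the process rights it contains, and rates each open of lsass.exe. The four event records (modelled on the post's lolm.exe scenario), the allow-list of source images and the severity labels are constructed assumptions for this example and have to be tuned per environment.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for access to lsass.exe.

Added example, not code from the original post or from Sysmon. The event XML
layout (Event/System/EventID, Event/EventData/Data Name="...") is the one
Windows exports; the sample records and the allow-list below are constructed.
"""
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# Process access rights from winnt.h that appear in the GrantedAccess mask.
ACCESS_NAMES = {
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# Rights a credential dumper needs: reading lsass memory or injecting into it.
MEMORY_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020

# Assumed allow-list (constructed): full paths of processes that legitimately
# open lsass on this host. Keep it narrow and match the full path, never the
# bare file name, since a dropped binary can be named anything.
BENIGN_SOURCE_IMAGES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}


def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) for one exported event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def decode_access(mask):
    """Expand a GrantedAccess mask into the named rights it contains."""
    return [name for bit, name in sorted(ACCESS_NAMES.items()) if mask & bit]


def triage_lsass_access(xml_records):
    """Keep Event ID 10 records whose target is lsass.exe and rate each one."""
    findings = []
    for record in xml_records:
        event_id, data = parse_event(record)
        if event_id != 10 or not data.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        source = data.get("SourceImage", "")
        mask = int(data.get("GrantedAccess", "0x0"), 16)
        # Sysmon writes UNKNOWN(<address>) for call-trace frames that are not
        # backed by a module on disk: what injected or reflectively loaded code looks like.
        unbacked = "UNKNOWN(" in data.get("CallTrace", "")
        if source.lower() in BENIGN_SOURCE_IMAGES and not unbacked:
            severity = "info"
        elif mask & MEMORY_RIGHTS or unbacked:
            severity = "high"
        else:
            severity = "low"  # query-only handle, e.g. a process lister
        findings.append({
            "time": data.get("UtcTime", ""),
            "source": source,
            "pid": data.get("SourceProcessId", ""),
            "granted_access": hex(mask),
            "rights": decode_access(mask),
            "unbacked_frames": unbacked,
            "severity": severity,
        })
    return findings


def make_event(event_id, fields):
    """Build a minimal record in the layout Event Viewer / wevtutil export."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{EVENT_NS}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


KERNEL_TRACE = r"C:\Windows\SYSTEM32\ntdll.dll+9c1a4|C:\Windows\System32\KERNELBASE.dll+2056b"
SAMPLE_RECORDS = [  # constructed sample events
    make_event(10, {"UtcTime": "2017-07-17 10:15:32.123", "SourceProcessId": "3412",
                    "SourceImage": r"C:\Users\test\Desktop\lolm.exe",
                    "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
                    "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c1a4|UNKNOWN(000001E4B7A16A2D)"}),
    make_event(10, {"UtcTime": "2017-07-17 10:15:40.001", "SourceProcessId": "812",
                    "SourceImage": r"C:\Windows\system32\svchost.exe",
                    "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000",
                    "CallTrace": KERNEL_TRACE}),
    make_event(10, {"UtcTime": "2017-07-17 10:16:02.500", "SourceProcessId": "5120",
                    "SourceImage": r"C:\Windows\system32\taskmgr.exe",
                    "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000",
                    "CallTrace": KERNEL_TRACE}),
    make_event(10, {"UtcTime": "2017-07-17 10:16:10.000", "SourceProcessId": "5120",
                    "SourceImage": r"C:\Windows\system32\taskmgr.exe",  # not lsass: out of scope
                    "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1000",
                    "CallTrace": ""}),
]

if __name__ == "__main__":
    for f in triage_lsass_access(SAMPLE_RECORDS):
        print(f["severity"].upper(), f["time"], f["source"], f["granted_access"], ",".join(f["rights"]))
```

On a live host the records come from the Microsoft-Windows-Sysmon/Operational log, for example exported with `wevtutil qe Microsoft-Windows-Sysmon/Operational /q:"*[System[EventID=10]]" /f:xml`. The point of the rating is the one the post makes: every access to lsass is logged, so a query-only handle (0x1000) from a process lister is expected noise, while a handle carrying PROCESS_VM_READ, or a call trace with frames in unbacked memory, is what a credential dump looks like.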




In the following articles we will see how to tune the Sysmon configuration to detect other attacks.