The Local Security Authority Subsystem Service process (lsass.exe) enforces the security
policy on the system and handles authentication and password operations. To do that it
keeps credential material for logged-on users in memory: NTLM hashes, Kerberos keys and,
where the WDigest provider is enabled, clear text passwords. One of the first things
attackers do when they have gained access to a system is to read or inject code into
that process to obtain those credentials. From the attacker's perspective
this is great, as they get passwords ready to use instead of consuming precious time
cracking password hashes extracted from the SAM registry hive.
Sysmon is a useful and free Sysinternals tool created by Mark Russinovich
and Thomas Garnier from Microsoft that can
audit processes among many other things. One of the things that can be audited
on the most recent version is Process Access (Event ID 10), which records any process that
opens a handle to the lsass process and could therefore have dumped credentials.
By default process access auditing is disabled, so Sysmon has to be configured
to log this event, which can be done with the following XML configuration
file.
<Sysmon schemaversion="3.2">
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 10: log every process that opens a handle to lsass.exe -->
    <ProcessAccess onmatch="include">
      <TargetImage condition="contains">lsass.exe</TargetImage>
    </ProcessAccess>
    <!-- Event ID 3: an empty exclude list logs all network connections -->
    <NetworkConnect onmatch="exclude"/>
  </EventFiltering>
</Sysmon>
Next we load the new configuration by running Sysmon with the -c flag and
passing the path to the XML file as its parameter.
To test the configuration, I used
mimikatz, the (in)famous tool used to get clear text credentials from the
lsass process. I set up a Meterpreter listener, created a reverse
TCP Meterpreter executable called lolm.exe and ran it on the test
Windows computer. As expected, I was able to load the mimikatz extension and dump
clear text credentials using the kerberos command.
Sysmon successfully logged the event: the record shows the date and time, the full path
of the Meterpreter executable (SourceImage), the target process (TargetImage), the access
mask granted on the handle (GrantedAccess) and the call trace. It is important to note that
Sysmon does not detect only Mimikatz, but any tool that accesses the lsass process, so other
tools that dump credentials from lsass would be detected as well. The same rule also fires for
legitimate software that opens lsass, such as antivirus and monitoring agents, so in production
the events need tuning, for example by excluding known-good source images or by looking at the
GrantedAccess value.
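As an added example (not code from the original post), the following Python script applies the same check offline to Event ID 10 records exported from the Sysmon log, for instance with wevtutil or Get-WinEvent: it keeps records whose TargetImage is lsass.exe, decodes the GrantedAccess mask into PROCESS_* rights and reports only handles that can read or write the process's memory, which is what a credential dumper needs. The four records embedded in it are constructed for illustration; the lolm.exe path, PIDs, timestamps and call trace are made up, and the taskmgr.exe and svchost.exe records are made-up negatives.

```python
r"""Triage Sysmon ProcessAccess (Event ID 10) records for reads of LSASS memory.

Added example, not code from the original post. It takes events in the XML
shape produced by `wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml`
(or Get-WinEvent's .ToXml()). The sample records below are constructed:
paths, PIDs, timestamps and the call trace are made up for illustration.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Subset of the PROCESS_* access rights from winnt.h.
ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# Rights that let the caller read or tamper with another process's memory.
# A credential dumper needs at least PROCESS_VM_READ on lsass.exe; mimikatz
# style tools typically end up with a mask such as 0x1010 or 0x1410.
MEMORY_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020


def parse_process_access(event_xml):
    """Return the fields of an Event ID 10 record, or None for any other ID."""
    root = ET.fromstring(event_xml)
    if root.find("e:System/e:EventID", NS).text.strip() != "10":
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "time": data["UtcTime"],
        "source": data["SourceImage"],
        "source_pid": int(data["SourceProcessId"]),
        "target": data["TargetImage"],
        "granted": int(data["GrantedAccess"], 16),  # Sysmon renders "0x1010"
        "call_trace": data["CallTrace"],
    }


def decode_access(mask):
    """Expand a GrantedAccess mask into the PROCESS_* right names it contains."""
    return [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]


def is_lsass_memory_access(event):
    """True when the target is lsass.exe and the handle can touch its memory."""
    if event is None:
        return False
    return (event["target"].lower().endswith("\\lsass.exe")
            and bool(event["granted"] & MEMORY_RIGHTS))


def triage(events_xml):
    """Run the check over a list of event XML strings and return the hits."""
    hits = []
    for xml_text in events_xml:
        event = parse_process_access(xml_text)
        if is_lsass_memory_access(event):
            hits.append({
                "time": event["time"],
                "source": event["source"],
                "source_pid": event["source_pid"],
                "granted": "0x{:x}".format(event["granted"]),
                "rights": decode_access(event["granted"]),
                "call_trace": event["call_trace"],
            })
    return hits


def _event(event_id, fields):
    """Build a constructed Sysmon record in the Windows event XML shape."""
    data = "".join('<Data Name="{}">{}</Data>'.format(k, v) for k, v in fields.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{}</EventID>'
            '</System><EventData>{}</EventData></Event>').format(event_id, data)


def _access(utc, src, src_pid, target, granted, trace):
    return _event(10, {"UtcTime": utc, "SourceProcessId": src_pid, "SourceImage": src,
                       "TargetProcessId": "612", "TargetImage": target,
                       "GrantedAccess": granted, "CallTrace": trace})


LSASS = r"C:\Windows\system32\lsass.exe"
TRACE = r"C:\Windows\SYSTEM32\ntdll.dll+4f4c4|UNKNOWN(00000000035E1A34)"  # constructed
SAMPLE_EVENTS = [
    # the reverse shell from the post reading LSASS memory (mimikatz-style mask)
    _access("2017-03-01 10:15:42.113", r"C:\Users\test\Desktop\lolm.exe", "3124",
            LSASS, "0x1010", TRACE),
    # a handle to lsass.exe carrying only QUERY_LIMITED_INFORMATION: not a memory read
    _access("2017-03-01 10:15:50.000", r"C:\Windows\system32\taskmgr.exe", "2208",
            LSASS, "0x1000", TRACE),
    # full access, but to a process other than lsass.exe
    _access("2017-03-01 10:16:01.500", r"C:\Windows\system32\svchost.exe", "880",
            r"C:\Windows\system32\notepad.exe", "0x1fffff", TRACE),
    # a ProcessCreate record (Event ID 1), ignored by the parser
    _event(1, {"UtcTime": "2017-03-01 10:16:05.000", "Image": r"C:\Windows\system32\cmd.exe"}),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("{time} {source} (pid {source_pid}) opened lsass.exe with {granted} "
              "{rights}\n  call trace: {call_trace}".format(**hit))
```

Only the lolm.exe record survives the triage: the taskmgr.exe record targets lsass.exe but its mask has no memory right, and the svchost.exe record has full access to a process that is not lsass.exe. Filtering on the rights in the mask rather than on the source image is what keeps the rule useful against tools other than mimikatz while cutting down the handles that merely enumerate the process.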
In the following articles we will see how to tune the Sysmon configuration to detect other attacks.