Challenge Day 1 – Dumping LSASS Memory

Like two years ago, there’s a new 5 Day challenge from CQURE Academy out.

In this challenge, you will have an opportunity to stand in the hacker’s shoes and try to bypass LSASS protection to dump lsass.exe memory!
You will have an opportunity to learn not only how to extract some information from LSA, but also, you will have to discover what protection has been used and how could it be bypassed. After successfully completing the challenge, think about how to be smarter and protect lsass.exe better.

I set up a fresh Win10 VM for this challenge.

Later I’ll use Mimikatz to solve this challenge, and because of that I’ll disable Windows Defender.

First let’s check if I can dump the lsass.exe process by default. I’ll use Process Explorer for that.

That is possible without any error. So let’s execute the CQChallenge1.exe file and reboot the machine.

After the machine is rebooted I’ll give it a new try:

As we can see, dumping the lsass.exe process is no longer possible.

On the Security tab in Process Explorer we can see a note: Protected: PsProtectedSignerLsa-Light

If we go to Strings, we also have no chance to read out the memory: <Error opening process>

According to the following Microsoft article, additional LSA protection for a single computer can be enabled in the registry.

RunAsPPL is set to 1.

We need to bypass this protection without doing a reboot of the machine. Let’s play with mimikatz.

lsadump::lsa /inject

This will fail, because the lsass.exe process is still protected.

Mimikatz has a module to remove the protection from a protected process. With the same module it’s possible to protect other processes.

!processprotect /process:lsass.exe /remove

Now let’s recheck that with Process Explorer: Protected: No

It’s again possible to read out the memory:

Challenge solved!
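A defender’s follow-up to the steps above, as an added example that is not code from the original post or from CQURE: a PowerShell audit that reads the RunAsPPL value from the Microsoft article, confirms via the Wininit startup event that lsass.exe really launched as a protected process at the last boot, and lists services installed since boot, because the removal shown above happens from kernel mode and leaves the registry value untouched. It assumes an elevated PowerShell session on Windows 10.

```powershell
# Added example (not from the original post): audit LSA protection on the local host.
# Assumes an elevated PowerShell session on Windows 10.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaProtectionStatus {
    # Configuration: the RunAsPPL value the post found set to 1.
    $runAsPpl = (Get-ItemProperty -Path $LsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    # Enforcement: at startup Wininit logs System event 12
    # ("LSASS.exe was started as a protected process with level: 4").
    # The setting only applies after a reboot, so only the current boot counts.
    $lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $ppEvent = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12; StartTime = $lastBoot
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    # Services (including kernel-mode drivers) installed since boot are logged by the
    # Service Control Manager as System event 7045. A fresh driver install on a host
    # whose lsass.exe is suddenly unprotected deserves a closer look.
    $newServices = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $lastBoot
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RunAsPPL                   = $runAsPpl
        ConfiguredAsPPL            = ($runAsPpl -eq 1)
        StartedAsPPL               = [bool]$ppEvent
        # Event 7045 properties: [0] service name, [1] image path, [2] service type
        ServicesInstalledSinceBoot = @($newServices | ForEach-Object {
            '{0} -> {1} ({2})' -f $_.Properties[0].Value, $_.Properties[1].Value, $_.Properties[2].Value
        })
    }
}

function Enable-LsaProtection {
    # Remediation: the registry setting from the Microsoft article referenced in the post.
    # Wininit reads it at boot, so a reboot is required before lsass.exe runs as PPL.
    Set-ItemProperty -Path $LsaKey -Name RunAsPPL -Value 1 -Type DWord
    Write-Warning 'RunAsPPL set to 1; lsass.exe will start as a protected process after the next reboot.'
}

$status = Get-LsaProtectionStatus
$status | Format-List
if (-not $status.ConfiguredAsPPL) { Enable-LsaProtection }
```

The registry value and the boot-time event only prove how lsass.exe started; whether it is still protected right now is what the Process Explorer Security tab in the post shows, so treat a configured-but-unprotected host together with a recent driver install as an incident, not a misconfiguration.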

Recap questions:

What is the lsass.exe process responsible for?

  1. * Verifying and storing users’ credentials
  2. * Writing to the Windows security log
  3. * Enforcing the security policy on the system
  4. * All above answers are correct

What can be found in the unprotected LSASS memory?

  1. * Nothing interesting
  2. * Encrypted, unreadable data
  3. * A lot of sensitive data, including hashes of user passwords
  4. * BIOS password

How to make LSASS running as a protected process?

  1. * Set the following in the registry: HKLM:\System\CurrentControlSet\Control\Lsa:RunAsPPL=1 (DWORD)
  2. * Enable LSA protection using Group Policy Preferences (to set the same registry key: HKLM:\System\CurrentControlSet\Control\Lsa:RunAsPPL=1 (DWORD))
  3. * It can be enabled in Windows Security Settings (GUI)
  4. * Answers A and B are correct

What is the purpose of Credential Guard (another mechanism which can be used to protect LSA)?

  1. * With Credential Guard enabled, secrets are stored in a virtualized and protected environment, which is isolated from the running operating system
  2. * With Credential Guard enabled it is impossible to run Mimikatz
  3. * With Credential Guard enabled, it is impossible to use stolen NTLM hashes to authenticate as other user
  4. * Credential Guard ensures that NTLM hashes will never be used
