{"id":584,"date":"2020-03-04T19:10:11","date_gmt":"2020-03-04T18:10:11","guid":{"rendered":"https:\/\/cybercop-training.ch\/?p=584"},"modified":"2020-03-04T19:10:11","modified_gmt":"2020-03-04T18:10:11","slug":"challenge-day-1-dumping-lsass-memory","status":"publish","type":"post","link":"https:\/\/cybercop-training.ch\/?p=584","title":{"rendered":"Challenge Day 1 &#8211; Dumping LSASS Memory"},"content":{"rendered":"<p>Like <a href=\"https:\/\/cybercop-training.ch\/?p=164\" target=\"_blank\" rel=\"noopener noreferrer\">two years ago<\/a>, there&#8217;s a new 5 Day challenge from <a href=\"https:\/\/cqureacademy.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">CQURE Academy<\/a> out.<\/p>\n<blockquote>\n<p style=\"text-align: justify;\">In this challenge, you will have an opportunity to stand in the hacker\u2019s shoes and try to bypass LSASS protection to dump lsass.exe memory!<br \/>\nYou will have an opportunity to learn not only how to extract some information from LSA, but also, you will have to discover what protection has been used and how it could be bypassed. 
After successfully completing the challenge, think about how to be smarter and protect lsass.exe better.<\/p>\n<\/blockquote>\n<p>I set up a fresh Win10 VM for this challenge.<\/p>\n<ul>\n<li><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/5dc2.0_day1_skill_instruction.pdf\">5dc2.0_day1_skill_instruction<\/a><\/li>\n<li><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/CQChallenge1.zip\">CQChallenge1<\/a><\/li>\n<\/ul>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-591\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/1.png\" alt=\"\" width=\"813\" height=\"314\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/1.png 813w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/1-300x116.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/1-768x297.png 768w\" sizes=\"auto, (max-width: 813px) 100vw, 813px\" \/><\/a><\/p>\n<p>Later I&#8217;ll use <a href=\"https:\/\/github.com\/gentilkiwi\/mimikatz\/releases\" target=\"_blank\" rel=\"noopener noreferrer\">mimikatz<\/a> to solve this challenge, and because of that I&#8217;ll disable Windows Defender.<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-594\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/2.png\" alt=\"\" width=\"963\" height=\"260\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/2.png 963w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/2-300x81.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/2-768x207.png 768w\" sizes=\"auto, (max-width: 963px) 100vw, 963px\" \/><\/a><\/p>\n<p>First let&#8217;s check if I can dump the lsass.exe process by default. 
I&#8217;ll use <a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/process-explorer\" target=\"_blank\" rel=\"noopener noreferrer\">process explorer<\/a> for that.<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-595\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/3.png\" alt=\"\" width=\"741\" height=\"345\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/3.png 741w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/3-300x140.png 300w\" sizes=\"auto, (max-width: 741px) 100vw, 741px\" \/><\/a><\/p>\n<p>That is possible without any error. So let&#8217;s execute the CQChallenge1.exe file and reboot the machine.<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-596\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/4.png\" alt=\"\" width=\"692\" height=\"269\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/4.png 692w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/4-300x117.png 300w\" sizes=\"auto, (max-width: 692px) 100vw, 692px\" \/><\/a><\/p>\n<p>After the machine is rebooted I&#8217;ll give it a new try:<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/5.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-597\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/5.png\" alt=\"\" width=\"599\" height=\"308\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/5.png 599w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/5-300x154.png 300w\" sizes=\"auto, (max-width: 599px) 100vw, 599px\" \/><\/a><\/p>\n<p>As we can see, dumping the lsass.exe process is no longer 
possible.<\/p>\n<p>On the Security tab in process explorer we can see a note: <strong>Protected: PsProtectedSignerLsa-Light<\/strong><\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/6.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-598\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/6.png\" alt=\"\" width=\"434\" height=\"299\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/6.png 434w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/6-300x207.png 300w\" sizes=\"auto, (max-width: 434px) 100vw, 434px\" \/><\/a><\/p>\n<p>If we go to the Strings tab, we also have no chance to read out the memory: <strong>&lt;Error opening process&gt;<\/strong><\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/7.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-599\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/7.png\" alt=\"\" width=\"436\" height=\"578\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/7.png 436w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/7-226x300.png 226w\" sizes=\"auto, (max-width: 436px) 100vw, 436px\" \/><\/a><\/p>\n<p>According to the following <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/security\/credentials-protection-and-management\/configuring-additional-lsa-protection\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft article<\/a>, additional LSA protection for a single computer can be enabled in the registry.<\/p>\n<p>RunAsPPL is set to 1.<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/8.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-601\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/8.png\" alt=\"\" width=\"709\" height=\"532\" 
srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/8.png 709w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/8-300x225.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/8-678x509.png 678w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/8-326x245.png 326w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/8-80x60.png 80w\" sizes=\"auto, (max-width: 709px) 100vw, 709px\" \/><\/a><\/p>\n<p>We need to bypass this protection without rebooting the machine. Let&#8217;s play with <a href=\"https:\/\/github.com\/gentilkiwi\/mimikatz\/releases\" target=\"_blank\" rel=\"noopener noreferrer\">mimikatz<\/a>.<\/p>\n<blockquote><p><strong>lsadump::lsa \/inject<\/strong><\/p><\/blockquote>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/9.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-602\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/9.png\" alt=\"\" width=\"658\" height=\"512\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/9.png 658w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/9-300x233.png 300w\" sizes=\"auto, (max-width: 658px) 100vw, 658px\" \/><\/a><\/p>\n<p>This will fail, because the lsass.exe process is still protected.<\/p>\n<p>Mimikatz has a module to remove the protection of a protected process. 
With the same module it&#8217;s possible to protect other processes.<\/p>\n<blockquote><p><strong>!processprotect \/process:lsass.exe \/remove<\/strong><\/p><\/blockquote>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/10.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-603\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/10.png\" alt=\"\" width=\"583\" height=\"186\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/10.png 583w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/10-300x96.png 300w\" sizes=\"auto, (max-width: 583px) 100vw, 583px\" \/><\/a><\/p>\n<p>Now let&#8217;s recheck that with process explorer: <strong>Protected: No<\/strong><\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/11.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-604\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/11.png\" alt=\"\" width=\"438\" height=\"389\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/11.png 438w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/11-300x266.png 300w\" sizes=\"auto, (max-width: 438px) 100vw, 438px\" \/><\/a><\/p>\n<p>It&#8217;s again possible to read out the memory:<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/12.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-605\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/12.png\" alt=\"\" width=\"438\" height=\"345\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/12.png 438w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/12-300x236.png 300w\" sizes=\"auto, (max-width: 438px) 100vw, 438px\" \/><\/a><\/p>\n<p>Challenge solved!<\/p>\n<p>Recap questions:<\/p>\n<blockquote><p>What is the lsass.exe process responsible 
for?<\/p><\/blockquote>\n<ol style=\"list-style-type: lower-alpha;\">\n<li>* Verifying and storing users&#8217; credentials<\/li>\n<li>* Writing to the Windows security log<\/li>\n<li>* Enforcing the security policy on the system<\/li>\n<li>* <strong>All of the above answers are correct<\/strong><\/li>\n<\/ol>\n<blockquote><p>What can be found in the unprotected LSASS memory?<\/p><\/blockquote>\n<ol style=\"list-style-type: lower-alpha;\">\n<li>* Nothing interesting<\/li>\n<li>* Encrypted, unreadable data<\/li>\n<li><strong>* A lot of sensitive data, including hashes of user passwords<\/strong><\/li>\n<li>* BIOS password<\/li>\n<\/ol>\n<blockquote><p>How to make LSASS run as a protected process?<\/p><\/blockquote>\n<ol style=\"list-style-type: lower-alpha;\">\n<li>* Set the following in the registry: HKLM:\\System\\CurrentControlSet\\Control\\Lsa:RunAsPPL=1 (DWORD)<\/li>\n<li>* Enable LSA protection using Group Policy Preferences (to set the same registry key: HKLM:\\System\\CurrentControlSet\\Control\\Lsa:RunAsPPL=1 (DWORD))<\/li>\n<li>* It can be enabled in Windows Security Settings (GUI)<\/li>\n<li><strong>* Answers A and B are correct<\/strong><\/li>\n<\/ol>\n<blockquote><p>What is the purpose of Credential Guard (another mechanism which can be used to protect LSA)?<\/p><\/blockquote>\n<ol style=\"list-style-type: lower-alpha;\">\n<li><strong>* With Credential Guard enabled, secrets are stored in a virtualized and protected environment, which is isolated from the running operating system<\/strong><\/li>\n<li>* With Credential Guard enabled it is impossible to run Mimikatz<\/li>\n<li>* With Credential Guard enabled, it is impossible to use stolen NTLM hashes to authenticate as another user<\/li>\n<li>* Credential Guard ensures that NTLM hashes will never be used<\/li>\n<\/ol>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/13.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-606\" 
src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/13.png\" alt=\"\" width=\"799\" height=\"229\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/13.png 799w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/13-300x86.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/13-768x220.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"mh-excerpt\"><p>Like two years ago, ther&#8217;s a new 5 Day challenge from CQURE Academy out. In this challenge, you will have an opportunity to stand in <a class=\"mh-excerpt-more\" href=\"https:\/\/cybercop-training.ch\/?p=584\" title=\"Challenge Day 1 &#8211; Dumping LSASS Memory\">[&#8230;]<\/a><\/p>\n<\/div>","protected":false},"author":2,"featured_media":587,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,10],"tags":[],"class_list":["post-584","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacking","category-windows-security"],"_links":{"self":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/584","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=584"}],"version-history":[{"count":7,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/584\/revisions"}],"predecessor-version":[{"id":608,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/584\/revisions\/608"}
],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/media\/587"}],"wp:attachment":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=584"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=584"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=584"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}