Bypass LSASS Dump protection with RAM Dump - Pentestmag


by João Paulo de Andrade Filho


There is nothing more frustrating than an antivirus blocking the execution of our tools and/or preventing certain actions from occurring, like spawning a shell, or blocking our attempts to dump the lsass process.

Modern protections such as EDR will surely block these types of attacks by hooking some APIs and/or monitoring software behaviour based on user actions. There are some bypasses that an operator can try (e.g. Hell's Gate), but instead of coding a complex piece of software, it is possible to try a simpler approach.

Here I show a tool that I have been using when the LSASS dump fails or gets blocked: Magnet RAM Capture (there is no need to install it).

Magnet RAM Capture is a forensic tool for dumping volatile memory. It dumps ALL of the memory to a file; afterwards it is possible to extract the contents of this dump, such as registry hives, passwords, processes, Windows info and so on.

The tool outputs a raw file. To analyse it I have been using volatility3; version 2 also works, but there are some Windows builds I could not make it work with, so I stick with version 3.


To use it, just execute it and click START. This tool is not considered malicious because it is a trusted tool used in legitimate forensic activities.


In this demonstration, I am using a fully updated Windows 10 with Kaspersky Endpoint Protection fully active and an industry EDR with all of its modules activated.

Inspecting Windows info

python3 vol.py -f /home/kali/Documents/memory_analysis.raw windows.info

Grabbing the hashes with volatility

python3 vol.py -f /home/kali/Documents/memory_analysis.raw windows.hashdump


Volatility offers a lot of options to analyse the dump:

  • Grab processes
  • Network Connections
  • Cache Dump (Domain Credentials)
  • Dump Processes

I recommend reading the documentation and choosing the options that fit your needs during the engagement.

Drawbacks

The only drawback of this tool is the size of the raw file: it matches the size of the RAM, so if the computer has 32 GB of RAM, the dump file will be 32 GB in size. It can be really difficult to download the file or put it somewhere to analyse it, but it all depends on the case and situation.
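The two facts above are exactly what a defender can hang a detection on: the capture tool is not malicious in itself, so the signal is context (who ran an acquisition tool, and where) and behaviour (a file roughly the size of physical RAM appearing on a workstation). The following is an added example written for this page, not code from the article, from Magnet Forensics or from the Volatility project. It runs over constructed process-creation and file-creation records; the executable names in the allow-list, the account names, the hostnames and the 5% size tolerance are all assumptions, not real product signatures. It generalises slightly beyond the article by treating any memory-acquisition tool the same way.

```python
"""Behavioural detection of full physical-memory captures (constructed example).

Inputs are simplified process-creation and file-creation events of the kind an
EDR or Sysmon-style sensor produces, plus each host's installed RAM. Two rules:
  1. an acquisition tool executed by an account that is not an authorised
     incident-response account;
  2. a newly written file whose size is within a tolerance of physical RAM,
     unless it was written by an authorised tool run by an authorised account.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

GIB = 1024 ** 3

# Assumed image names for acquisition tools the organisation uses; these are
# placeholders, not the vendors' actual executable names.
KNOWN_ACQUISITION_TOOLS: Dict[str, str] = {
    "magnetramcapture.exe": "Magnet RAM Capture",
    "winpmem.exe": "WinPmem",
}

# Assumed accounts allowed to acquire memory (constructed).
AUTHORISED_ACCOUNTS = {"CORP\\ir-analyst"}


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str  # lowercase base name of the executable
    pid: int


@dataclass
class FileEvent:
    host: str
    pid: int  # process that wrote the file
    path: str
    size_bytes: int


@dataclass
class HostInfo:
    host: str
    physical_ram_bytes: int


Alert = Tuple[str, str, str]  # (host, rule, detail)


def looks_like_ram_image(size_bytes: int, ram_bytes: int, tolerance: float = 0.05) -> bool:
    """A raw capture is essentially the size of physical memory (the article's
    'drawback'), so a file within `tolerance` of RAM size is a candidate image."""
    if ram_bytes <= 0:
        return False
    return abs(size_bytes - ram_bytes) / ram_bytes <= tolerance


def detect(procs: Iterable[ProcessEvent], files: Iterable[FileEvent],
           hosts: Iterable[HostInfo]) -> List[Alert]:
    procs = list(procs)
    ram = {h.host: h.physical_ram_bytes for h in hosts}
    by_pid: Dict[Tuple[str, int], ProcessEvent] = {(p.host, p.pid): p for p in procs}
    alerts: List[Alert] = []

    # Rule 1: acquisition tool run outside the authorised IR accounts.
    for p in procs:
        tool = KNOWN_ACQUISITION_TOOLS.get(p.image)
        if tool and p.user not in AUTHORISED_ACCOUNTS:
            alerts.append((p.host, "acquisition-tool-unauthorised",
                           f"{tool} run by {p.user} (pid {p.pid})"))

    # Rule 2: RAM-sized file written by anything other than a sanctioned capture.
    for f in files:
        if not looks_like_ram_image(f.size_bytes, ram.get(f.host, 0)):
            continue
        writer: Optional[ProcessEvent] = by_pid.get((f.host, f.pid))
        if writer and writer.image in KNOWN_ACQUISITION_TOOLS \
                and writer.user in AUTHORISED_ACCOUNTS:
            continue  # sanctioned acquisition on this host; no alert
        who = writer.image if writer else "unknown"
        alerts.append((f.host, "ram-sized-file-written",
                       f"{f.path} ({f.size_bytes // GIB} GiB) by {who} (pid {f.pid})"))
    return alerts


# Constructed sample telemetry: a 32 GiB workstation where a normal user runs
# the capture tool, and a 64 GiB IR lab host where an analyst does the same.
SAMPLE_HOSTS = [HostInfo("WS-042", 32 * GIB), HostInfo("IR-LAB-01", 64 * GIB)]
SAMPLE_PROCS = [
    ProcessEvent("WS-042", "CORP\\jsmith", "magnetramcapture.exe", 4412),
    ProcessEvent("IR-LAB-01", "CORP\\ir-analyst", "magnetramcapture.exe", 901),
    ProcessEvent("WS-042", "CORP\\jsmith", "outlook.exe", 1234),
]
SAMPLE_FILES = [
    # Slightly under 32 GiB: captures usually skip a few reserved ranges.
    FileEvent("WS-042", 4412, "C:\\Users\\jsmith\\Downloads\\memory_analysis.raw",
              32 * GIB - 48 * 1024 * 1024),
    FileEvent("IR-LAB-01", 901, "E:\\cases\\0001\\mem.raw", 64 * GIB),
    FileEvent("WS-042", 1234, "C:\\Users\\jsmith\\Documents\\mail.pst", 3 * GIB),
]


def run_sample() -> List[Alert]:
    """Run both rules over the constructed telemetry."""
    return detect(SAMPLE_PROCS, SAMPLE_FILES, SAMPLE_HOSTS)


if __name__ == "__main__":
    for host, rule, detail in run_sample():
        print(f"[{host}] {rule}: {detail}")
```

On the sample data only the workstation produces alerts (one per rule); the lab host's capture is suppressed because both the tool and the account are on the allow-lists. The size rule is the more robust of the two in practice, since it does not depend on knowing the executable name in advance.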

My website: https://www.untrustaland.com/blog/lsass-dump-bypass/


Originally published at: https://www.linkedin.com/pulse/bypass-lsass-dump-protection-ram-jo%C3%A3o-paulo-de-andrade-filho/

September 26, 2022

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013