Detecting and preventing LSASS credential dumping attacks

Microsoft Security Blog, October 5, 2022 (last updated May 2, 2024). https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/

Obtaining user operating system (OS) credentials from a targeted device is among threat actors’ primary goals when launching attacks because these credentials serve as a gateway to various objectives they can achieve in their target organization’s environment, such as lateral movement. One technique attackers use is targeting credentials in the Windows Local Security Authority Subsystem Service (LSASS) process memory because it can store not only a current user’s OS credentials but also a domain admin’s.

LSASS credential dumping was first observed in the tactics, techniques, and procedures (TTPs) of several sophisticated threat activity groups—including actors that Microsoft tracks as HAFNIUM and GALLIUM—and has become prevalent even in the cybercrime space, especially with the rise of the ransomware as a service gig economy. Detecting and stopping OS credential theft is therefore important because it can spell the difference between compromising or encrypting one device versus an entire network. Security solutions must provide specific measures and capabilities to help harden the LSASS process—for example, Microsoft Defender for Endpoint has advanced detections and a dedicated attack surface reduction (ASR) rule to block credential stealing from LSASS.

In May 2022, Microsoft participated in an evaluation conducted by the independent testing organization AV-Comparatives specifically on detecting and blocking the LSASS credential dumping technique. The test, which evaluated several endpoint protection platform (EPP) and endpoint detection and response (EDR) vendors, is the first time AV-Comparatives focused on a single attack technique, and we’re happy to report that Defender for Endpoint passed all 15 test cases used to dump user OS credentials from the LSASS process, achieving 100% detection and prevention scores. Notably, we also passed all test cases with only Defender for Endpoint’s default settings configured, that is, with the LSASS ASR rule and Protected Process Light (PPL) turned off, to validate the durability of our antivirus protection on its own. Such results demonstrate our continued commitment to provide organizations with industry-leading defense.

In this blog, we share examples of various threat actors that we’ve recently observed using the LSASS credential dumping technique. We also provide details on the testing methodology used by AV-Comparatives, which they also shared in their blog and detailed report. Finally, we offer additional recommendations to further harden systems and prevent attackers from taking advantage of possible misconfigurations should credential dumping fail.

LSASS credential dumping: What we see in the wild

Dumping LSASS credentials is important for attackers because if they successfully dump domain passwords, they can, for example, then use legitimate tools such as PsExec or Windows Management Instrumentation (WMI) to move laterally across the network. They can also use techniques like pass-the-hash for lateral movement if they manage to obtain the password hashes.

Microsoft researchers are constantly monitoring the threat landscape, including the different ways threat actors attempt to steal user credentials. The table below is a snapshot of the most popular credential theft techniques these actors used from March to August 2022, based on our threat data:

| Living-off-the-land binary (LOLBin) or hacking tool | Threat actor that frequently uses this (not exhaustive) |
| --- | --- |
| Comsvcs.dll (and its “MiniDump” export) loaded by rundll32.exe | DEV-0270 (now tracked as Storm-0270*) |
| Mimikatz (and its modified variants) | DEV-0674 (now tracked as Seashell Blizzard*) |
| Procdump.exe (with the -ma command line option) | Multiple threat actors |
| Taskmgr.exe | DEV-0300 (now tracked as Storm-0300*) |

*In April 2023, Microsoft Threat Intelligence shifted to a new threat actor naming taxonomy aligned around the theme of weather. To learn how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.

The first column shows the technique attackers most frequently used in their attempts to dump credentials from LSASS, while the second column shows which threat actor uses this technique most frequently. Based on the incidents we tracked from March to August 2022, credential theft attacks using LOLBins such as comsvcs.dll, procdump.exe, or taskmgr.exe are still popular. These LOLBins are legitimate, digitally signed binaries that are either already present on the target device or are downloaded onto the system for the attacker to misuse for malicious activities.

Microsoft Defender Antivirus prevents the execution of these command lines through its synchronous command line-blocking capabilities.
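As an added example (not code from the Microsoft post), the following PowerShell function applies command-line heuristics for the two LOLBin patterns in the table that leave a distinctive command line, and runs them over a set of constructed process-creation events. The event field names and sample events are assumptions; the Taskmgr.exe and Mimikatz rows are left out because a Task Manager dump produces no command line and modified Mimikatz builds need file or memory telemetry rather than command-line matching.

```powershell
# Added example (not from the Microsoft post): flag process-creation events whose
# command line matches the LSASS-dumping LOLBin patterns named in the table above.
# Field names and sample events are constructed; adapt them to your telemetry source
# (for example Sysmon Event ID 1 or Security 4688 with command-line auditing enabled).

function Test-LsassDumpCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)

    $cl = $CommandLine.ToLowerInvariant()

    # comsvcs.dll MiniDump export invoked through rundll32
    if ($cl -match 'rundll32' -and $cl -match 'comsvcs\.dll' -and $cl -match 'minidump') {
        return 'comsvcs.dll MiniDump via rundll32'
    }
    # procdump full memory dump (-ma) whose target is named lsass
    if ($cl -match 'procdump' -and $cl -match '(^|\s)-ma(\s|$)' -and $cl -match 'lsass') {
        return 'procdump -ma against lsass'
    }
    # Caveat: a dump that refers to the target only by PID is not caught by name matching.
    # Process-access telemetry (a handle opened to lsass.exe) is the more robust signal.
    return $null
}

# Constructed sample events: two benign, two dumping attempts.
$events = @(
    [pscustomobject]@{ Time = '2022-08-01T10:01:00'; User = 'CONTOSO\svc-build'; CommandLine = 'procdump.exe -ma 4120 C:\dumps\app.dmp' },
    [pscustomobject]@{ Time = '2022-08-01T10:02:00'; User = 'CONTOSO\jdoe';      CommandLine = 'rundll32.exe shell32.dll,Control_RunDLL desk.cpl' },
    [pscustomobject]@{ Time = '2022-08-01T10:03:00'; User = 'CONTOSO\jdoe';      CommandLine = 'rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Users\Public\x.dmp full' },
    [pscustomobject]@{ Time = '2022-08-01T10:04:00'; User = 'CONTOSO\jdoe';      CommandLine = 'procdump.exe -accepteula -ma lsass.exe C:\Users\Public\l.dmp' }
)

$hits = foreach ($e in $events) {
    $reason = Test-LsassDumpCommandLine -CommandLine $e.CommandLine
    if ($reason) {
        [pscustomobject]@{ Time = $e.Time; User = $e.User; Technique = $reason; CommandLine = $e.CommandLine }
    }
}

# Only the 10:03 and 10:04 events are reported; the benign procdump and rundll32 lines pass.
$hits | Format-Table -AutoSize
```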

AV-Comparatives test

To evaluate EPP and EDR capabilities against the LSASS credential dumping technique, AV-Comparatives ran 15 different test cases to dump credentials from the LSASS process using both publicly available hacking tools like Mimikatz (which the tester modified to bypass antivirus signatures) and privately developed ones. These test cases were as follows:

| Test case | LSASS attack method |
| --- | --- |
| 01 | Mimikatz with process herpaderping |
| 02 | Native APIs DLL |
| 03 | Silent process exit |
| 04 | Alternative API snapshot function |
| 05 | MalSecLogon |
| 06 | Dump LSASS |
| 07 | Duplicate dump |
| 08 | PowerShell Mimikatz |
| 09 | Invoke Mimikatz (PoshC2) |
| 10 | SafetyDump |
| 11 | RunPE snapshot (PoshC2) |
| 12 | Unhook (Metasploit framework) |
| 13 | Reflective DLL (Metasploit framework) |
| 14 | Invoke Mimikatz (PowerShell Empire) |
| 15 | Invoke-PPL dump (PowerShell Empire) |

Each test case implemented a complete approach to dumping credentials from LSASS. After the evaluation, AV-Comparatives shared the logs and a detailed description of the test cases. Microsoft participated using Defender for Endpoint, both its antivirus and EDR capabilities, with only the default settings configured.

During the initial run, Defender for Endpoint prevented 11 out of 15 test cases and alerted on or detected three of the remaining ones (Figure 1). We then made improvements in our protection and detection capabilities and asked AV-Comparatives to re-test the missed test cases. During the re-test, we prevented all the remaining four test cases, achieving a 15 out of 15 prevention score.

Figure 1. Table showing how Defender for Endpoint prevented or detected the test cases in the first run of the AV-Comparatives test. The antivirus module missed test cases 01, 03, 09, and 10. We added improvements to the product based on these findings, allowing Defender for Endpoint to achieve a 100% prevention score on re-test. (Source: AV-Comparatives)

We’d like to thank AV-Comparatives for this thorough test, which led us to improve our protection and detection capabilities in Defender for Endpoint. These improvements have already been rolled out to benefit our customers, and we’re looking forward to the next similar test. We aim to provide industry-leading, cross-domain defense, so it’s important for us to participate in tests like AV-Comparatives and MITRE Engenuity ATT&CK Evaluations because they help us ensure that we’re delivering solutions that empower organizations to defend their environments.

Securing the LSASS process with coordinated threat defense and system hardening

The continuous evolution of the threat landscape has seen attacks leveraging OS credential theft, and threat actors will continue to find new ways to dump LSASS credentials in their attempts to evade detection. Microsoft’s industry-leading defense capabilities in Microsoft Defender for Endpoint are able to detect such attempts. We’ve also introduced new security features in Windows 11 to harden the operating system, such as enabling PPL for the LSASS process and Credential Guard by default. However, evaluations like this AV-Comparatives test go hand in hand with threat monitoring and research because they give security vendors additional insights and opportunities to continuously improve their capabilities.

Our teams performed an in-house test of all these test cases with the LSASS ASR rule enabled to check the protection level of that rule. We’re happy to report that the ASR rule alone successfully prevented all the tested techniques. The LSASS ASR rule is a generic yet effective protection our customers can implement to stop currently known user-mode LSASS credential dumping attacks. Defender customers should therefore enable this ASR rule—along with tamper protection—as an added protection layer for the LSASS process.

On top of the various dumping techniques, we’ve also observed threat actors attempt to weaken device settings in case they can’t dump credentials. For example, they attempt to enable “UseLogonCredential” in the WDigest registry key, which makes LSASS keep plaintext passwords in memory. Microsoft Defender Antivirus detects such techniques, too, as Behavior:Win32/WDigestNegMod.B.
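As an added example (not code from the Microsoft post), a read-only PowerShell audit of the controls this section discusses: the WDigest UseLogonCredential value, LSASS running as PPL, the action configured for the LSASS ASR rule, Credential Guard, and tamper protection. The registry paths and the ASR rule GUID are the ones Microsoft documents for these settings; the output field names are assumptions.

```powershell
# Added example (not from the Microsoft post): read-only audit of the LSASS hardening
# controls discussed in this section. Registry paths are the documented locations of
# WDigest UseLogonCredential and LSASS RunAsPPL; the GUID is the documented id of the
# Defender ASR rule "Block credential stealing from the Windows local security authority
# subsystem". Run from an elevated PowerShell session on the device being audited.

function Get-LsassHardeningState {
    $wdigest = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue
    $lsa     = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue

    # UseLogonCredential = 1 makes WDigest keep plaintext passwords in LSASS memory; absent or 0 is the safe state.
    $plaintextEnabled = ($null -ne $wdigest.UseLogonCredential) -and ($wdigest.UseLogonCredential -eq 1)

    # RunAsPPL = 1 (UEFI-locked) or 2 (not locked) runs LSASS as a Protected Process Light.
    $pplEnabled = ($null -ne $lsa.RunAsPPL) -and ($lsa.RunAsPPL -ge 1)

    # Defender ASR rule ids and actions are parallel arrays; action 1 = Block, 2 = Audit, 6 = Warn.
    $lsassAsrRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    $asrAction = 'Not configured'
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($pref -and $pref.AttackSurfaceReductionRules_Ids) {
        $ids = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
        $idx = [array]::IndexOf($ids, $lsassAsrRule)
        if ($idx -ge 0) {
            $asrAction = switch ($pref.AttackSurfaceReductionRules_Actions[$idx]) {
                1       { 'Block' }
                2       { 'Audit' }
                6       { 'Warn' }
                default { 'Disabled' }
            }
        }
    }

    # Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $credGuardRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $tamper = if ($status) { $status.IsTamperProtected } else { $null }

    # Desired state: False, True, Block, True, True
    [pscustomobject]@{
        WDigestPlaintextEnabled = $plaintextEnabled
        LsassRunAsPPL           = $pplEnabled
        LsassAsrRuleAction      = $asrAction
        CredentialGuardRunning  = $credGuardRunning
        TamperProtection        = $tamper
    }
}

Get-LsassHardeningState | Format-List
```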

Windows administrators can also perform the following to further harden the LSASS process on their devices: