Hidden Gems in Windows: The Hunt is On
Let’s dive in. While doing some research regarding Kerberos, I stumbled upon a very interesting article: https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
In short, the author had discovered a native Windows DLL, comsvcs.dll, that exports a function called MiniDumpW. Because of this, it’s possible to invoke this function with rundll32.exe to create a MiniDump of any process, including LSASS. So, why is this important? Let’s break down what all of this means.
DLL stands for Dynamic Link Library and is a file containing a library of functions and other information that can be accessed by a Windows process. In some cases, a user might need the ability to run a specific function located in a DLL, and that is where rundll32.exe is used.
A MiniDump is a type of memory dump file that Windows creates in the event of a crash. This file contains a wealth of information about the process at the time of the crash. This is useful for developers and system administrators as they can identify where and how the crash occurred and take appropriate actions to prevent a crash in the future.
It’s also possible to create a MiniDump on demand using a number of different methods. This is traditionally done using a Microsoft-signed binary from SysInternals called ProcDump.exe, which can capture a dump when something abnormal happens during execution, say a large CPU spike, so that the root cause can be determined. A dump can also be created programmatically with the MiniDumpWriteDump function, and the default Task Manager can dump a process from its context menu. What makes this comsvcs.dll technique convenient is that a dump can be created directly from the command line, without needing to click on GUI controls.
LSASS is a process in Windows that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. After a user logs on to a system, a variety of credentials are generated and stored in the LSASS process in memory.
If you have the proper access rights, you can create a MiniDump of lsass.exe and parse this dump for credentials. Popular tools such as Mimikatz (a leading post-exploitation tool) can read credentials out of the running LSASS process directly, and Mimikatz also has an offline mode that lets a user load an LSASS MiniDump and have it parsed.
As the author states in the article, you will need administrative privileges and debug privileges to create a MiniDump of lsass.exe. The command used to run this attack is very simple:
Rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump [process ID of lsass.exe] dump.bin full
First, call rundll32 on comsvcs.dll, then name the MiniDump export, the process ID of the process to dump, an output file name, and finally the keyword “full”. The last parameter, “full”, is required even though no other value is accepted.
JennaMagius and I then looked into some ways to spawn a process that has both administrative and debug privileges. Creating a process with administrative privileges is as simple as running the command from an elevated command prompt, but the challenge was finding a way to ensure that we had debug privileges as well.
We found that PowerShell has debug privileges enabled by default. The following can be run from an elevated command prompt to create a MiniDump of LSASS:
Powershell -c rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump [process ID of lsass.exe] dump.bin full
We also found that an administrative user can use the Windows Service Control to create a service that runs our command, assign debug privileges to that service, and then run it. The following commands can be run from an elevated command prompt to create a MiniDump of LSASS:
- sc create test binpath= "rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump [process ID of lsass.exe] dump.bin full"
- sc privs test SeDebugPrivilege
- sc start test
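From the defender’s side, all three invocation paths above (the direct rundll32 call, the PowerShell -c wrapper, and the service staged with sc and granted SeDebugPrivilege) share the same rigid argument shape, which makes them easy to spot in process-creation telemetry. The following is an added example, not code from the original post or from Koadic: it scans constructed Sysmon-style process-creation records (field names ProcessId, Image and CommandLine are assumed to mirror Sysmon Event ID 1) and resolves the dumped PID against a constructed PID-to-image table so that a dump aimed at lsass.exe is rated higher than a dump of any other process.

```python
"""Detect the comsvcs.dll MiniDump technique in process-creation telemetry.

Added example, not code from the original post or from Koadic. The events
below are constructed records shaped like Sysmon Event ID 1 (fields
ProcessId, Image, CommandLine); PROCESS_TABLE is a constructed stand-in for
the PID-to-image lookup a sensor would perform at event time.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed PID -> image map; the PIDs are made up for this example.
PROCESS_TABLE = {624: "lsass.exe", 4012: "notepad.exe"}

# "comsvcs.dll, MiniDump <pid> <outfile> full": the argument shape the post
# describes. Case-insensitive and tolerant of spacing around the comma, so it
# also matches when the command is wrapped in PowerShell -c or quoted inside
# an sc.exe binpath.
MINIDUMP_RE = re.compile(
    r"comsvcs\.dll\s*,\s*minidump\s+(?P<pid>\d+)\s+(?P<out>\S+)\s+full",
    re.IGNORECASE,
)
# "sc privs <svc> SeDebugPrivilege": a service being granted debug rights.
SC_PRIVS_RE = re.compile(r"\bprivs\s+(?P<svc>\S+)\s+.*\bSeDebugPrivilege\b", re.IGNORECASE)
# "sc create <svc> binpath= ...": the command is staged as a service binary.
SC_CREATE_RE = re.compile(r"\bcreate\s+(?P<svc>\S+)\s+.*\bbinpath=", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    source_pid: int
    severity: str
    via: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of an image path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event: dict) -> list[Finding]:
    """Return findings for one process-creation event (empty list if benign)."""
    findings: list[Finding] = []
    image = _basename(event["Image"])
    cmd = event["CommandLine"]

    m = MINIDUMP_RE.search(cmd)
    if m:
        target_pid = int(m.group("pid"))
        target_image = PROCESS_TABLE.get(target_pid, "<unknown>")
        # Any comsvcs MiniDump is worth a look; one aimed at LSASS is the
        # credential-theft case and gets the top severity.
        severity = "high" if target_image == "lsass.exe" else "medium"
        create = SC_CREATE_RE.search(cmd) if image == "sc.exe" else None
        via = f"service '{create.group('svc')}' binpath" if create else image
        findings.append(Finding(
            rule="comsvcs_minidump",
            source_pid=event["ProcessId"],
            severity=severity,
            via=via,
            detail=f"MiniDump of pid {target_pid} ({target_image}) to {m.group('out')}",
        ))

    if image == "sc.exe":
        p = SC_PRIVS_RE.search(cmd)
        if p:
            findings.append(Finding(
                rule="service_granted_sedebugprivilege",
                source_pid=event["ProcessId"],
                severity="medium",
                via=image,
                detail=f"service '{p.group('svc')}' granted SeDebugPrivilege",
            ))
    return findings


def scan(events: list[dict]) -> list[Finding]:
    """Run analyze_event over a list of events and flatten the results."""
    return [f for e in events for f in analyze_event(e)]


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"ProcessId": 5120, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 dump.bin full"},
    {"ProcessId": 5130, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"Powershell -c rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 dump.bin full"},
    {"ProcessId": 5140, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc create test binpath= "rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 dump.bin full"'},
    {"ProcessId": 5141, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc privs test SeDebugPrivilege"},
    {"ProcessId": 5150, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},  # benign
    {"ProcessId": 5160, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 4012 dump.bin full"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule} pid={f.source_pid} via={f.via}: {f.detail}")
```

The pattern is deliberately narrow because the argument list is rigid: the post notes that the trailing “full” keyword is mandatory, so a rule keyed on “comsvcs.dll, MiniDump <pid> <file> full” has little room for false positives. In a real pipeline the service-based variant would also be correlated across the create, privs and start events by service name, which the per-event checks here only hint at.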
From my reading, this attack is possible using VBScript and Windows Script Host. This is fantastic news because this means that we can implement a solution in Koadic with JScript!
In order to add debug privileges, we needed to modify the process creation function in the Koadic standard library to accept a flag and then add the DEBUG statement.
And now, we can create a process with our command to give it the correct privileges. Once the process has finished, we can upload the MiniDump file to the Koadic server for processing. Instead of using Mimikatz, we use a project called pypykatz, which uses a Python solution to mimic the offline functionality of Mimikatz. This allows us to extract the information from the LSASS dump directly on the Linux system hosting the Koadic server.
A traditional way of extracting LSASS secrets is to inject code directly into the process. This technique is used by Mimikatz and has been detected by antivirus vendors at an increasing rate in recent years. Process memory dumping techniques, such as this comsvcs.dll technique, are alternatives to injection that continue to be effective. There are many areas of the Windows ecosystem where hidden gems like this may be found.
Follow @RiskSense to learn about our security research and other tips on post-exploitation tools to identify security vulnerabilities.