Atomic Red Team — DumpLSASS

`sysmon` EventCode=10 TargetImage=*lsass.exe GrantedAccess IN ("0x01000", "0x1010", "0x1038", "0x40", "0x1400", "0x1fffff", "0x1410", "0x143a", "0x1438", "0x1000") CallTrace IN ("*dbgcore.dll*", "*dbghelp.dll*", "*ntdll.dll*")

(Note that "0x01000" and "0x1000" are the same mask; Sysmon writes GrantedAccess without leading zeros, so only the second form matches as a string.)

Access rights:
  • AllAccess
  • QueryLimitedInformation
  • QueryInformation
  • VirtualMemoryRead
  • QueryLimitedInformation, VirtualMemoryRead
  • QueryInformation, VirtualMemoryRead

Dump techniques:
  • Dbghelp!MiniDumpWriteDump
  • Dbgcore!MiniDumpWriteDump
  • Kernel32!ReadProcessMemory
  • api-ms-win-core-memory-l1-1-0!ReadProcessMemory
  • Kernelbase!ReadProcessMemory
  • Kernel32!CreateToolhelp32Snapshot
  • DuplicateHandle
  • Ntdll!NtReadVirtualMemory

Simulate

If you have never used ATH (AtomicTestHarnesses), it's pretty easy to get going by following the wiki, or:

Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
Import-Module C:\Users\Test\Desktop\AtomicTestHarnesses\AtomicTestHarnesses.psd1

Validate

Current query:

`sysmon` EventCode=10 TargetImage=*lsass.exe GrantedAccess IN ("0x01000", "0x1010", "0x1038", "0x40", "0x1400", "0x1fffff", "0x1410", "0x143a", "0x1438", "0x1000") CallTrace IN ("*dbgcore.dll*", "*dbghelp.dll*", "*ntdll.dll*")
  • 5000+ events over 7 days
  • SourceUser varies widely
  • GrantedAccess values vary widely
  • SourceImage is mostly regular software
  • High false-positive rate

Tuning

We already simulated with the harness above; now let's drill into the data to see what we can find, while identifying new additions to the query.

Happy Hunting :-)

I’ll leave us here today and next time we will dive into Invoke-ATHLogonUser

Michael Haag