Listen to this Post
Introduction:
The Local Security Authority Subsystem Service (LSASS) is the crown jewel for attackers on a Windows endpoint, housing sensitive credentials like NTLM hashes and Kerberos tickets. Dumping LSASS memory is a primary technique in credential access attacks, enabling lateral movement and privilege escalation. This guide provides a comprehensive, hands-on approach to simulating these attacks and building robust detection capabilities using Sysmon and Splunk, transforming your SIEM from a data repository into a proactive hunting platform.
Learning Objectives:
- Understand the mechanics of LSASS dumping and common attack tools.
- Configure and deploy Sysmon with a tailored configuration for optimal visibility.
- Build and operationalize high-fidelity Splunk searches and alerts for LSASS dump detection.
You Should Know:
1. The Anatomy of an LSASS Dump Attack
LSASS dump attacks involve accessing the memory space of the `lsass.exe` process to extract its contents. This can be achieved through various methods, including using built-in Windows tools leveraged maliciously or dedicated offensive security utilities.
Verified Commands & Tools:
`comsvcs.dll` (Native Windows): `rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump
Sysinternals ProcDump (Dual-Use): `procdump.exe -ma lsass.exe C:\temp\lsass.dmp`
Task Manager (GUI): Right-click `lsass.exe` -> “Create dump file”
Mimikatz: `sekurlsa::minidump lsass.dmp` followed by `sekurlsa::logonPasswords`
Windows Error Reporting (WER): Leveraged via PPL bypass.
Step-by-Step Guide:
This simulation is for a controlled, authorized lab environment.
1. Identify the LSASS PID: Open an administrative command prompt and run tasklist | findstr lsass. Note the Process ID (PID).
2. Execute the Dump: Using the `comsvcs.dll` method, replace `rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 724 C:\temp\lsass.dmp full. This creates a full memory dump file.
3. Verify the Dump: Confirm the file `lsass.dmp` is created in C:\temp.
2. Deploying Sysmon for Ultimate Visibility
Sysmon (System Monitor) is a Windows system service that provides detailed logging of process creations, network connections, and file creation. A properly configured Sysmon is critical for detecting subtle malicious activity.
Verified Configuration (SwiftOnSecurity Snippet):
<!-- Sysmon Config - Process Creation Tracking --> <ProcessCreate onmatch="include"> <CommandLine condition="contains">lsass</CommandLine> <CommandLine condition="contains">comsvcs.dll</CommandLine> <CommandLine condition="contains">procdump</CommandLine> <CommandLine condition="contains">Mimikatz</CommandLine> <ParentImage condition="end with">powershell.exe</ParentImage> <ParentImage condition="end with">cmd.exe</ParentImage> </ProcessCreate> <!-- Sysmon Config - File Creation (Dump File) --> <FileCreate onmatch="include"> <TargetFilename condition="contains">lsass.dmp</TargetFilename> <TargetFilename condition="end with">.dmp</TargetFilename> </FileCreate>
Step-by-Step Guide:
- Download Sysmon: Download Sysmon from the official Microsoft Sysinternals page.
- Obtain a Config: Use a reputable configuration like the one from SwiftOnSecurity or Olaf Hartong.
- Install: Install Sysmon from an elevated command prompt:
Sysmon.exe -i -accepteula -h sha256 -n -l. - Install with Config: Apply your custom configuration:
Sysmon.exe -c your-config.xml. -
Building the Splunk Use Case: Process Creation Alerts
The first line of defense is detecting the execution of tools known to dump LSASS.
Verified Splunk SPL Query:
index=windows (EventCode=1) (CommandLine="lsass" OR CommandLine="comsvcs.dll" OR CommandLine="procdump" OR CommandLine="Mimikatz" OR CommandLine="dump") | table _time, host, User, CommandLine, ParentCommandLine
Step-by-Step Guide:
- Ingest Data: Ensure your Splunk Universal Forwarder is sending Windows Security and Sysmon logs (EventCode 1 for process creation) to your Splunk index.
- Create the Search: In Splunk’s search bar, paste the SPL query above.
- Test: Run the search after performing your simulation. You should see an event corresponding to the `rundll32` or `procdump` command.
- Create an Alert: Click “Save As” -> “Alert”. Set it to run on a schedule (e.g., every 5 minutes) and trigger when the number of results is greater than 0. Configure actions like email or a webhook to your SOAR platform.
4. Advanced Detection with File Access Telemetry
Modern attacks use techniques to avoid process creation logs. Monitoring for direct access to the LSASS process is a more robust detection method.
Verified Splunk SPL Query (Sysmon Event 10):
index=windows EventCode=10 TargetImage="\lsass.exe" | search CallTrace="dbgcore.dll" OR CallTrace="dbghelp.dll" OR CallTrace="comsvcs.dll" | table _time, host, SourceImage, TargetImage, CallTrace, GrantedAccess
Step-by-Step Guide:
- Verify Sysmon Logging: This requires Sysmon with a configuration that logs Event ID 10 (Process Access). Ensure your config has a rule for this.
- Understand GrantedAccess: The `GrantedAccess` field is a hexadecimal code representing the access rights requested. `0x1010` is a common indicator for a dump request (
VM_READ|PROCESS_QUERY_INFORMATION). - Refine the Query: Add `GrantedAccess=0x1010` to your SPL query to reduce false positives.
- Alerting: Create an alert from this search, as it indicates a process is attempting to read LSASS memory, which is highly suspicious for any process other than legitimate security tools.
5. Hardening Defenses with Attack Surface Reduction (ASR)
Prevention is the most effective form of defense. Microsoft’s Attack Surface Reduction rules can block LSASS dumping outright.
Verified Windows Command/PowerShell:
Check ASR Rule Status Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions Enable the "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" rule via GPO or Intune Rule GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Step-by-Step Guide:
- Identify Method: Use Group Policy, Intune, or PowerShell to configure ASR rules.
- Enable the Rule: Navigate to the ASR rules configuration in your chosen management console. Locate the rule with the GUID `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` and set it to “Block” or “Audit” mode.
- Deploy and Test: Deploy the policy to your endpoints. Re-run your LSASS dump simulation. In “Block” mode, the attack should now fail, and an event will be logged in Windows Event Viewer.
6. Integrating Threat Intelligence Feeds
Augment your detections by cross-referencing internal logs with known-bad indicators from threat intelligence feeds.
Verified Splunk SPL Query:
index=windows (EventCode=1 OR EventCode=3) | lookup threat_intel_iocs indicator OUTPUT threat_description | search threat_description= | stats count by _time, host, CommandLine, dest_ip, threat_description
Step-by-Step Guide:
- Ingest a TI Feed: Configure Splunk to ingest a threat intelligence feed (e.g., a CSV file from OTX or a commercial feed) into a lookup file called
threat_intel_iocs. - Create the Correlation Search: The SPL query above will join your process creation (1) and network connection (3) events with the TI lookup.
- Automate: If a process like `mimikatz.exe` connects to a known C2 server IP in your TI feed, this search will automatically correlate the events, providing high-fidelity alerting.
7. Proactive Hunting with Anomaly Detection
Move beyond static alerts by hunting for anomalous parent-child process relationships.
Verified Splunk SPL Query:
index=windows EventCode=1 | stats dc(ParentImage) as unique_parents by CommandLine | where unique_parents > 3 | sort - unique_parents
Step-by-Step Guide:
- Run the Hunt: This search identifies processes (CommandLine) that have been spawned by an unusually high number of different parent processes. Legitimate system processes typically have one or two consistent parents.
- Analyze Results: A tool like `rundll32.exe` used to dump LSASS might be called from
powershell.exe,cmd.exe,explorer.exe, or a custom script. This anomaly makes it stand out. - Triage: Investigate any results with a high count of
unique_parents. This is a powerful method for uncovering stealthy attacker tradecraft that avoids signature-based detection.
What Undercode Say:
- Visibility is Paramount: Without granular logging from tools like Sysmon, LSASS dumping is a ghost in the machine. Raw Windows logs are insufficient for modern threat hunting.
- Defense in Depth is Non-Negotiable: Relying on a single detection method is a recipe for failure. A layered strategy combining process, file, and memory monitoring with preventive controls like ASR creates a resilient defensive posture.
The analysis from the provided Arabic-language lab underscores a critical evolution in blue teaming: the shift from passive alert monitoring to active adversary simulation. By building detection logic based on how attacks are actually performed, rather than theoretical models, SOC analysts can create higher-fidelity alerts that reduce analyst fatigue and improve mean time to detect (MTTD). The technical walkthrough of correlating Sysmon’s deep telemetry with Splunk’s analytical power provides a reproducible framework for defending one of the most critical assets on the network.
Prediction:
The cat-and-mouse game around LSASS will intensify. We will see a rise in “living-off-the-land” techniques that leverage signed, legitimate drivers for kernel-level access to LSASS memory, completely bypassing user-space monitoring tools like Sysmon. This will force the defense community to adopt stricter code signing policies, hypervisor-protected code integrity (HVCI), and kernel-level telemetry, pushing the battle for credentials from the OS into the hardware virtualization layer. AI-assisted security platforms will become essential to correlate these subtle, low-level events and identify malicious patterns human analysts would miss.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Abdelaleemkhaled Homeabrlababrforabrcyberdefendersabrarabic – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
