NativeDump - Dump Lsass Using Only Native APIs By Hand-Crafting Minidump Files (Without MinidumpWriteDump!)

NativeDump allows to dump the lsass process using only NTAPIs generating a Minidump file with only the streams needed to be parsed by tools like Mimikatz or Pypykatz (SystemInfo, ModuleList and Memory64List Streams). NTOpenProcessToken and NtAdjustPrivilegeToken to get the “SeDebugPrivilege” privilege RtlGetVersion to get the Operating System version details (Major version, minor version and…

View On WordPress

Akira ransomware prevention and defense 2024

New Post has been published on https://thedigitalinsider.com/akira-ransomware-prevention-and-defense-2024/

Akira ransomware prevention and defense 2024

EXECUTIVE SUMMARY:

In March of 2023, the first Akira ransomware strain was observed in the wild. Since then, the group has compromised over 100 different organizations, targeting those in the financial, manufacturing, real-estate, healthcare and medical sectors.

Akira operates on a Ransomware-as-a-Service (RaaS) model and typically deploys a double-extortion scheme. This involves exfiltrating sensitive data prior to device encryption and insisting on a ransom in exchange for withholding the data from the group’s TOR leak site.  

Most recently, Akira interrupted a U.S. emergency dispatch system, causing a nine-day operational outage. During the outage, dispatchers relied on backup systems. As of the present writing, full system restoration is still a work-in-progress.

About Akira

The group is believed to have taken its name from the 1988 cult anime film of the same name, which depicts biker gangs in a dystopian Tokyo. The Akira ransomware gang is known for use of a retro aesthetic on victims’ sites, reminiscent of the 1980’s green screen consoles.

Cyber security researchers have uncovered evidence linking the Akira group to the notorious Conti ransomware operation. In at least three separate cryptocurrency transactions, Akira criminals appear to have sent the full amount of the ransom payment to Conti-affiliated addresses.

The overlap of cryptocurrency wallets indicates that the individual controlling the address or wallet has either splintered off from the original group, or is working with two different groups simultaneously.

How Akira operates

Akira commonly breaches systems by obtaining unauthorized access to the target organization’s VPNs, as through a compromised username/password combination.

After sneaking in through an endpoint, Akira typically uses any of several methods to acquire permissions that enable lateral network movement.

These methods include orchestrating a mini-dump of the LSASS (Local Security Authority Subsystem Service) process memory, obtaining credentials stored in the Active Directory database and exploiting known vulnerabilities in backup software.

Advanced persistence mechanisms

Akira ordinarily deploys tools and techniques like Remote Desktop Protocol (RDP), Server Message Block (SMB), impacket module wmiexec, and a service manager tool known as nssm.exe, in order to gain persistence within systems.

As is the case among many cyber criminal groups, Akira also attempts to uninstall or disable security defenses, including anti-malware and network monitoring tools.

Beyond that, the group tends to use the runas command (a Windows command-line tool that allows for the execution of scripts, apps…etc., with different user permissions from the currently logged-in user) in order to execute commands.

This, in turn, makes tracking hacker activities more difficult for defenders.

Akira and C2 mechanisms

Most ransomware attackers weaponize a command and control (C2) mechanism to execute activities. The C2 system establishes communication with and exerts control over a compromised machine or network.

The C2 server can potentially be used to manage the ransomware deployment and to initiate the encryption of data on targeted systems. For the purpose of establishing persistent remote access to multiple systems within the network, Akira seems to prefer AnyDesk.

Akira and data exfiltration

Akira uses a number of different tools when it comes to data exfiltration. These include WinRAR, WinSCP, rclone, and MEGA.

After data exfiltration, Akira demands a ransom from victims. In the event that the ransom goes unpaid, the group will leak stolen data on its TOR site, as previously mentioned.

Akira’s encryption tactic

To encrypt a given target’s data, Akira relies on a combination of AES and RSA algorithms. The group will also purge Windows Shadow Volume Copies from devices by running a PowerShell command. For victims, this massively complicates the process of independently restoring systems and recovering encrypted data.

Recommended means of preventing and defending against Akira’s ransomware

1. Address identity and access management.

Enhance access controls. Implement multi-factor authentication (MFA). Akira can gain initial access via unauthorized logins to VPNs through accounts that lack MFA. This seemingly simplistic safeguard can significantly limit the risk of unauthorized access.

2. Store credentials securely.

As noted earlier, Akira deploys a variety of tactics to obtain credentials. These tactics include execution of a mini-dump of the LSASS process memory, retrieving credentials stored in the Active Directory database and leveraging vulnerabilities in backup services.

To that effect, organizations need to take care when it comes to credential management. Credentials should be stored securely, and regularly updated. Backup services must also be appropriately secured.

3. Elevate your patch management protocol.

Akira commonly exploits vulnerabilities in VPN software. Thus, regular patching and updating of software can proactively prevent Akira attacks.

4. Monitor your network like a ninja.

Akira relies on built-in commands and tools to identify an environment’s systems and to learn about the status of target devices. Detect duplicitous behavior by monitoring for unusual network activity.

Your organization should also monitor for data exfiltration. Look for substantial data transfers and unusual network patterns.

5. Secure C2 channels.

Akira uses widely recognized dual-use agents, such as AnyDesk, to establish persistent remote access. Remain vigilant in regards to abnormal remote access activities and fortify Command and Control (C2) channels. This can be of tremendous assistance when it comes to thwarting potential attacks.

6. Secure remote desktop protocol.

Akira frequently employes Remote Desktop Protocol (RDP), using legitimate local administrator user accounts to facilitate lateral movement. Enhancing the security of RDP and staying vigilant for atypical RDP activity can be effective in preventing lateral movement.

7. Implement endpoint protection.

Akira usually attempts to uninstall endpoint protections as a means of evading detection. Deploying robust endpoint protection measures and consistently monitoring for efforts to disable or uninstall such safeguards can also assist with attack prevention and detection.

Related resources

The 10 most dangerous ransomware groups right now – Read article

Secure your data. Explore endpoint security solutions – Learn more

Identity and access management solution free trial – Click here

[Media] ​​lsassy

​​lsassy Python tool to remotely extract credentials on a set of hosts. This blog post explains how it works. This tool uses impacket project to remotely read necessary bytes in lsass dump and pypykatz to extract credentials. https://github.com/Hackndo/lsassy #infosec #pentesting #redteam

Detecting and preventing LSASS credential dumping attacks

Source: https://www.microsoft.com/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/

Dumping hashes without triggering EDR

After getting annoyed with nanodump being detected I did some searching for methods that can dump LSASS without triggering sensors. Recently I had read about a method using Forensics software doing a full ram dump.

A link to that article is here - https://pentestmag.com/bypass-lsass-dump-protection-with-ram-dump/ (commands as listed did not work, so here is a fresh post)

I decided to give this a shot however against Crowdstrike Falcon, first downloading Magnet Ram Capture - https://support.magnetforensics.com/s/article/Acquire-Memory-with-MAGNET-RAM-Capture

(Requires a biz email)

Armed with Magnet Ram Capture I was able to dump all data from Ram without triggering any Crowdstrike Falcon alerts.

Avoid setting a segment size, life was easier with all ram dumped to a single file.

Now use volatility! The following volatility3 command worked for me -

python3 vol.py dump.raw windows.hashdump

Microsoft Defender Will Soon Block Windows Password Theft

Microsoft is enabling a Microsoft Defender 'Attack Surface Reduction' security rule by default to block hackers' attempts to steal Windows credentials from the LSASS process. BleepingComputer reports: When threat actors compromise a network, they attempt to spread laterally to other devices by stealing credentials or using exploits. One of the most common methods to steal Windows credentials is to gain admin privileges on a compromised device and then dump the memory of the Local Security Authority Server Service (LSASS) process running in Windows. This memory dump contains NTLM hashes of Windows credentials of users who had logged into the computer that can be brute-forced for clear-text passwords or used in Pass-the-Hash attacks to login into other devices. While Microsoft Defender block programs like Mimikatz, a LSASS memory dump can still be transferred to a remote computer to dump credentials without fear of being blocked. To prevent threat actors from abusing LSASS memory dumps, Microsoft has introduced security features that prevent access to the LSASS process. One of these security features is Credential Guard, which isolates the LSASS process in a virtualized container that prevents other processes from accessing it. However, this feature can lead to conflicts with drivers or applications, causing some organizations not to enable it. As a way to mitigate Windows credential theft without causing the conflicts introduced by Credential Guard, Microsoft will soon be enabling a Microsoft Defender Attack Surface Reduction (ASR) rule by default. The rule, ' Block credential stealing from the Windows local security authority subsystem,' prevents processes from opening the LSASS process and dumping its memory, even if it has administrative privileges. While enabling the ASR rule by default will significantly impact the stealing of Windows credentials, it is not a silver bullet by any means. This is because the full Attack Surface Reduction feature is only supported on Windows Enterprise licenses running Microsoft Defender as the primary antivirus. However, BleepingComputer's tests show that the LSASS ASR rule also works on Windows 10 and Windows 11 Pro clients. Unfortunately, once another antivirus solution is installed, ASR is immediately disabled on the device. Furthermore, security researchers have discovered built-in Microsoft Defender exclusion paths allowing threat actors to run their tools from those filenames/directories to bypass the ASR rules and continue to dump the LSASS process. Mimikatz developer Benjamin Delpy told BleepingComputer that Microsoft probably added these built-in exclusions for another rule, but as exclusions affect ALL rules, it bypasses the LSASS restriction.

Read more of this story at Slashdot.

from Slashdot https://ift.tt/OjtK0DC

Bypass EDR’s memory protection, introduction to hooking

Bypass EDR’s memory protection, introduction to hooking

Original text by Hoang Bui

Introduction

On a recent internal penetration engagement, I was faced against an EDR product that I will not name. This product greatly hindered my ability to access lsass’ memory and use our own custom flavor of Mimikatz to dump clear-text credentials.

For those who recommends ProcDump The Wrong Path

So now, as an ex-malware author — I know that there…

View On WordPress

Original Post from Talos Security Author:

By Warren Mercer, Paul Rascagneres and Vitor Ventura.

Summary

Cisco Talos recently discovered a new server hosting a large stockpile of malicious files. Our analysis of these files shows that these attackers were able to obtain a deep level of access to victims’ infrastructure — all of which allowed us to identify several targets of these attacks, including one American manufacturing company. Talos notified these targets of the attack.

We found a great variety of malicious files on this server, ranging from ransomware like the DopplePaymer, to credit card capture malware like the TinyPOS, as well as some loaders that execute code delivered directly from the command and control (C2)

The data found on this server shows how malicious actors can diversify their activities to target different organizations and individuals, while still using the same infrastructure. The tools we studied paint a picture of an adversary that is resourceful and has a widespread infrastructure shared across different operations.

Targets’ profiles

While performing our analysis, we identified at least two targets based on screenshots and memory dumps.

Target No. 1: Based on screenshot

The first target we identified is an aluminium and stainless steel gratings company located in the U.S. This identification was made based on the screenshot from the HPE Data Protector management interface. The screenshot shows the domain name (which we have redacted), thus leading us to the company’s name. This screenshot demonstrates that the level of access the attackers had on the victims’ infrastructure.

Screenshot from HPE Data protector manager.

This screenshot contains some important information for the adversary. On one side, it shows which servers are being backed up on another shows which ones are important to the victim.

This, in conjunction with the ransomware located on the server, indicates the intent of deploying ransomware on the infrastructure, showing a manual and targeted approach more advanced than the simple execution of malware.

Target No. 2: Based on the LSASS dump

We identified a second target due to a process dump we found on the server. The dumped process is responsible for managing credentials on Windows (lsass.exe). Using a tool like Mimikatz, it’s possible to retrieve credentials from the process dump.

The content of the dump showed us the hostname and Windows domain of the system and the “support” username. To perform the process dump, the attacker had high privileges on the system. This would help him to perform lateral movement. Which suggest a manual and targeted approach to this target.

The dump was uploaded on the server on Sept. 24, the same date as the login time stored in the memory dump.

Samples

DopplePaymer samples

The majority of the Windows binaries available on the server are DopplePaymer samples. This malware is a ransomware, an evolution of Bitpaymer documented by Crowdstrike. We identified seven different binaries. The oldest one was uploaded on Oct. 5, with the most recent originating from Oct. 20. As previously documented, the ransomware needs to be executed with a key in argument. We identified how the key was put in argument by this actor. A WinRAR self-extracting archive (SFX) is used to extract the ransomware and execute the following command:

Path=C:Users–redacted–DesktopSetup=C:Users–redacted–Desktopp1q135no.exe QWD5MRg95gUEfGVSvUGBY84h

In our example, the key is ‘QWD5MRg95gUEfGVSvUGBY84h’. The hard-coded path proves the attackers either had prior knowledge of the target’s infrastructure prepared the package in the target infrastructure.

This variant uses alternate data streams to partially hide its data.

The remaining behavior and ransom note are consistent with the previous documented variant.

TinyPOS sample

On the same server we also found a TinyPOS sample. This malware is installed using a batch file.

The batch file creates a scheduled task that will be executed every 6 hours and is executed has Local System.

The script deploys a scheduled task:

The PowerShell contains the TinyPOS code, which is defined as an array of bytes written with hexadecimal values. The PowerShell script creates an execution threat using the TinyPOS previously copied into memory.

TinyPOS is a point-of-sale malware which is directly developed in assembly. This sample exfiltrates data to the C2 hardcoded in the sample: jduuyerm[.]website.

The data going out is obfuscated using XOR operations with a hardcoded key of 0xcaef3d8a. The malware exfiltrates the hostname and the local IP of the infected system. It searches and parses targeted processes memory to retrieve credit card information, which is usually stored in tracks 1 and 2 of the magnetic strip of the credit card.

The adversaries uploaded tinyPOS on Sept. 26.

Svchost sample

This sample is a simple loader. The loader code is packed and obfuscated using XOR operations. The sample will load an offset of itself and perform XOR operations until the beginning of such offset matches the pattern 0x90909090.

Once the pattern is found, the decoding starts using the number of iterations needed to find the pattern as the XOR key.

The packed code imports several functions among them are the winsock32 module functions, connect(), send() and recv(). Using these functions it contacts the hardcoded C2 sending message that starts with the byte 0x0C.

Afterward, the loader will read 1,024 bytes from the server, until all data is read. The data received has a header of 12 bytes. The message is obfuscated using a XOR operation, the key for this XOR is at the 0x4 offset of the message. Before the sample calls the received code it will check if the last byte of the obfuscated code is 0xC3. This represents the opcode RET, which allows the loader to get the execution control back from the payload it receives from the C2.

Additional binaries

We identified additional binaries on the server. The tools are used by the attacker to perform tasks on the compromised infrastructure. We identified:

Mimikatz: A tool to retrieve Windows credentials from the memory

PsExec: A tool to remotely connect on Windows system. The attacker probably used it to pivot inside the infrastructure by using the credential previously retrieved.

Procdump: A tool to dump process. The attacker probably used it to dump the LSASS.exe process to then use with Mimikatz.

Potential infection vectors

Fake tech support

The TinyPOS C2 server is jduuyerm[.]website and the IP 185.254.188[.]11.

The IP resolved the following domains:

techsupport[.]org[.]ru from March 21, 2019 to Oct. 7, 2019

http://www.techsupport[.]org[.]ru from May 19, 2019 to Oct. 1, 2019

techsupportlap[.]icu from March 13, 2019 to April 2, 2019

techsupportnet[.]icu from March 12, 2019 to April 1, 2019

Two domains were available during the campaigns described in the article. The attacker likely was planning to carry out fake tech support scam to attempt to compromise infrastructure. This would likely be carried out by asking employees to execute specific commands or attempting to download the malware provided by the attacker.

VPN access

From the April 16, 2019 through Aug.18, 2019, the IP resolved to aefawexxr54xrtrt[.]softether[.]net. SoftEther is a powerful VPN platform that offers many features, such as a dynamic DNS service that could allow an adversary to evade detection based on ip addresses. SoftEther also prides itself on being able to “punch” through most firewalls due to only using HTTPS-based traffic. We haven’t found any software that would allow the screenshots found. In theory, if the actors can open a VPN back to their own server, they could then RDP into the systems, bypassing all firewalls in between. Softether seems to be the perfect solution for this.

SoftEther says it is a VPN that “has strong resistance against firewalls than ever [SIC]. Built-in NAT-traversal penetrates your network admin’s troublesome firewall for overprotection. You can setup your own VPN server behind the firewall or NAT in your company, and you can reach to that VPN server in the corporate private network from your home or mobile place, without any modification of firewall settings. Any deep-packet inspection firewalls cannot detect SoftEther VPN’s transport packets as a VPN tunnel, because SoftEther VPN uses Ethernet over HTTPS for camouflage [SIC].”

Conclusion

This server pulls back the curtain on an active threat actor targeting and compromising different companies. The attacker is not only limited to ransomware, even if it covers the vast majority of files available on the server. The adversary can steal credit card information via a point-of-sale malware and remotely managed compromised infrastructure. Based on the victims in this case, we can conclude that this attacker wants to target medium-sized companies in the industrial space. During this investigation, Talos notified potential victims to ensure they could remediate and ensure they were not under a current attack. This is a good example of how an attacker can be diverse during their use of infrastructure and their use of different tools, techniques and procedures (TTPs).

IOCs

Network

Jduuyerm[.]website 185.254.188[.]11. techsupport[.]org[.]ru http://www.techsupport[.]org[.]ru techsupportlap[.]icu techsupportnet[.]icu 185.212.128[.]189 aefawexxr54xrtrt[.]softether[.]net

Samples

d4be15adbbe135d172d5e0afcd191ae740df22de5d3beac98e188a3cf01a036b WSDB.bat a78bacb79d5d229aa8d6c574d1d8386664918a520beebc655975b04a61da1308 WSDB.ps1 e410b949d128ffb513af037355fe777b5b40799001a312843e405070308a3f36 WSDB.xml 3de852ed3bd3579cd9875108e121ba6fd68a66f8f6948cce072e8013ad1955ea c32_217061.exe fa7c7db9d33e1f4193bfe460d1a61096d75315212042a62bb3a30b3077511610 c64_217061.exe 0273d96cef6683e3fb205b8e841579b44bae16ff1e3ab57647b1a9d2947db5c7 file.exe bc919680471fd1b631e80c37e83aeb6877f13f4ed47ae22100cf4d60e27a93a4 mimikatz.exe b9a8710e55bb2d55bbeed9cebb83ac2f18f78818f0c05f18c96f766c8c47e2d9 no135.exe f658ddcf8e87de957a81bb92d44ce02913b427e8bccbe663669ee2613d355555 p1q135no.sfx.exe 16f413862efda3aba631d8a7ae2bfff6d84acd9f454a7adaa518c7a8a6f375a5 procdump64.exe 89f8af1eb52f31b011982d7a1ecc1eed25af6c14bf5f317568a3450db5db7247 q108.exe dcb76dc106e586c6f8bfa82832a66f525a9addb5450912004e92dd578ff2a60a q121k.exe 04d0824f70be3666d79b2a49b85cf6b60b566d7b8cc9efd31195644514fb0cb1 q135.exe 08499612bcf7ccb250438ce8f6eed616511e27c762d66132fef93296007984ac q137k.exe 0273d96cef6683e3fb205b8e841579b44bae16ff1e3ab57647b1a9d2947db5c7 svchost.exe 619f0c489beac9a792b9b42fa6529b3faf4329692fb52d17123ef69733868845 zap32.exe 98a4f69eff1f91f63fb74420ee4c16be508aa203d04f66e98b1dcb554def61ee zap64.exe b1e883222f3205db59ff812c6f6097291df12b1784c9e64eef674ab3a173c07a q159.exe

#gallery-0-5 { margin: auto; } #gallery-0-5 .gallery-item { float: left; margin-top: 10px; text-align: center; width: 33%; } #gallery-0-5 img { border: 2px solid #cfcfcf; } #gallery-0-5 .gallery-caption { margin-left: 0; } /* see gallery_shortcode() in wp-includes/media.php */

Go to Source Author: C2 With It All: From Ransomware To Carding Original Post from Talos Security Author: By Warren Mercer, Paul Rascagneres and Vitor Ventura.

Most of these ransomware creates a credential dump into system software and most of the times, security software went unnoticed into it and then slowly it spreads to different system devices for windows. It integrates with LSASS processes to attack the system and completely taken over the administrative rights of windows. Credential guard of Windows 10 takes care of this as it creates the virtualization process and its security is completely based on this, and it checks for domain credentials and checks for importance of third party tool so that in no way, ransomware hackers could install software from third party links.

Most of the common form of mitigation of exploits tools such as randomization of kernel, non-executable kernel regions are there already with Windows 10 to stop common forms of mitigations. Apart from this device guard and credential guard have been doing this to stop dynamic mitigation of ransomwares. Both mitigations are control flow-guard for kernel and it continuously checks for kernel code-integrity even during some highly administered and capable ransom ware injections. It protects windows against zero day vulnerabilities which come in the form of changes of times zones.

MultiDump - Post-Exploitation Tool For Dumping And Extracting LSASS Memory Discreetly

MultiDump is a post-exploitation tool written in C for dumping and extracting LSASS memory discreetly, without triggering Defender alerts, with a handler written in Python. Blog post: https://xre0us.io/posts/multidump MultiDump supports LSASS dump via ProcDump.exe or comsvc.dll, it offers two modes: a local mode that encrypts and stores the dump file locally, and a remote mode that sends the…

View On WordPress

​Dumpy This tool dynamically calls MiniDumpWriteDump to dump lsass memory content. This process...

​Dumpy This tool dynamically calls MiniDumpWriteDump to dump lsass memory content. This process is done without opening a new process handle to lsass and using DInvoke_rs to make it harder to detect its malicious behaviour. In order to obtain a valid process handle without calling OpenProcess over lsass, all process handles in the system are analyzed using NtQuerySystemInformation, NtDuplicateObject, NtQueryObject and QueryFullProcessImageNameW. NtOpenProcess is hooked before calling MiniDumpWriteDump to avoid the opening of a new process handle over lsass. NTFS Transaction are used in order to xor the memory dump before storing it on disk. Support added for both x86 and x64. https://github.com/Kudaes/Dumpy #lsass #dump

-

​LOLBIN to dump LSASS Path: C:\Program Files\Microsoft Visual...

Forwarded from Pentesting News

​LOLBIN to dump LSASS Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions Binary: DumpMinitool.exe #lolbin #lsass #dump

-

[Media] ​​RToolZ

​​RToolZ A Stealthy Lsass Dumper - can abuse ProcExp152.sys driver to dump PPL Lsass, no dbghelp.lib calls. https://github.com/OmriBaso/RToolZ #pentesting #redteam

[Media] ​​SharpSphere

​​SharpSphere Attacking vSphere Infrastructure. SharpSphere gives red teamers the ability to easily interact with the guest operating systems of virtual machines managed by vCenter. It uses the vSphere Web Services API and exposes the following functions: ▫️ Command & Control - In combination with F-Secure's C3, SharpSphere provides C&C into VMs using VMware Tools, with no direct. ▫️ network connectivity to the target VM required. ▫️ Code Execution - Allows arbitrary commands to be executed in the guest OS and returns the result ▫️ File Upload - Allows arbitrary files to be uploaded to the guest OS ▫️ File Download - Allows arbitrary files to be downloaded from the guest OS ▫️ List VMs - Lists the VMs managed by vCenter that have VMware Tools running ▫️ Dump Memory - Dump and download VM's memory, then manually extract credentials from LSASS offline using WinDbg and Mimikatz (Guide) https://github.com/JamesCooteUK/SharpSphere Dumping LSASS with SharpShere: https://jamescoote.co.uk/Dumping-LSASS-with-SharpShere/

[Media] Lsass-Shtinkering dump lsass tool

Lsass-Shtinkering dump lsass tool https://github.com/JDArmy/Lsass-Shtinkering

[Media] ​​CallBackDump

​​CallBackDump Dump lsass process tool that can pass Kaba, nuclear crystal, defender and other anti-software https://github.com/seventeenman/CallBackDump