Detecting Attempts to Steal Passwords from Memory

David French
Oct 2, 2018 · 2 min read

An adversary can harvest credentials from the Local Security Authority Subsystem Service (LSASS) process in memory once they have administrative or SYSTEM privileges.

Credential Dumping is MITRE ATT&CK Technique T1003.

This post provides the steps to configure Sysmon to log processes accessing the lsass.exe process. Once this logging is configured, you can monitor for suspicious processes accessing lsass.exe, which could be indicative of credential dumping activity.

Install and Configure Sysmon

Download Sysmon: https://technet.microsoft.com/en-us/sysinternals/sysmon

Create a file named sysmon_config.xml and copy the configuration below into the file.

<Sysmon schemaversion=”4.1">
<HashAlgorithms>SHA256</HashAlgorithms>
<EventFiltering>
<ProcessAccess default=”include”>
</ProcessAccess >
</EventFiltering>
</Sysmon>

Install Sysmon using the configuration file you created:

sysmon64.exe -i .\sysmon_config.xml

Validate that the configuration has been applied by dumping the current sysmon configuration:

sysmon64.exe -c

Dump Passwords From Memory Using Mimikatz

To test the Sysmon Process Access logging, dump passwords from memory using Mimikatz.

PS C:\Users\fmfx009\Downloads\mimikatz_trunk\x64> .\mimikatz.exe
privilege::debug
sekurlsa::logonpasswords

Review Sysmon Event Logs for Mimikatz Usage

Access the Sysmon logs via the Event Viewer under Microsoft-Windows-Sysmon/Operational or use the filtering features of Event Log Explorer.

Apply a filter to view all events with Event ID 10, Process accessed.

You should see evidence of SourceImage: lsass.exe accessing TargetImage: mimikatz.exe. You should also see evidence of SourceImage: mimikatz.exe accessing TargetImage: lsass.exe.

Threat Punter

Threat Hunting | Threat Detection | Malware Analysis | Forensics

David French

Written by

Threat Hunting | Threat Detection | Malware Analysis | Forensics

Threat Punter

Threat Hunting | Threat Detection | Malware Analysis | Forensics

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade