Detecting OS Credential Dumping with Windows Events Logs and Security Events Explorer

An attacker with administrative privileges on a Windows machine (enough to obtain SeDebugPrivilege or to run as SYSTEM) can access the credential material of the users who have logged on since the last boot (typically NTLM hashes and, depending on the configuration, Kerberos tickets or even cleartext passwords) by simply dumping the memory of the Local Security Authority Subsystem Service (LSASS) process. The attacker is then free to crack these hashes offline or to reuse them directly in pass-the-hash attacks. We will see how Windows event logs and Security Events Explorer can help in detecting such attacks.


Introduction

Windows Security Event logs track activities on Windows hosts and can be used for auditing purposes and security checks. They record user activities such as interactive and RDP logons, logoffs, access to certain folders, use of elevated privileges, access to particular objects and processes, and so on. It is possible to configure which events are logged, and Microsoft provides guidance on which events are worth monitoring.

This blog post assumes that proper auditing has been enabled on the target device. There are many guides on the web explaining how to configure Windows event collection; this one from Microsoft, for instance, is a good reference.

As for the environment where the experiments were carried out, I set up a lab with a Windows Server 2019 and a Windows 10 Pro device, enabled full logging on both machines, ran the same commands on both of them and compared the results. The results, i.e. the logged events, were basically the same on both devices, so the detection techniques presented here should also work for other versions of Windows, as long as proper logging is enabled.
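The "full logging" mentioned above can be reproduced on a lab host from an elevated PowerShell prompt. The script below is an added example, not part of the original post: it enables the audit subcategories that the rest of this series relies on, turns on command-line and script-block logging, and grows the Security log so that verbose auditing does not overwrite evidence too quickly. It assumes an English locale (auditpol subcategory names are localized) and that a 1 GB Security log is acceptable on the test machines.

```powershell
# Added example: configure lab auditing for LSASS credential dumping detection.
# Assumptions: elevated prompt, English-locale auditpol names, 1 GB log size is fine.

$subcategories = @(
    'Process Creation',        # 4688 (with command line once the registry value below is set)
    'Process Termination',     # 4689
    'Handle Manipulation',     # 4658/4690, noisy but useful in a lab
    'Kernel Object',           # 4656/4663 on kernel objects such as processes
    'Sensitive Privilege Use', # 4673/4674, e.g. use of SeDebugPrivilege
    'Logon',                   # 4624/4625
    'Logoff',                  # 4634/4647
    'Special Logon',           # 4672, logons with administrative privileges
    'Audit Policy Change',     # 4719, someone turning auditing off
    'Security State Change'    # 4608/4616, reboots and time changes
)

foreach ($sub in $subcategories) {
    # auditpol.exe is the supported tool for per-subcategory audit settings
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}
# In a throwaway lab you can simply turn everything on instead:
#   auditpol.exe /set /category:* /success:enable /failure:enable

# Include the full command line in 4688 (Process Creation) events
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# PowerShell script block logging (event 4104 in Microsoft-Windows-PowerShell/Operational)
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sblKey -Force | Out-Null
Set-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Grow the Security log (1 GB) so that verbose auditing does not wrap around quickly
wevtutil.exe sl Security /ms:1073741824

# Verify the effective policy and the log configuration
auditpol.exe /get /category:* | Select-String -Pattern ($subcategories -join '|')
Get-WinEvent -ListLog Security | Select-Object LogName, MaximumSizeInBytes, RecordCount
```

Outside a lab, "Handle Manipulation" and "Kernel Object" are the two subcategories to enable with care: they generate a large volume of 4656/4658/4663 events on a busy host, so scope them (or filter at the forwarder) before shipping them to the SIEM.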

Note: I will present some Windows OS credential dumping techniques and indicate which Security Events allow us to spot their execution. Then I will show how these attacks can be easily detected by using the correlation and visualization capabilities of the open-source tool Security Events Explorer.



The techniques that we are going to detect are categorized by the MITRE ATT&CK framework as T1003.001 - OS Credential Dumping: LSASS Memory. MITRE provides examples of such techniques, and the Atomic Red Team™ project by Red Canary goes even further by providing a library of tests mapped to the MITRE ATT&CK® framework. Security teams can use Atomic Red Team to quickly, portably, and reproducibly test their environments. We'll use the validated Atomic Red Team tests and expand on them by providing a detection perspective based on security logs. That is, while the Atomic Red Team project takes MITRE techniques and maps them to concrete attacks, we'll take those concrete attacks and map them to the logs they generate. Our goal is to build a reliable framework that allows us to detect attacks by recognizing specific patterns in the logs.

There are good reasons why Windows Security logs can be an additional, effective layer of defense for detecting attacks. One is that antivirus and EDR solutions can be bypassed. If that happens, our security products won't prevent attackers from reaching their goal, in this case dumping and exfiltrating Windows credentials. But while the EDR is evaded and the attacker dumps the credentials, Windows still generates logs, which are generally forwarded to a monitoring system such as a SIEM. Sure, an attacker could clear the logs or stop logging for a while, but in an environment with decent security monitoring this would not be stealthy: clearing the Security log itself produces event 1102 ("The audit log was cleared"), changing the audit policy produces event 4719, and a host that suddenly stops sending events should raise an alert on the SIEM just as the tampering would on the EDR.
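The check a defender wants here is for exactly that tampering. The following PowerShell is an added example, not code from the original post: it lists recent 1102 and 4719 events on the local host, extracting the account that performed the action from the event XML, and reports any audit subcategory needed by this series that is no longer enabled. It assumes an elevated prompt (the Security log is not readable otherwise), an English-locale auditpol, and the default required-subcategory list, which is my choice rather than the author's.

```powershell
# Added example: spot audit tampering on the local host.
# Assumptions: elevated prompt, English-locale auditpol output.

function Get-AuditTamperingEvents {
    param([int]$Hours = 24)

    $descriptions = @{
        1102 = 'The audit log was cleared'
        4719 = 'System audit policy was changed'
    }
    $filter = @{
        LogName   = 'Security'
        Id        = @(1102, 4719)
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent throws when nothing matches; an empty result is the good case here
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        # 1102 stores the subject under UserData/LogFileCleared, 4719 under EventData/Data
        $subject = if ($_.Id -eq 1102) {
            $xml.Event.UserData.LogFileCleared.SubjectUserName
        } else {
            ($xml.Event.EventData.Data | Where-Object Name -eq 'SubjectUserName').'#text'
        }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Id          = $_.Id
            Description = $descriptions[$_.Id]
            Subject     = $subject
        }
    }
}

function Get-DisabledAuditSubcategories {
    # Subcategories that must stay enabled for the detections in this series (my list)
    param([string[]]$Required = @('Process Creation', 'Kernel Object', 'Handle Manipulation',
                                  'Sensitive Privilege Use', 'Logon', 'Audit Policy Change'))

    foreach ($sub in $Required) {
        # /r prints CSV; the 'Inclusion Setting' column holds the effective setting
        $row = auditpol.exe /get /subcategory:"$sub" /r | ConvertFrom-Csv
        if ($row.'Inclusion Setting' -notmatch 'Success') {
            [pscustomobject]@{ Subcategory = $sub; Setting = $row.'Inclusion Setting' }
        }
    }
}

Get-AuditTamperingEvents -Hours 72 | Format-Table -AutoSize
Get-DisabledAuditSubcategories | Format-Table -AutoSize
```

Two caveats. First, an attacker who stops event logging rather than clearing the log leaves no 1102 behind, so the SIEM side should also alert when a host's Security events simply stop arriving. Second, this runs against the local log; if the attacker already has administrative rights on the host, the authoritative copy is the one already forwarded to the collector, and the same queries should be run there.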

Note: Evading antivirus and EDR detection can be as easy as downloading the exploit source code and recompiling it with different flags. Wil Allsopp, in Advanced Penetration Testing, shows how this very simple trick can be effective in practice, and the zero hits on VirusTotal make me think that an additional detection technique that relies on logs is not a bad idea at all.



Now that we have explained the motivations for our research, it's time to start the attacks (and the detections)!
We are going to use mimikatz, procdump, the MiniDump export of the comsvcs.dll library, nanodump and other tools to dump Windows credentials by accessing the LSASS process memory space.
Follow the link to get to the second part of the LSASS credential dumping blog series:

Detecting OS Credential Dumping with Windows Events - part 2: attacks and detections

References

Microsoft Security Event Log
Configure Windows Event Collection
MITRE ATT&CK T1003.001 - OS Credential Dumping: LSASS Memory
Atomic Red Team™ by Red Canary
Advanced Penetration Testing: Hacking the World's Most Secure Networks