LSASS Shtinkering: Abusing Windows Error Reporting to Dump LSASS

Presented at DEF CON 30 (2022), Aug. 12, 2022, 3 p.m. (45 minutes)

This presentation will show a new method of dumping LSASS that bypasses current EDR defenses, not by exploiting a vulnerability but by abusing a mechanism built into Windows: the WER (Windows Error Reporting) service.

WER is a built-in system in Windows designed to gather information about software crashes. One of its main features is producing a memory dump of crashing user-mode processes for further analysis.

We will present in detail and demo a new attack vector for dumping LSASS, which we dubbed LSASS Shtinkering, by manually reporting an exception to WER on the LSASS process without crashing it. The technique can also be used to dump the memory of any other process of interest on the system.

This attack can bypass defenses that wrongly assume a memory dump generated by the WER service is always benign or not attacker-triggered.

The talk will take the audience through how we reverse-engineered the WER dumping process, the challenges we found along the way, and how we solved them.


Presenters:

  • Asaf Gilboa - Security Researcher, Deep Instinct
    Asaf and Ron are Security Researchers at Deep Instinct, where they both work on developing new defense capabilities based on research and understanding of novel attack techniques and vectors. After serving for several years in the advanced technological cyber units of the IDF, Asaf and Ron gained experience in multiple aspects of technical cyber-security work, including forensics, incident response, development, reverse engineering and malware research.
  • Ron Ben Yitzhak
