Hide Your Valuables — Mitigating Physical Credential Dumping Attacks

Presented at ShmooCon 2023, Jan. 21, 2023, 4:30 p.m. (30 minutes).

Windows credential dumping is a common attacker technique that involves dumping passwords, hashes, and tickets from the Local Security Authority process’s (LSASS) memory to facilitate lateral movement. Tools such as Mimikatz and ProcDump have enabled adversaries to dump credentials with relative ease, which has made defending against this type of attack a critical component of securing a host. In response, Microsoft has raised the bar by implementing countermeasures such as allowing LSASS to run as a protected process, preventing traditional memory access techniques. Not to be outdone, attackers are moving to Bring-Your-Own-Vulnerable-Driver (BYOVD) and physical memory dumping as a workaround. Microsoft is mitigating BYOVD attacks by blocking known-vulnerable drivers (default in Win11 22H2), but physical memory attacks remain a concerning gap in the endpoint attack surface.

In this talk, we will discuss virtual vs physical memory and their relation to credential dumping attacks. We’ll then describe Silhouette, a tool to mitigate physical memory credential dumping attacks. We will demonstrate its effectiveness against two common physical memory credential dumping tools. This talk will be accompanied by the release of Silhouette’s source code.

Presenters:

• Gabriel Landau
  Gabriel Landau (@GabrielLandau) is a principal at Elastic Security. His research includes Kernel Mode Threats and Practical Defenses (BH USA), PPLGuard, CI Spotter, AV sandboxing attacks, and Process Ghosting. His non-public work includes endpoint protections, exploit mitigation, product & DRM evaluation, and malware reversing. Though he mostly wears blue these days, his heart will always be red.
• Mark Mager
  Mark Mager (@magerbomb) leads Elastic’s Endpoint Protections Team and has served in prominent technical leadership roles in the research and development of advanced computer network operations tools and provided reverse engineering subject matter expertise to government and commercial clients in the Washington, D.C. area.

Similar Presentations:

• REcon 2017 / The HyperV Architecture and its Memory Manager
• Black Hat USA 2017 / Taking DMA Attacks to the Next Level: How to do Arbitrary Memory Reads/Writes in a Live and Unmodified System Using a Rogue Memory Controller
• DEF CON 30 (2022) / LSASS Shtinkering: Abusing Windows Error Reporting to Dump LSASS