Dumping LSASS Like it’s 2019

by Alex Reid

Red Siege 2024

https://redsiege.com/blog/2024/03/dumping-lsass-like-its-2019/

Notes
threat actor
offensive security professional
LSASS.exe
credentials
mimikatz
dumping LSASS.exe
exfiltration
Fortra - nanodump https://github.com/fortra/nanodump
TTP
Microsoft Defender
Microsoft Defender for Endpoint (MDE)
EDR
Cobalt Strike
Beacon
cat-and-mouse game
red vs blue
security researcher
security researchers often fixate on new topics, neglecting work yet to be done on old topics
git clone
many tools can be slightly modified to avoid detection
MiniDumpW
comsvcs.dll
Modexp blog post https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
LoadLibrary
GetProcAddress
SeDebugPrivilege
PID
Microsoft
Volt Typhoon https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
threat intelligence
APT
Fortinet exploitation
BOF (Cobalt Strike)
getprivs (Cobalt Strike)
Aggressor script
security tools identifying file signatures on write
attacker tools altering signatures of files written to disk to avoid detection
MemFiles https://github.com/Octoberfest7/MemFiles
GitHub
x64
userland hook
meminit, memlist, memfetch (Cobalt Strike)
United States Navy Red Team
Advanced Capabilities Developer
DoD
OSCP
OSEP
RTJC