Adversaries track developments within the security community to look for effective ways to skirt modern defenses. Our sensing technology (Guru), which surveils the security community, has been effective at ingesting signals relating to emerging attack vectors, sometimes 3 – 6 months ahead of confirmed campaigns. The signals we consume originate from social influencers, code repositories, CVE PoCs, community chatter and research blogs from within the security community. A recent example where our emerging threat technology was confirmed by actual adversary events was the Fox Kitten Campaign. This campaign was masterfully articulated in a report written by ClearSky Cyber Security, which recounted the activities of the suspected Iranian APT groups involved. Drilling down, we will focus on the methods utilized by the attackers which allowed for credential access and were signaled in advance by our platform, as early as July 2019.
Mimikatz and Endpoint Security
Mimikatz has long been an adversary staple for gaining credential access. Most endpoint security solutions will now easily detect the signatures and/or behaviors associated with Mimikatz, forcing adversaries to find new methods to skirt defenses. Additionally, default security features like Virtualization-Based Security (VBS) for Windows 10 Enterprise users will significantly hinder credential dumping techniques, as the processes involved are shielded within a virtual environment. “The Microsoft hypervisor creates VSM and enforces restrictions which protect vital operating system resources, provides an isolated execution environment for privileged software and can protect secrets such as authenticated user credentials. With the increased protections offered by VBS, even if malware compromises the operating system kernel, the possible exploits can be greatly limited and contained because the hypervisor can prevent the malware from executing code or accessing secrets”. That being said, there is a significant part of the computer population not running Enterprise edition but still possessing security solutions able to chew up tools like Mimikatz. This is where the security research in the latter half of 2019 focused, and how adversary tradecraft migrated in response.
Procdump + Mimikatz
Starting in early fall of 2019, our sensors saw an explosion of activity in the security community relating to credential dumping techniques and tools. The first family of signals surrounded the use of ProcDump (a legitimate Microsoft tool) to dump LSASS memory and then parse the output with Mimikatz on an attacker-controlled endpoint. An interesting caveat to this technique was that if the command “procdump -ma lsass.exe lsass.dmp” was used without the PID for LSASS being specified, Defender would catch the behavior. Within the recently documented Fox Kitten Campaign, this command was issued to dump credentials during the attacks. In addition to the tradecraft chatter regarding ProcDump, our sensors ingested purpose-built tools that capitalize on this vector. Examples of exploit tools that utilize this vector are lsassy (“Extract credentials from lsass remotely”) and spraykatz (“Credentials gathering tool automating remote procdump and parse of lsass process”). Had defenders realized in advance that this vector was gaining significant traction, these attacks may have been prevented or detected earlier.
MiniDump + Mimikatz
Additional LSASS attack vectors were also simultaneously trending within the security community. Taking advantage of the Windows library “Dbghelp.dll”, attackers may exploit the function “MiniDumpWriteDump” to dump LSASS memory. Examples of tools that utilize this technique are MiniDump (“an alternative to procdump written in C# (perfect for execute-assembly)”) and SharpDump (“SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality”). Other tools utilizing this vector can possess additional advanced functionality like API unhooking and command and control integration. A great example of such a tool is Dumpert (“LSASS memory dumper using direct system calls and API unhooking”).
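Both vectors above leave telemetry a defender can hunt on: the ProcDump variant shows up as a process-creation event whose command line names lsass.exe or its PID, and the MiniDumpWriteDump variant shows up as a process-access event against lsass.exe whose call stack passes through dbghelp.dll (or dbgcore.dll, where the function is implemented on newer builds). The script below is an added example, not code from Guru or from any of the tools named on this page. It reads Sysmon-style events (Event ID 1 ProcessCreate and Event ID 10 ProcessAccess, with Sysmon's real field names) and applies both checks; it also resolves a numeric ProcDump target against the PID Sysmon recorded for lsass.exe, so the by-PID form that the text says slips past Defender is still flagged. The log lines and the allowlist of legitimate LSASS accessors are constructed for this example.

```python
"""
Hunt for LSASS memory-dump tradecraft in Sysmon-style JSON events.

Rule 1 (ProcDump):        Event ID 1, image or OriginalFileName is procdump, and a
                          command-line argument is lsass / lsass.exe or the lsass PID.
Rule 2 (MiniDumpWriteDump): Event ID 10, TargetImage is lsass.exe, the granted access
                          includes PROCESS_VM_READ, and the CallTrace goes through
                          dbghelp.dll or dbgcore.dll.
All sample events below are constructed for this example.
"""
import json
import re

PROCESS_VM_READ = 0x0010                      # Windows PROCESS_VM_READ access right
DUMP_MODULES = ("dbghelp.dll", "dbgcore.dll")  # modules that host MiniDumpWriteDump
PROCDUMP_NAMES = {"procdump.exe", "procdump64.exe", "procdump"}
LSASS_TOKEN = re.compile(r"lsass(\.exe)?")

# Constructed allowlist: images expected to open LSASS in this environment. Tune per estate.
ALLOWED_LSASS_ACCESSORS = {r"c:\program files\windows defender\msmpeng.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def lsass_pids(events):
    """PIDs that Sysmon recorded as lsass.exe process creations (used to resolve '-ma <pid>')."""
    return {int(e["ProcessId"]) for e in events
            if e.get("EventID") == 1 and _basename(e.get("Image", "")) == "lsass.exe"}


def detect_procdump(event, known_lsass_pids):
    """Rule 1: ProcDump aimed at LSASS by name or by PID (renamed binaries caught via OriginalFileName)."""
    if event.get("EventID") != 1:
        return None
    names = {_basename(event.get("Image", "")), event.get("OriginalFileName", "").lower()}
    if not names & PROCDUMP_NAMES:
        return None
    tokens = [t.lower() for t in event.get("CommandLine", "").split()]
    targets = [t for t in tokens[1:] if not t.startswith("-")]  # drop argv[0] and switches
    if any(LSASS_TOKEN.fullmatch(t) for t in targets):
        return {"rule": "procdump_lsass_by_name", "pid": event["ProcessId"], "cmd": event["CommandLine"]}
    for t in targets:
        if t.isdigit() and int(t) in known_lsass_pids:
            return {"rule": "procdump_lsass_by_pid", "pid": event["ProcessId"], "cmd": event["CommandLine"]}
    return None


def detect_minidump(event):
    """Rule 2: a non-allowlisted process reads LSASS memory through dbghelp/dbgcore."""
    if event.get("EventID") != 10 or _basename(event.get("TargetImage", "")) != "lsass.exe":
        return None
    if event.get("SourceImage", "").lower() in ALLOWED_LSASS_ACCESSORS:
        return None
    access = int(event.get("GrantedAccess", "0x0"), 16)   # Sysmon logs this as a hex string
    trace = event.get("CallTrace", "").lower()
    if access & PROCESS_VM_READ and any(m in trace for m in DUMP_MODULES):
        return {"rule": "minidumpwritedump_lsass", "source": event["SourceImage"], "access": hex(access)}
    return None


def hunt(lines):
    """Parse JSON lines, resolve the lsass PID(s), and return all alerts in event order."""
    events = [json.loads(line) for line in lines if line.strip()]
    pids = lsass_pids(events)
    alerts = []
    for e in events:
        hit = detect_procdump(e, pids) or detect_minidump(e)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry (field names follow Sysmon; values are invented).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\lsass.exe", "ProcessId": 712, "CommandLine": r"C:\Windows\system32\lsass.exe"},
    {"EventID": 1, "Image": r"C:\Users\ops\procdump64.exe", "OriginalFileName": "procdump", "ProcessId": 4410,
     "CommandLine": r"procdump64.exe -accepteula -ma 712 C:\Temp\out.dmp"},           # by PID
    {"EventID": 1, "Image": r"C:\Windows\Temp\pd.exe", "OriginalFileName": "procdump", "ProcessId": 4522,
     "CommandLine": "pd.exe -ma lsass.exe lsass.dmp"},                                 # renamed binary, by name
    {"EventID": 10, "SourceImage": r"C:\Users\ops\dumper.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2e0b3|C:\Windows\SYSTEM32\dbgcore.dll+1c3a|C:\Users\ops\dumper.exe+21f0"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\dbghelp.dll+4a10"},  # allowlisted
    {"EventID": 1, "Image": r"C:\Tools\procdump.exe", "OriginalFileName": "procdump", "ProcessId": 4600,
     "CommandLine": "procdump.exe -ma notepad.exe note.dmp"},                          # benign target
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2e0b3"},  # query-limited only
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(alert)
```

Running the script prints three alerts: the by-PID ProcDump, the renamed ProcDump by name, and the dbgcore-backed read of LSASS; the Defender access and the ProcDump run against notepad.exe produce nothing. The PID resolution is what separates this from a plain command-line string match: without the lsass.exe creation event in scope, the first ProcDump line would be invisible.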
Had defenders had access to forward-looking cyber intelligence, they may have been able to mitigate or minimize some of the attacks associated with the Fox Kitten Campaign. While we have seen direct correlation between Guru’s ingested signals relating to dumping LSASS memory and recent adversary behaviors, other variations aimed at targeting LSASS can also be assumed to be in play (MiniDump). Defenders should look at how adversary tradecraft migrated from the security community (the use of ProcDump to dump LSASS, followed by offline Mimikatz) to an actual adversarial campaign (Fox Kitten). Defenders should threat hunt for indicators relating to coexisting exploit vectors that are developing within the security community and are aimed at dumping LSASS memory.