Dump Lsass with SharpMiniDump NTFS transactions + UAC bypass + Exfil .dmp file to Dropbox. Overall, MDE BlockMode did a good job articulating this vector in the device timeline. Utilizing SharpMiniDump NTFS transactions (a fork of b4rtik/SharpMiniDump) to avoid writing the dump file to disk and exfiltrating it out to an awaiting Dropbox, made a big difference in avoiding being blocked from executing. The UAC bypass (Medium.exe) executes enough to drop into high-integrity and fire SharpMiniDump (SMD.exe). It took forever to upload the .dmp file to Dropbox - which eventually lost out to my patience (killed process before .dmp file finished). With some work, this may be a good vector.
Lsass Dumper: https://lnkd.in/eD3m2gu
UAC Bypass: https://lnkd.in/dwXdNiE
#cyberthreatintelligence #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam
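Because the NTFS-transaction variant never leaves a finished .dmp on disk, a file-creation rule on `*.dmp` is not the signal to rely on; the durable signal is a non-OS process opening a handle to lsass.exe with memory-read rights. The check below is an added example written for this page, not code from the post or from either linked tool. The Sysmon Event ID 10 records are constructed samples, and the allowlist of benign LSASS clients is an assumption to tune per environment.

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 10 (ProcessAccess) records, flattened to
# key=value lines the way a log shipper might emit them. Not real telemetry.
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Users\\bob\\Downloads\\SMD.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "EventID=10 SourceImage=C:\\Users\\bob\\Downloads\\SMD.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=10 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\t.exe TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1FFFFF",
]

# Process access-right bit from winnt.h. A minidump of another process needs
# to read its memory, so this bit is set whether the tool asks for
# PROCESS_ALL_ACCESS (0x1FFFFF) or a minimal 0x1010 (VM_READ | QUERY_INFORMATION).
PROCESS_VM_READ = 0x0010

# OS components that legitimately open LSASS. Assumption: extend this from
# your own baseline rather than copying it blindly.
BENIGN_SOURCES = {
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\windows\\system32\\services.exe",
}


def parse_event(line: str) -> Dict[str, str]:
    """Turn a flattened key=value Sysmon line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_lsass_memory_read(ev: Dict[str, str]) -> bool:
    """True when a non-allowlisted process opened lsass.exe with VM_READ."""
    if ev.get("EventID") != "10":
        return False
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    if ev.get("SourceImage", "").lower() in BENIGN_SOURCES:
        return False
    granted = int(ev.get("GrantedAccess", "0"), 16)
    return bool(granted & PROCESS_VM_READ)


def find_lsass_dump_candidates(lines: List[str]) -> List[Dict[str, str]]:
    """Return the events that should be escalated; expect 2 hits on the sample."""
    return [ev for ev in map(parse_event, lines) if is_lsass_memory_read(ev)]


if __name__ == "__main__":
    for hit in find_lsass_dump_candidates(SAMPLE_EVENTS):
        print(f"LSASS read by {hit['SourceImage']} (access {hit['GrantedAccess']})")
```

Follow a hit with the same process's subsequent network events (Sysmon 3/22) to see the exfil leg; in the post's case that is the long-running upload to Dropbox.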