@Antonlovesdnb
Created December 23, 2022 22:13

Tool Link

https://github.com/deepinstinct/Lsass-Shtinkering

https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf

Query

  • Sumo Logic CIP format
  • Please consider this query experimental / for testing only
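// LSASS Shtinkering detection (see the tool and DEF CON 30 links above).
// Correlates, within a one-minute slice, three kinds of evidence:
//   (a) Sysmon process-create (event 1) of werfault.exe with the "-u -p <pid> -ip <pid> -s <value>" command line,
//   (b) Sysmon ProcessAccess (event 10) where the source image is werfault and the target image is lsass,
//   (c) a 4624 logon as SYSTEM with services.exe as the logon process.
// Data dependency: Sysmon must be configured to record ProcessAccess (event 10) against lsass.exe;
// without that, the lsass_access / werfault_as_source qualifiers can never fire and nothing is returned.
_collector="DC-SUMOTR1" //Setting collector — keep this scoped to the hosts where these events are expected
| where eventid = 10 OR eventid = 4624 OR eventid = 1 //Only looking for these specific event ids
| timeslice 1m //setting a slim timeslice to weed out false positives

//renaming some fields
// NOTE(review): eventdata.sourceuser is aliased as target_user_4624 and eventdata.targetusername as src_user;
// the source/target naming looks swapped relative to the alias names — confirm which event
// (Sysmon 10 vs 4624) each alias is meant to read before relying on q_system_exec / q_login_as_system.
| %"eventdata.commandline" as command_line
| %"eventdata.ParentImage" as parent_process
| %"eventdata.targetimage" as target_image
| %"eventdata.sourceimage" as source_image
| %"eventdata.sourceuser" as target_user_4624
| %"eventdata.processname" as process_name_4624
| %"eventdata.targetusername" as src_user

// Each qualifier becomes a 0/1 flag on its own event so it can be checked independently.
// The original concatenated the qualifier strings into one value per event and then required
// count_distinct(qualifiers) = 6; that does not mean "all six qualifiers met": one event can carry
// several qualifiers at once (lsass_access and werfault_as_source land on the same event 10) and
// non-matching events contribute "", so the distinct count of strings never lines up with six.
// \d+ replaces the fixed-width digit runs: PIDs and the -s value are not a fixed number of digits.
// NOTE(review): if Sumo's regex `matches` requires a full-field match, these unanchored fragments
// need surrounding `.*`; confirm against a known-good event before deploying.
| if(toLowerCase(command_line) matches /(werfault\.exe \-u \-p \d+ \-ip \d+ \-s \d+)/, 1, 0) as q_sus_werfault
| if(toLowerCase(target_image) matches /(lsass)/, 1, 0) as q_lsass_access
| if(toLowerCase(source_image) matches /(werfault)/, 1, 0) as q_werfault_as_source
| if(toLowerCase(src_user) matches /(nt authority\\system)/, 1, 0) as q_system_exec
| if(toLowerCase(target_user_4624) matches /(system)/, 1, 0) as q_login_as_system
| if(toLowerCase(process_name_4624) matches /(services\.exe)/, 1, 0) as q_service_login

// Per-timeslice hit count for each qualifier, plus the evidence fields an analyst needs for triage
| sum(q_sus_werfault) as sus_werfault, sum(q_lsass_access) as lsass_access, sum(q_werfault_as_source) as werfault_as_source, sum(q_system_exec) as system_exec, sum(q_login_as_system) as login_as_system, sum(q_service_login) as service_login, values(command_line) as command_line, values(parent_process) as parent_process, values(target_image) as target_image by _timeslice

// only return the timeslices in which every one of the six qualifiers was seen at least once
| where sus_werfault > 0 and lsass_access > 0 and werfault_as_source > 0 and system_exec > 0 and login_as_system > 0 and service_login > 0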