PowerShell script to dump lsass.exe process memory to disk for credentials extraction via silent process exit mechanism.
The script causes WerFault.exe to dump the lsass.exe process memory to disk for credential extraction via the silent process exit mechanism, without crashing lsass.exe. This technique is adapted from: https://github.com/deepinstinct/LsassSilentProcessExit
- DumpMode 0 - Call RtlSilentProcessExit on the LSASS process handle
- DumpMode 1 - Call CreateRemoteThread with RtlSilentProcessExit on LSASS
- Path where the dump file shall be stored
The following demo shows the dumping:
At the time of writing, we could not get the DumpMode 1 (using CreateRemoteThread) to work.
The powershell.exe process gets dumped along with lsass using DumpMode 0, hence any pointers to get the other method working are welcome!
The original article provides some pointers on how to detect this technique. From our point of view, the following two techniques are the best way to detect our script being run:
Monitor the following keys for creation and modification:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe
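As an added defender-side example (not part of this script or the Deep Instinct project), the snippet below checks the two keys above for an lsass.exe entry and then subscribes to registry change notifications on their parent keys so that creation or modification of those entries raises a warning. The value names it reads (GlobalFlag, ReportingMode, DumpType, LocalDumpFolder) and the 0x200 silent-exit monitoring bit are assumed from Microsoft's silent process exit documentation, not from this page.

```powershell
# Added detection example; assumes Windows PowerShell 5.1 or PowerShell 7 on Windows
# with rights to read HKLM and to register CIM indication events.
$Ifeo   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$Spe    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
$Target = 'lsass.exe'

function Test-LsassSilentExitConfig {
    # Returns one line per finding; an empty result means no lsass.exe entries exist.
    $findings = @()
    $ifeoKey = Join-Path $Ifeo $Target
    if (Test-Path $ifeoKey) {
        $flag = (Get-ItemProperty -Path $ifeoKey -ErrorAction SilentlyContinue).GlobalFlag
        # 0x200 (FLG_MONITOR_SILENT_PROCESS_EXIT) is an assumed value from Microsoft docs.
        if ($flag -and ($flag -band 0x200)) {
            $findings += "IFEO\$Target has GlobalFlag 0x$('{0:X}' -f $flag): silent-exit monitoring enabled"
        } else {
            $findings += "IFEO\$Target exists (GlobalFlag=$flag)"
        }
    }
    $speKey = Join-Path $Spe $Target
    if (Test-Path $speKey) {
        $p = Get-ItemProperty -Path $speKey -ErrorAction SilentlyContinue
        $findings += "SilentProcessExit\$Target exists: ReportingMode=$($p.ReportingMode) " +
                     "DumpType=$($p.DumpType) LocalDumpFolder=$($p.LocalDumpFolder)"
    }
    return $findings
}

# One-off check of the current state.
$now = Test-LsassSilentExitConfig
if ($now) { $now | ForEach-Object { Write-Warning $_ } }
else      { Write-Host "No lsass.exe silent-exit configuration present." }

# Live monitoring: RegistryTreeChangeEvent fires on any change beneath the parent key,
# which covers creation of the lsass.exe subkeys as well as later value edits.
# WQL requires backslashes in the path to be doubled.
$roots = @('SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options',
           'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit')
$i = 0
foreach ($root in $roots) {
    $i++
    $query = "SELECT * FROM RegistryTreeChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND RootPath='$root'"
    try {
        Register-CimIndicationEvent -Query $query -SourceIdentifier "SPEWatch-$i" -ErrorAction Stop -Action {
            $e = $Event.SourceEventArgs.NewEvent
            Write-Warning "Registry change under $($e.Hive)\$($e.RootPath) at $(Get-Date -Format o)"
        } | Out-Null
    } catch { Write-Warning "Could not subscribe to changes under $root : $_" }
}
# Remove the subscriptions with:
# Get-EventSubscriber | Where-Object SourceIdentifier -like 'SPEWatch-*' | Unregister-Event
```

The subscriptions only live for the current session; for durable coverage, forward the same keys to your SIEM via registry auditing (SACL plus event ID 4657) or Sysmon registry events.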
The following article is a good resource: https://devblogs.microsoft.com/powershell/powershell-the-blue-team/