Duping AV with handles

PROLOGUE

NAME AND SHAME

HOW IT WAS

  1. Open the LSASS process and parse the VAS (command: live lsa)
  2. Parse minidump files of an LSASS process offline (command: lsa minidump)
  3. Use Rekall to get credentials stored in full memory dumps and hibernation files (command: lsa rekall)
  4. Use Volatility3 to get credentials stored in full memory dumps and hibernation files
  5. Act as a plugin for MemProcFs to get credentials stored in full memory dumps

QUICK NOTE ON OPENPROCESS

  1. Acquire debug privilege.
  2. Find the LSASS process’ PID.
  3. Open the LSASS process by invoking the OpenProcess method.
  4. Initialize a virtual reader and pass the process handle to it.
  5. Begin parsing the VAS using this reader and extract credentials.

REQUESTED FEATURE

THE OTHER WAY

HOW TO OBTAIN A HANDLE TO LSASS WITHOUT OPENING LSASS

  1. Get debug privileges.
  2. NtQuerySystemInformation will yield all handles opened in all processes, including the PID of the process that owns each handle. After this, for each PID/handle pair:
  3. OpenProcess the owning process with the PROCESS_DUP_HANDLE access right. This allows us to duplicate its handles.
  4. NtDuplicateObject will copy the remote process’ handle into our process. Recommended to pass at least PROCESS_VM_READ for DesiredAccess.
  5. NtQueryObject will tell us if this handle is a Process handle or something else. (there are a lot of types, and OMG GUESS WHAT IT’S NOT DOCUMENTED)
  6. If it’s a process handle, QueryFullProcessImageName invoked with the handle will show the process executable path. If it’s lsass.exe then we have found a good match and can begin parsing.
Screenshot of the code because people tend to like articles with pictures in them
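The detection side of the two access patterns above, as an added example that is not part of the original post and not pypykatz code. It runs two rules over Sysmon-style ProcessAccess (Event ID 10) records reduced to the fields the rules need (UtcTime, SourceProcessId, SourceImage, TargetImage, GrantedAccess as the hex string Sysmon writes); the sample records, process names and PIDs are constructed, not captured from a real host. Rule 1 is the usual "someone opened lsass.exe with PROCESS_VM_READ" check, which catches the OpenProcess method. Rule 2 looks for what the handle-duping method leaves behind instead: one source opening many unrelated processes with PROCESS_DUP_HANDLE in a short window while it walks the handle table from step 2.

```python
"""Two detection rules for LSASS credential access patterns.

Added example (not pypykatz code). Input is a constructed list of
Sysmon-style Event ID 10 (ProcessAccess) records; values are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Process access rights from winnt.h that the two techniques rely on.
PROCESS_VM_READ = 0x0010
PROCESS_DUP_HANDLE = 0x0040

TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"


def _event(ts, src_pid, src_image, target_image, granted):
    """Build one constructed Sysmon-style ProcessAccess record."""
    return {"UtcTime": ts, "SourceProcessId": src_pid, "SourceImage": src_image,
            "TargetImage": target_image, "GrantedAccess": f"0x{granted:x}"}


# Constructed sample log (not a capture from a real host).
SAMPLE_EVENTS = [
    # Classic path: one OpenProcess straight at lsass.exe with VM_READ set.
    _event("2022-06-22 10:00:01.000000", 4100, r"C:\Tools\dumper.exe",
           r"C:\Windows\System32\lsass.exe", 0x1010),
    # Benign noise: a service reading one child process.
    _event("2022-06-22 10:00:02.000000", 5200, r"C:\Windows\System32\svchost.exe",
           r"C:\Windows\System32\conhost.exe", PROCESS_VM_READ),
]
# Handle-dup path: PID 6300 never opens lsass.exe, but opens every process it
# enumerates with PROCESS_DUP_HANDLE within a few milliseconds.
for i, name in enumerate(["explorer.exe", "svchost.exe", "RuntimeBroker.exe",
                          "SearchIndexer.exe", "taskhostw.exe", "spoolsv.exe"]):
    SAMPLE_EVENTS.append(_event(f"2022-06-22 10:00:05.{i:06d}", 6300,
                                r"C:\Tools\handledup.exe",
                                rf"C:\Windows\System32\{name}", PROCESS_DUP_HANDLE))


def granted_access(event):
    """GrantedAccess is logged as a hex string; return it as an int mask."""
    return int(event["GrantedAccess"], 16)


def detect_direct_lsass_read(events):
    """Rule 1: any source that opens lsass.exe with PROCESS_VM_READ.

    Catches the OpenProcess method; blind to handle duping, because that
    method never opens lsass.exe itself. Returns sorted source PIDs.
    """
    hits = set()
    for ev in events:
        if (ev["TargetImage"].lower().endswith("\\lsass.exe")
                and granted_access(ev) & PROCESS_VM_READ):
            hits.add(ev["SourceProcessId"])
    return sorted(hits)


def detect_dup_handle_sweep(events, min_targets=5, window=timedelta(seconds=10)):
    """Rule 2: one source opening >= min_targets distinct processes with
    PROCESS_DUP_HANDLE inside `window`. Returns {source_pid: distinct_targets}.
    """
    by_source = defaultdict(list)
    for ev in events:
        if granted_access(ev) & PROCESS_DUP_HANDLE:
            by_source[ev["SourceProcessId"]].append(
                (datetime.strptime(ev["UtcTime"], TIME_FMT), ev["TargetImage"].lower()))
    hits = {}
    for pid, opens in by_source.items():
        opens.sort()
        # Slide a window over the time-ordered opens of this source.
        for start_ts, _ in opens:
            targets = {t for ts, t in opens if start_ts <= ts <= start_ts + window}
            if len(targets) >= min_targets:
                hits[pid] = len(targets)
                break
    return hits


if __name__ == "__main__":
    print("direct lsass read:", detect_direct_lsass_read(SAMPLE_EVENTS))
    print("dup-handle sweep :", detect_dup_handle_sweep(SAMPLE_EVENTS))
```

Rule 2 is noisy on its own: handle-enumeration utilities, backup agents and endpoint sensors also open many processes with PROCESS_DUP_HANDLE, so it needs an allowlist of known source images and a threshold tuned per host role. Note also that a sensor built on kernel object callbacks (ObRegisterCallbacks) is notified of OB_OPERATION_HANDLE_DUPLICATE as well as handle creation, so whether the duplicated lsass handle goes unrecorded depends on whether the product logs that operation, not only on whether lsass.exe was ever OpenProcess'd.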

HOW IT IS NOW

  1. pypykatz now supports parsing running lsass process via external process handle using the go_live_phandle method.
  2. pypykatz now ships with the function to automatically search for open handles to lsass process in other processes and use them for parsing. This can be invoked either by calling the go_handledup method or from the command line by using the pypykatz live lsa --method handledup command.
Handle duping at work.

DOES IT REALLY EVADE AV?

SkelSec