Hiding malware in Windows – The basics of code injection

In2an3_PpG

Nov 15, 2016
Note: since Windows 8.1 you can optionally opt in to make lsass.exe a protected process. This is a really good idea, by the way, because lsass.exe has been attacked before for credential theft.

Configuring Additional LSA Protection

I recommend that everyone do this, but only if you understand how it works, to prevent potential problems.

It should be mentioned that to attack lsass.exe normally, you'd need to be running with elevation anyway... and thus if you had administrator rights, you could always forcefully disable the protection via registry modification, but it is unlikely this would happen in the real world anyway. I've never seen a malware sample actually do this in the wild yet.

I configured the additional protection following the registry key.

Interesting article, the author used mimikatz in a test against LSA protection and Credential Guard.

Poking Around With 2 lsass Protection Options – Red Teaming with a Blue Team Mentaility – Medium
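As an added example (not part of the original post), here is how the registry-based configuration referenced above can be applied and verified from an elevated PowerShell. The registry paths, values and event IDs follow Microsoft's "Configuring Additional LSA Protection" page; the Wininit provider name used for the event-log filter is an assumption.

```powershell
# Added example (not from the thread): enable LSA protection (RunAsPPL) and
# verify that lsass.exe actually started as a protected process.
# Run from an elevated PowerShell on Windows 8.1 or later; a reboot is required.

$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$IfeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'

function Get-LsaProtectionConfig {
    # RunAsPPL missing or 0 means lsass.exe starts unprotected.
    $runAsPpl = (Get-ItemProperty -Path $LsaKey  -Name RunAsPPL   -ErrorAction SilentlyContinue).RunAsPPL
    $audit    = (Get-ItemProperty -Path $IfeoKey -Name AuditLevel -ErrorAction SilentlyContinue).AuditLevel
    [pscustomobject]@{
        RunAsPPL   = if ($null -eq $runAsPpl) { 0 } else { $runAsPpl }
        AuditLevel = if ($null -eq $audit)    { 0 } else { $audit }
    }
}

function Enable-LsaAuditMode {
    # Step 1 (do this first): audit mode logs LSA plug-ins and drivers that
    # would be rejected under protection, without rejecting them. Findings are
    # events 3065/3066 in Microsoft-Windows-CodeIntegrity/Operational.
    if (-not (Test-Path $IfeoKey)) { New-Item -Path $IfeoKey -Force | Out-Null }
    Set-ItemProperty -Path $IfeoKey -Name AuditLevel -Value 8 -Type DWord
}

function Get-LsaAuditFindings {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066 } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Enable-LsaProtection {
    # Step 2: enforce. Takes effect at the next boot, when wininit.exe launches
    # lsass.exe as a PPL. Per Microsoft's documentation, on UEFI firmware this
    # also writes a UEFI variable that survives later registry changes and can
    # only be cleared with Microsoft's LSA protection opt-out tool, so do not
    # rely on simply deleting the value to back out.
    Set-ItemProperty -Path $LsaKey -Name RunAsPPL -Value 1 -Type DWord
}

function Test-LsaRunningProtected {
    # After the reboot, wininit logs System event 12:
    # "LSASS.exe was started as a protected process with level: 4".
    # Provider name below is an assumption; adjust if your log shows otherwise.
    $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $evt  = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12; StartTime = $boot } `
                         -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($evt) { "lsass.exe is protected this boot: $($evt.Message)" }
    else      { "lsass.exe is NOT running as a protected process this boot" }
}

Get-LsaProtectionConfig
Enable-LsaAuditMode
Get-LsaAuditFindings        # review before enforcing; third-party LSA plug-ins show up here
Enable-LsaProtection
Test-LsaRunningProtected    # run again after the reboot
```

Run the audit step for a while on a representative machine before enforcing; anything that shows up as event 3065/3066 (a smart-card or password-filter DLL that is not properly signed, for instance) will be blocked once RunAsPPL is set, which is the "potential problems" part mentioned in the post.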
 
Eddie Morra

Interesting article, the author used mimikatz in a test against LSA protection and Credential Guard.
The "0x00000005" error code being mentioned in that article is the Win32 error code for "Access Denied"; it is converted to a Win32 error code from the NTSTATUS STATUS_ACCESS_DENIED (0xC0000022).

Basically since the lsass.exe process is now a protected process, handle acquisition is being denied system-wide. NtOpenProcess -> calls PsLookupProcessByProcessId to make sure the process exists -> then moves to Psp* if I remember correctly.

I'll have to check ntoskrnl.exe tomorrow and then I'll let you know the whole process of NtOpenProcess internally.

But basically the Windows kernel checks the opaque structures and sees that lsass.exe is actually set as a protected process, so it blocks the operation and the caller is notified that access to the process was denied.

Without that process handle, Mimikatz cannot access or modify the virtual memory of lsass.exe remotely unless it has an exploit to bypass the protection.
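An added example, not from the post above, that reproduces the denied handle acquisition it describes, in PowerShell via P/Invoke. It first opens lsass.exe with the limited-query access that PPL still permits and reads its protection byte, then asks for the read access a credential dumper needs and compares the resulting Win32 error with RtlNtStatusToDosError(STATUS_ACCESS_DENIED). The ProcessProtectionInformation class number (61) and the PS_PROTECTION bit layout are undocumented and are assumptions taken from public reverse-engineering notes; everything else uses documented Win32/.NET calls.

```powershell
# Added example (not from the thread): show what Mimikatz hits when lsass.exe is a PPL.
# Run from an elevated PowerShell. Undocumented values are marked as assumptions.

$nativeSig = @'
using System;
using System.Runtime.InteropServices;
public static class Native
{
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);

    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr hProcess, int infoClass,
        ref byte info, int infoLength, out int returnLength);

    [DllImport("ntdll.dll")]
    public static extern uint RtlNtStatusToDosError(uint status);
}
'@
Add-Type -TypeDefinition $nativeSig

$PROCESS_QUERY_INFORMATION         = 0x0400
$PROCESS_VM_READ                   = 0x0010
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$ProcessProtectionInformation      = 61              # PROCESSINFOCLASS value (assumption, undocumented)
$STATUS_ACCESS_DENIED              = [uint32]3221225506   # 0xC0000022

# PS_PROTECTION byte (assumption, undocumented): Type in bits 0-2, Signer in bits 4-7.
$types   = 'None', 'ProtectedLight', 'Protected'
$signers = 'None', 'Authenticode', 'CodeGen', 'Antimalware', 'Lsa', 'Windows', 'WinTcb', 'WinSystem', 'App'

# Equivalent of Mimikatz's privilege::debug: SeDebugPrivilege gets an admin past
# the lsass DACL. It does nothing against PPL, which is the point of this test.
[System.Diagnostics.Process]::EnterDebugMode()

$lsassPid = [uint32](Get-Process -Name lsass).Id

# 1. Limited-query access is still granted to a protected process, and is enough
#    to read the protection level, so we can confirm PPL is on before testing.
$h = [Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $lsassPid)
if ($h -eq [IntPtr]::Zero) {
    throw "OpenProcess(QUERY_LIMITED) failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
[byte]$prot = 0
$retLen = 0
$status = [Native]::NtQueryInformationProcess($h, $ProcessProtectionInformation, [ref]$prot, 1, [ref]$retLen)
[void][Native]::CloseHandle($h)
if ($status -ne 0) { throw ('NtQueryInformationProcess failed with NTSTATUS 0x{0:X8}' -f $status) }
'lsass.exe protection: Type={0} Signer={1} (raw 0x{2:X2})' -f $types[$prot -band 7], $signers[($prot -shr 4) -band 0xF], $prot

# 2. The access a credential dumper needs. With lsass.exe as a PPL this is refused
#    regardless of the DACL or SeDebugPrivilege, and STATUS_ACCESS_DENIED comes
#    back to user mode as Win32 error 5.
$h = [Native]::OpenProcess(($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ), $false, $lsassPid)
if ($h -eq [IntPtr]::Zero) {
    $win32    = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    $expected = [Native]::RtlNtStatusToDosError($STATUS_ACCESS_DENIED)
    'OpenProcess(VM_READ) failed: Win32 error {0}; RtlNtStatusToDosError(STATUS_ACCESS_DENIED) = {1}' -f $win32, $expected
} else {
    'OpenProcess(VM_READ) succeeded: lsass.exe is NOT protected, its memory is readable'
    [void][Native]::CloseHandle($h)
}
```

On a host with RunAsPPL enabled the first line reports Type=ProtectedLight Signer=Lsa and the second reports error 5 on both sides; on a host without it, step 2 succeeds, which is exactly the handle Mimikatz's sekurlsa module goes on to use.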
 

In2an3_PpG

To learn more about the lsass process, should I look towards reading about LSA Authentication?

Ex. LSA Authentication

Or is there another source? I've been having a hard time finding much of anything other than the brief summary of what it does.

"Is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows Security Log. "

Or is this one of those undocumented scenarios with Microsoft?
 
Eddie Morra

Or is this one of those undocumented scenarios with Microsoft?
This.

The source and internals are all closed, so good luck finding information about the internals unless you reverse engineer it... There's lsasrv.dll as well, which lsass.exe uses and which contains some of the functionality.

The description of lsass.exe in the speech marks is accurate though, that is spot on for what it is for.
 

In2an3_PpG

Figures. Well, now I know.
 