The Dark Side of LSASS: How Evil Twins Bypass Security Measures

The EvilLsassTwin project on GitHub, found in the Nimperiments repository, focuses on a specific technique for extracting credentials from the Local Security Authority Subsystem Service (LSASS) process on Windows systems.

📌Objective: The project aims to demonstrate a method for credential dumping from the LSASS process, which is a common target for attackers seeking to obtain sensitive information such as passwords and tokens.

📌Technique: The method involves creating a "twin" of the LSASS process. This twin process is used to bypass certain security mechanisms that protect the original LSASS process from being accessed directly.

📌Implementation: The project provides a detailed implementation of the technique, including the necessary code and steps to replicate the process: creating a duplicate of the LSASS process, using the duplicate process to read the memory of the original LSASS process, and extracting credentials from that memory.

📌Security Implications: The project highlights the potential security risks associated with this technique, emphasizing the need for robust security measures to protect the LSASS process and prevent unauthorized access.
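Added example from the defender's side, not code from the EvilLsassTwin project: a small Python detector for Sysmon Event ID 10 (ProcessAccess) records that obtain memory-read rights on lsass.exe, which any reading of the original LSASS process memory requires. The flattened record format, the sample events and the file names in them are constructed here for illustration; only the PROCESS_* access-right values are real Windows constants.

```python
# Added example (not from the EvilLsassTwin project): flag Sysmon Event ID 10
# (ProcessAccess) records in which a process obtains memory-read rights on
# lsass.exe. Reading LSASS memory, which the technique above ultimately needs,
# shows up as such a handle request. Sample records below are constructed.

# Access-right bits from the Windows PROCESS_* constants (subset).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF

ACCESS_NAMES = {
    PROCESS_ALL_ACCESS: "PROCESS_ALL_ACCESS",
    PROCESS_QUERY_LIMITED_INFORMATION: "PROCESS_QUERY_LIMITED_INFORMATION",
    PROCESS_QUERY_INFORMATION: "PROCESS_QUERY_INFORMATION",
    PROCESS_VM_READ: "PROCESS_VM_READ",
}

# Constructed ProcessAccess records flattened to "key=value|key=value" text.
SAMPLE_EVENTS = [
    "SourceImage=C:\\Windows\\System32\\svchost.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1000",
    "SourceImage=C:\\Users\\u\\Downloads\\twin.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1010",
    "SourceImage=C:\\Users\\u\\Downloads\\twin.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1FFFFF",
    "SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\System32\\notepad.exe|GrantedAccess=0x1FFFFF",
]

def parse_event(line):
    """Split one flattened record into a dict; GrantedAccess becomes an int."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    fields["GrantedAccess"] = int(fields["GrantedAccess"], 16)
    return fields

def describe_access(mask):
    """Name the known access-right bits present in a GrantedAccess mask."""
    return [name for bit, name in ACCESS_NAMES.items() if mask & bit == bit]

def is_suspicious_lsass_access(event):
    """True when the target is lsass.exe and the handle allows memory reads.
    Query-only access (e.g. 0x1000) is common and benign, so it is ignored."""
    target = event["TargetImage"].rsplit("\\", 1)[-1].lower()
    if target != "lsass.exe":
        return False
    return bool(event["GrantedAccess"] & PROCESS_VM_READ)

def find_suspicious(lines):
    """Return (SourceImage, hex mask, rights) for every suspicious record."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious_lsass_access(ev):
            mask = ev["GrantedAccess"]
            hits.append((ev["SourceImage"], hex(mask), describe_access(mask)))
    return hits

if __name__ == "__main__":
    for source, mask, rights in find_suspicious(SAMPLE_EVENTS):
        print(f"lsass.exe memory-read access by {source}: {mask} {rights}")
```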

📌Code Availability: The full source code and documentation are available on the GitHub page, allowing users to explore and understand the technique in detail.

Industry Impact and Consequences

📌Increased Risk of Credential Theft: The EvilLsassTwin technique highlights the vulnerability of the LSASS process, which stores sensitive information such as encrypted passwords, NT hashes, LM hashes, and Kerberos tickets. Attackers exploiting this technique can gain unauthorized access to these credentials, leading to potential data breaches and unauthorized access to critical systems.

📌Lateral Movement and Privilege Escalation: Once attackers obtain credentials from the LSASS process, they can use them to move laterally within the network, escalating their privileges and compromising additional systems. This can lead to a widespread compromise of the network, making it difficult for organizations to contain the attack.

📌Real-World Examples and Case Studies: The BlackCat ransomware attack is a notable example where attackers used LSASS memory dumping to extract credentials. They modified the WDigest configuration to read user account passwords and used tools like Mimikatz to perform the dump, enabling them to gain further access and move laterally within the network.

