Class: HackTool
HackTool programs are used to create new users in the list of permitted system visitors, and to delete information from system logs in order to hide the malicious user’s presence on the system. These programs are also used to analyze and collect network packets to carry out specific malicious actions. Malicious users employ HackTool programs when setting up attacks on local or remote computers.Read more
Platform: MSIL
The Common Intermediate Language (formerly known as Microsoft Intermediate Language, or MSIL) is an intermediate language developed by Microsoft for the .NET Framework. CIL code is generated by all Microsoft .NET compilers in Microsoft Visual Studio (Visual Basic .NET, Visual C++, Visual C#, and others).Family: MDWD
No family descriptionExamples
DC7C0B2681CDCE6BE215EDC2C12D0F80A6F94C405F22E2E91609BD5EB5D907E7
B6958DA2F12E2F1CAC1DD0690C3730E2
7A834876E29415608CE259CC45B46118
FCBD706F6D8584E2349191A8E3512001
Tactics and Techniques: Mitre*
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material.
As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
For example, on the target host use procdump:
* procdump -ma lsass.exe lsass_dump
Locally, mimikatz can be run using:
* sekurlsa::Minidump lsassdump.dmp
* sekurlsa::logonPasswords
Built-in Windows tools such as comsvcs.dll can also be used:
* rundll32.exe C:WindowsSystem32comsvcs.dll MiniDump PID lsass.dmp full(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user’s Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLMSYSTEMCurrentControlSetControlLsaSecurity Packages and HKLMSYSTEMCurrentControlSetControlLsaOSConfigSecurity Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
The following SSPs can be used to access credentials:
* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material.
As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
For example, on the target host use procdump:
* procdump -ma lsass.exe lsass_dump
Locally, mimikatz can be run using:
* sekurlsa::Minidump lsassdump.dmp
* sekurlsa::logonPasswords
Built-in Windows tools such as comsvcs.dll can also be used:
* rundll32.exe C:WindowsSystem32comsvcs.dll MiniDump PID lsass.dmp full(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user’s Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLMSYSTEMCurrentControlSetControlLsaSecurity Packages and HKLMSYSTEMCurrentControlSetControlLsaOSConfigSecurity Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
The following SSPs can be used to access credentials:
* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)
* © 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.