Bypass ASR Rule and Dump LSASS
Last updated
Was this helpful?
Last updated
Was this helpful?
In this article, I'll share my successful method for bypassing the "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" rule in Attack Surface Reduction (ASR), allowing me to dump the LSASS process. But before diving into the details, let me provide a brief introduction to ASR.
Attack Surface Reduction (ASR) is a set of rules designed to limit the effectiveness of common malware techniques. ASR is a key feature of Defender's Advanced Threat Protection, which can help detect and prevent targeted exploits. By restricting the ways in which attackers can infiltrate a system, ASR provides an additional layer of defense against cyber threats.
Attack surface reduction (ASR) rules target certain software behaviors, such as:
Launching executable files and scripts that attempt to download or run files.
Running obfuscated or otherwise suspicious scripts.
Block credential stealing from the Windows local security authority subsystem (lsass.exe).
Attack surface reduction features across Windows versions. You can set attack surface reduction rules for devices that are running any of the following editions and versions of Windows:
Windows 10 Pro, or later
Windows 10 Enterprise, or later
Windows Server, or later
Not configured or Disable: The state in which the ASR rule hasn't been enabled or has been disabled. The code for this state = 0.
Block: The state in which the ASR rule is enabled. The code for this state is 1.
Audit: The state in which the ASR rule is evaluated for the effect it would have on the organization or environment if enabled (set to block or warn). The code for this state is 2.
Warn The state in which the ASR rule is enabled and presents a notification to the end-user, but permits the end-user to bypass the block. The code for this state is 6.
This rule helps prevent credential stealing by locking down Local Security Authority Subsystem Service (LSASS). For more information about others rules you can find it on Microsoft’s website.
Each rule has its own GUID. To enable this rule via Powershell by specifying the AttackSurfaceReductionRules_Actions as "Enable”:
As shown in the picture, the rule is enabled in Block mode.
Microsoft says: “This rule prevents untrusted processes from having direct access to LSASS memory. Whenever a process tries to use the OpenProcess() function to access LSASS, with an access right of PROCESS_VM_READ, the rule will specifically block that access right.” You may be wondering if there is such a thing as a trusted process, and the answer is yes.
If we can create a process as one of the processes in the list, we will be able to bypass the rule. So, say hello to Process Hollowing.
Process hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code.
By this technique, we can abuse the list of path exclusions from Windows defender, which gives us the advantage of dumping the LSASS process and bypassing the rule.
Let’s write our PoC. First, we need to create a process in a suspended state, and I will go with “WmiPrvSE.exe.”
After the new process is created, we need to inject the shellcode in the created process (WmiPrvSE.exe).
Finally, resume the thread to trigger our payload to dump the LSASS process.
Full C# code (PoC).
Like what you saw above, we successfully bypassed ASR by implementing the Process Hollowing technique.
However, it's important to note that there are other options available, and Cobalt Strike provides a convenient and efficient method for achieving similar results.
In fact, I went searching for some trusted processes or whitelisting options within Windows Defender, and I stumbled across the repository on GitHub. This repository contained a list of exclusion paths, which are considered to be trusted processes by Windows Defender.
