In this video, we explore the importance of dumping the LSASS.exe process memory for credentials harvesting.
The video begins with an introduction to LSASS.exe process memory dumping, explaining why this technique is critical for an adversary during the lateral movement phase of the cyber kill chain.
The video then walks through several examples of dumping the LSASS.exe process memory, all of which were detected and prevented by Microsoft Windows Defender.
Following that, a short introduction to Beacon Object Files (BOF) is given, together with a practical hands-on demonstration of using a publicly available BOF loader, COFFLoader.exe by TrustedSec, to execute the Nanodump BOF (.o) file.
Ultimately, it was possible to successfully dump the LSASS.exe process memory while bypassing the latest Windows Defender on a fully updated Windows 11 machine.
Stay connected:
Twitter: https://twitter.com/gemini_security
Udemy: https://www.udemy.com/user/gemini-88/
Github: https://github.com/gemini-security
Discord: https://discord.gg/u9Qxxbamke
References used:
BOF Introduction by Authors of Cobalt Strike:
https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/beacon-object-files_main.htm
MITRE ATT&CK on LSASS Dumping:
https://attack.mitre.org/techniques/T1003/001/
TrustedSec’s Articles on BOF:
https://www.trustedsec.com/blog/coffloader-building-your-own-in-memory-loader-or-how-to-run-bofs/
https://www.trustedsec.com/blog/operators-guide-to-the-meterpreter-bofloader/
COFFLoader and Nanodump:
https://github.com/trustedsec/COFFLoader
https://github.com/fortra/nanodump
Gemini Security Awesome Hacking T-Shirts (support the channel):
https://www.redbubble.com/people/GeminiSecurity/shop?asc=u
Please take the opportunity to connect and share this video with your friends and family if you find it useful.