Asaf Gilboa and Ron Ben-Yitzhak - LSASS Shtinkering: Abusing Windows Error Reporting to Dump LSASS

    Asaf Gilboa, Security Researcher, Deep Instinct
    Ron Ben-Yitzhak, Security Researcher, Deep Instinct

    Presentation Title: LSASS Shtinkering: Abusing Windows Error Reporting to Dump LSASS
    Length of presentation: 45 minutes
    Demo, Tool


    This presentation will show a new method of dumping LSASS that bypasses current EDR defenses without exploiting a vulnerability, but by abusing a built-in Windows mechanism: the Windows Error Reporting (WER) service.

    WER is a built-in system in Windows designed to gather information about software crashes. One of its main features is producing a memory dump of crashing user-mode processes for further analysis.

    We will present in detail, and demo, a new attack vector for dumping LSASS, which we dubbed LSASS Shtinkering: manually reporting an exception to WER on the LSASS process without crashing it. The technique can also be used to dump the memory of any other process of interest on the system.

    This attack can bypass defenses that wrongfully assume that a memory dump generated by the WER service is always benign, non-attacker-triggered activity.

    The talk will take the audience through the steps and approach we used to reverse-engineer the WER dumping process, the challenges we found along the way, and how we managed to solve them.

    SPEAKER BIOS

    Asaf Gilboa and Ron Ben-Yitzhak

    Asaf and Ron are Security Researchers at Deep Instinct, where they both work on developing new defense capabilities based on researching and understanding novel attack techniques and vectors. After serving for several years in the advanced technological cyber units of the IDF, Asaf and Ron gained experience in multiple aspects of technical cyber-security work, including forensics, incident response, development, reverse engineering and malware research.
    Last edited by number6; 4 weeks ago.