Full Report
While doing an internal assessment, I was able to compromise multiple computers and servers but wasn’t able to dump the LSA secrets because of a particular EDR being installed and pretty aggressive against me.
Analysis Summary
# Tool/Technique: NetExec (LSA Secrets Dumping via SMB)
## Overview
NetExec is a tool used for performing various network tasks, including the dumping of LSA secrets and the SAM database from remote systems, typically via the SMB protocol. The technique involves remotely saving sensitive registry hives (SAM, SECURITY, SYSTEM) containing credentials and encryption keys.
## Technical Details
- Type: Tool
- Platform: Windows
- Capabilities: Remote dumping of SAM, SECURITY, and SYSTEM registry hives for credential extraction (NT hashes, LSA secrets).
- First Seen: Not specified in the source; the technique relies on standard remote registry operations rather than anything novel.
## MITRE ATT&CK Mapping
When used for remote LSA/SAM dumping via SMB:
- T1003 - OS Credential Dumping
- T1003.001 - LSASS Memory
- T1003.002 - Security Account Manager
- T1589 - Gather Victim Identity Information
- T1589.002 - Domain Accounts (Indirectly, by obtaining secrets to decrypt credentials)
## Functionality
### Core Capabilities
- **Remote Registry Hive Dumping**: Utilizes `nxc smb` commands to interface with the remote system's SMB share and execute remote registry saving operations via the `RegSaveKeyExW` WinAPI function to dump `HKLM\SAM`, `HKLM\SECURITY`, and `HKLM\SYSTEM`.
- **Credential Extraction**: The dumped hives (especially SECURITY and SYSTEM) are processed using Impacket's secretsdump library to extract LSA secrets and SAM hashes.
### Advanced Features
- **Use of Secretsdump Library**: NetExec leverages the secretsdump functionality (likely via Impacket) to process the saved hive files offline or remotely.
- **Detection Evasion Focus**: The article focuses heavily on how EDRs detect the correlated actions of this tool but also discusses bypassing these detections through decorrelation.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: Registry hives dumped to the remote host's Temp directory using an 8-character random string followed by `.tmp` (e.g., `[RANDOM8].tmp`).
- Registry Keys: Interaction with `HKLM\SAM`, `HKLM\SECURITY`, and `HKLM\SYSTEM`.
- Network Indicators: RPC connection attempts, and SMB connections targeting administrative shares.
- Behavioral Indicators:
1. Enabling the Remote Registry service.
2. Saving multiple sensitive registry hives sequentially.
3. Remote download of the saved temporary hive files.
4. Direct calls (or calls by `reg.exe`) to the `RegSaveKeyExW` WinAPI function.
## Associated Threat Actors
- Threat actors who utilize common red teaming/pentesting toolsets involving Impacket-based utilities. (Specific named actors are not mentioned in the context).
## Detection Methods
- Signature-based detection: Blocking the string "reg save HKLM\SAM" in process command lines.
- Behavioral detection: Correlating the sequence of actions: RPC connection -> Registry Service activity -> File creation in Temp -> Remote file transfer.
- Hooking: EDRs hook the `RegSaveKeyExW` function to block the write operation directly.
## Mitigation Strategies
- **EDR/AV Configuration**: Configure aggressive monitoring/blocking against the execution of `reg save` combined with sensitive hive paths.
- **Process Protection**: Protect access to the `HKLM\{SAM, SECURITY, SYSTEM}` registry hives, potentially by monitoring or hooking `RegSaveKeyExW`.
- **Defense-in-Depth (Decorrelation Bypass)**: Block the *intent* rather than the tool, so that detection covers the sub-steps any variant of the attack must perform:
1. Monitoring registry key class queries necessary to derive the Boot Key or decrypt data.
2. Monitoring `reg export` only if performed on sensitive keys, though this is considered noisy.
## Related Tools/Techniques
- `reg.exe` (used for local hive dumping via `reg save`, also blocked by EDR in the scenario).
- Secretsdump (part of Impacket, used internally by NetExec for processing hives).
- Techniques involving direct LSASS memory dumping (common malware technique that the EDR likely blocks).
- **Decorrelation attacks**: A method to bypass EDRs by breaking a complex attack sequence into several isolated, mundane steps performed by different binaries or manual operations (e.g., using `reg export` followed by offline decryption).
---
# Technique: Decorrelated LSA Secret Dumping / Dual-Use Binary Evasion
## Overview
This technique involves breaking down a high-fidelity detection target (like a single tool attempting to dump critical secrets) into multiple, less suspicious, smaller operations to bypass security tooling like EDRs that rely on monitoring complete attack chains or specific binary signatures.
## Technical Details
- Type: Technique (Adversarial TTP)
- Platform: Windows
- Capabilities: Circumventing EDRs that look for correlated high-risk actions by spreading the stages of an attack (e.g., credential dumping) across different tools or manual steps.
- First Seen: Not explicitly defined, but described as a technique used "a lot in the last couple of years."
## MITRE ATT&CK Mapping
- T1564.003 - Hide Artifacts: File Deletion (If related to cleanup/hiding components)
- T1055 - Process Injection (Often used in advanced decorrelation, though not the primary focus here, which uses file operations)
- T1003 - OS Credential Dumping (By enabling the successful execution of standard dumping steps)
## Functionality
### Core Capabilities
- **Breaking Down the Attack Chain**: Separating LSA secret extraction into distinct, non-correlated phases: 1) Boot Key Retrieval, 2) Hive Export (`reg export`), and 3) Offline Decryption.
- **Minimizing Local Artifacts**: Performing cryptographic decryption operations on an attacker-controlled machine rather than the target, reducing on-host suspicious activity.
### Advanced Features
- **Exploiting Legitimate Tools**: Utilizing the non-blocking `reg export` command instead of `reg save` to retrieve hive contents in a readable text format.
- **Format Conversion**: Converting the text-based output from `reg export` files (which secretsdump rejects) into the binary format required by dumping tools by importing them into a controlled VM and running `reg save`.
- **Minimal Binary Footprint**: Stripping offensive binaries of unnecessary strings or code to reduce the likelihood of static or behavior-based detection.
## Indicators of Compromise
- File Hashes: [Not applicable—focus is on methodology]
- File Names: Use of standard utilities like `reg.exe`, PowerShell, along with files resulting from `reg export` (`.reg` files).
- Registry Keys: Not directly applicable, as the goal is to avoid monitoring standard registry writes/saves.
- Network Indicators: Exfiltration of registry text exports followed by decryption offline.
- Behavioral Indicators:
- Sequence of: Registry read/export operations -> Data exfiltration -> Offline processing.
- Execution of PowerShell scripts designed solely for modifying `HKLM` references in exported `.reg` files to `HKCU\HELLO` for re-importation.
## Associated Threat Actors
- Sophisticated threat actors or penetration testers who encounter mature EDR defenses.
## Detection Methods
- **Holistic Analysis**: Detection must rely on deep understanding of the goal state (credential access) and correlate seemingly benign actions across time and systems.
- **Monitoring `reg export` on Sensitive Keys**: While noisy, monitoring `reg export HKLM\SAM` or similar operations can flag suspicious data staging.
- **Behavioral Sequencing**: Establishing baselines for normal administrative activity and flagging deviations, such as retrieving multiple core system hives via any means over a short period.
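The signature check from the NetExec Detection Methods above (the `reg save HKLM\SAM` command-line string) and the behavioral sequencing described in this section can be run as two tiers of one detector. This is an added example, not code from the original article: it processes constructed process-creation events (hosts, paths and timestamps are made up) and flags a host that reaches two different sensitive hives within a short window, even when each call is an individually unremarkable `reg export`.

```python
import re
from datetime import datetime, timedelta

# reg save/export of a whole sensitive hive; HKLM may appear in its long form and be quoted.
# Sub-key exports (HKLM\SYSTEM\CurrentControlSet\...) are deliberately not matched here.
HIVE_RE = re.compile(
    r'\breg(?:\.exe)?\s+(save|export)\s+"?(?:HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SECURITY|SYSTEM)(?=["\s]|$)',
    re.IGNORECASE,
)

# Constructed process-creation events, not real telemetry (timestamp, host, command line).
EVENTS = [
    {"ts": "2024-05-01T10:00:01", "host": "WS01", "cmd": r"C:\Windows\System32\reg.exe save HKLM\SAM C:\Windows\Temp\a.tmp"},
    {"ts": "2024-05-01T10:02:10", "host": "WS02", "cmd": r'reg export "HKEY_LOCAL_MACHINE\SAM" C:\Users\bob\sam.reg'},
    {"ts": "2024-05-01T10:02:35", "host": "WS02", "cmd": r"reg export HKLM\SYSTEM C:\Users\bob\sys.reg"},
    {"ts": "2024-05-01T10:05:00", "host": "WS03", "cmd": r"reg export HKLM\SOFTWARE\Contoso C:\backup\contoso.reg"},
    {"ts": "2024-05-01T10:06:00", "host": "WS03", "cmd": r"reg export HKLM\SYSTEM\CurrentControlSet\Services C:\backup\svc.reg"},
    {"ts": "2024-05-01T11:45:00", "host": "WS01", "cmd": r"reg export HKLM\SECURITY C:\Windows\Temp\sec.reg"},
]


def signature_hits(events):
    """Signature tier: every reg save/export naming a full sensitive hive, on any host."""
    hits = []
    for e in events:
        m = HIVE_RE.search(e["cmd"])
        if m:
            hits.append((e["host"], m.group(1).lower(), m.group(2).upper()))
    return hits


def behavioral_hits(events, window=timedelta(minutes=10), min_hives=2):
    """Behavioral tier: a host that reaches at least min_hives distinct sensitive hives
    inside the window, whichever reg verb was used. One export is noisy; several
    different hives within minutes is the decorrelated dump pattern."""
    recent = {}  # host -> [(timestamp, hive), ...] still inside the window
    flagged = set()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        m = HIVE_RE.search(e["cmd"])
        if not m:
            continue
        ts = datetime.fromisoformat(e["ts"])
        kept = [(t, h) for t, h in recent.get(e["host"], []) if ts - t <= window]
        kept.append((ts, m.group(2).upper()))
        recent[e["host"]] = kept
        if len({h for _, h in kept}) >= min_hives:
            flagged.add(e["host"])
    return sorted(flagged)
```

WS01's two hive operations are an hour and a half apart, so only WS02 trips the behavioral tier with the default window; widen the window or lower `min_hives` to trade noise for coverage.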
## Mitigation Strategies
- **Behavioral Detection Models**: Implementing models that correlate low-fidelity events (like `reg export`) when they are followed by network connections indicative of staging/exfiltration.
- **Principle of Least Privilege**: Ensure service accounts and local user accounts have restricted registry access, although highly privileged administrators or system processes usually have full rights to these hives.
- **Security Tool Visibility**: Ensure EDR drivers are monitoring all necessary WinAPI calls related to registry manipulation and process execution, even when using legitimate binaries like `reg.exe`.
## Related Tools/Techniques
- `reg.exe` (used via `reg export` command).
- Secretsdump (used offline).
- DPAPI Secret Dumping (mentioned as another target for this evasion technique).