
Guard My Windows

The Windows LSA (Local Security Authority), responsible for user authentication and for maintaining sensitive user data such as Windows logon passwords and access tokens, has always been the holy grail of exploitation on the hackers' checklist, for obvious reasons, and there has been much success in ventures to undermine it.

For example, recent user identity spoofing vulnerabilities reported in LSA, such as CVE-2022-26925 and CVE-2021-36942, allow attackers to authenticate to and own a Domain Controller (DC), compromising an entire organisation's network, by calling an LSARPC (LSA Remote Procedure Call) interface function with strategically chosen parameters. A DC is a server which responds to authentication requests in a domain and typically controls access to various resources within an organisation's LAN. It turns out that CVE-2021-36942 was exploited by LockFile ransomware, which used a compromised DC to push its payload to all networked clients.

Further, OS Credential Dumping has been a part of attacker TTPs for ages. It works by extracting credentials from the LSASS process in the form of NTLM (NT LAN Manager) and SHA hashes and, in some cases, even clear text. The easy availability of offensive tools such as Mimikatz has made it simple for mere script kiddies to extract credentials from the LSA.

Fortunately, of late, Microsoft has paid more attention to these issues and has introduced features to mitigate such attacks against LSA. In addition to patching known vulnerabilities, these features include Credential Guard, which stores secrets in an isolated process backed by Virtualization Based Security; running LSA as a protected process; and Attack Surface Reduction (ASR) rules. Together they ensure that LSA and related processes execute with restricted privileges and prevent other processes from accessing the LSA. Nevertheless, despite these features being in place, there still exist ways to extract credential details, even on Windows 11.
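The three mitigations named above are all things a defender can verify on a given host. The PowerShell below is an added example written for this page, not code from the talk or from K7 Computing: it reads the documented registry values for LSA protection (RunAsPPL) and Credential Guard policy (LsaCfgFlags, EnableVirtualizationBasedSecurity), asks the DeviceGuard WMI class whether Credential Guard is actually running, and checks the state of the Microsoft Defender ASR rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)". The function names, output field names and the hypothetical remediation helper are this example's own; the registry paths, cmdlets and the ASR rule GUID are Microsoft's. Run it from an elevated prompt.

```powershell
# Added example (not part of the original talk abstract).
# Audits the LSA mitigations discussed above on the local machine.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$DeviceGuardKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
# Defender ASR rule: "Block credential stealing from the Windows local
# security authority subsystem (lsass.exe)" (Microsoft's documented GUID).
$LsassAsrRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

function Get-LsaHardeningStatus {
    # Returns one object describing how well lsass.exe is shielded.
    [CmdletBinding()]
    param()

    $lsa = Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue
    $dg  = Get-ItemProperty -Path $DeviceGuardKey -ErrorAction SilentlyContinue

    # RunAsPPL = 1 (or 2 with UEFI lock on newer builds) runs lsass.exe as a
    # Protected Process Light, so ordinary admin-level code cannot open it for reading.
    $runAsPpl = [int]($lsa.RunAsPPL -as [int])          # missing value -> 0

    # Policy intent for Credential Guard: LsaCfgFlags 1 = on with UEFI lock, 2 = on without lock.
    $lsaCfgFlags = [int]($lsa.LsaCfgFlags -as [int])
    $vbsPolicy   = [int]($dg.EnableVirtualizationBasedSecurity -as [int])

    # Runtime truth: Win32_DeviceGuard.SecurityServicesRunning contains 1 when
    # Credential Guard (the isolated LSAIso process) is actually running.
    $dgState = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $credGuardRunning = [bool]($dgState -and ($dgState.SecurityServicesRunning -contains 1))

    # ASR rule state from Defender. Actions: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
    $asrAction = 'NotConfigured'
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    if ($mp -and $mp.AttackSurfaceReductionRules_Ids) {
        $ids = @($mp.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
        $idx = [array]::IndexOf($ids, $LsassAsrRuleId)
        if ($idx -ge 0) {
            $asrAction = switch ([int]$mp.AttackSurfaceReductionRules_Actions[$idx]) {
                0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($_)" }
            }
        }
    }

    [PSCustomObject]@{
        RunAsPPL                 = $runAsPpl
        LsaProtectionEnabled     = ($runAsPpl -ge 1)
        CredentialGuardPolicy    = $lsaCfgFlags
        VbsEnabledByPolicy       = ($vbsPolicy -eq 1)
        CredentialGuardRunning   = $credGuardRunning
        LsassAsrRuleAction       = $asrAction
    }
}

function Enable-LsaHardening {
    # Hypothetical helper for this example: applies the two settings that need no
    # VBS-capable hardware. Credential Guard additionally needs UEFI/VBS and is
    # normally rolled out via Group Policy or Intune, so it is not toggled here.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('lsass.exe', 'Set RunAsPPL=1 (LSA protection; effective after reboot)')) {
        Set-ItemProperty -Path $LsaKey -Name RunAsPPL -Value 1 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess('Defender ASR', "Set rule $LsassAsrRuleId to Block")) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassAsrRuleId `
            -AttackSurfaceReductionRules_Actions Enabled
    }
}

# Usage: report the current state and flag the gaps a defender would want closed.
$status = Get-LsaHardeningStatus
$status | Format-List
if (-not $status.LsaProtectionEnabled)   { Write-Warning 'RunAsPPL not set: lsass.exe is not a protected process.' }
if (-not $status.CredentialGuardRunning) { Write-Warning 'Credential Guard is not running: secrets live in lsass.exe, not LSAIso.' }
if ($status.LsassAsrRuleAction -ne 'Block') { Write-Warning "ASR LSASS rule is '$($status.LsassAsrRuleAction)', not 'Block'." }
# To remediate (dry run first): Enable-LsaHardening -WhatIf
```

The audit deliberately distinguishes policy from runtime state: a host can have LsaCfgFlags set and still not be running Credential Guard if the hypervisor or UEFI prerequisites are missing, so the WMI `SecurityServicesRunning` check is the one to trust. Note that RunAsPPL only takes effect after a reboot, and that ASR rules in Audit mode log but do not block access to lsass.exe.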

In this presentation, we shall take a deep dive into the Windows LSA service with a focus on its exploitation, past and present, using the modus operandi of password extraction tools, as well as our own demo exploitation of CVE-2022-26925 leading to remote code execution. We will also explore the inner workings of recently introduced mitigations such as Credential Guard and ASR, and how they help to defend the critical LSA against exploitation and compromise.

Anurag Shandilya

Anurag Shandilya is the Assistant Vulnerability Research Manager at K7 Computing's Threat Control Lab. His areas of research include Windows and IoT vulnerabilities. He has 7+ years of experience in Vulnerability Research and Vulnerability Assessment and Penetration Testing (VAPT). He has presented at AVAR (2018, 2020 and 2021), VB (2019) and CARO (2020) and actively contributes to the K7 Computing blog. His other areas of interest include bug bounty and playing table tennis.