Zerosalarium

Old But Gold, Dumping LSASS With Windows Error Reporting On Modern Windows 11

I. LEAD-IN

As we know, after an attacker gains control of a machine on the network, the
most common action they take is to find a way to dump the cached passwords on
the current machine to use them for lateral movement.

The program that holds the cached passwords on Windows is “LSASS.EXE”.
Because dumping the LSA process is becoming increasingly common, Windows is
also becoming more restrictive in allowing you to extract the memory area of
this process.

On modern versions of Windows, LSASS is protected by PPL (Protected
Process Light). This means that regardless of your permissions, you cannot
interact with the memory area of this process unless you have kernel
privileges or are also a process protected by PPL.

In this article, I will exploit a tool from an older version of Windows,
WerFaultSecure.exe, to steal the memory area of the LSA process on the
latest version of Windows 11 at the time of publication.

Find me on X to get the latest pentest and red team tricks that I’ve been
researching: Two Seven One Three (@TwoSevenOneT) on X

II. MAIN SECTION

1. What is “WerFaultSecure.exe”?

WerFaultSecure.exe is a Windows system file that’s part of the
Windows Error Reporting (WER) service. Just like its sibling
WerFault.exe, it helps collect and report crash data when applications
or system processes fail.

The “Secure” part of its name indicates it handles these reports from
protected processes and encrypts the data before writing it to disk.

When WerFaultSecure.exe is executed, it always runs with PPL
(Protected Process Light) protection at the highest level, WinTCB.

2. The Idea Of Exploiting WerFaultSecure.exe To Steal The Memory
Area Of The LSA Process

Because the LSA process is protected by PPL, only processes with the same
PPL level or higher can access its memory area.

WerFaultSecure.exe was created for the purpose of collecting crash
dumps of PPL processes when exceptions occur with these processes. This is why
WerFaultSecure.exe always has a PPL protection level of WinTCB,
the highest level.

The issue is that WerFaultSecure.exe will encrypt the dump file written
to the disk. While browsing the Internet, I found a study on a vulnerability
in WerFaultSecure.exe in the Windows 8.1 version (UNREAL MODE: BREAKING
PROTECTED PROCESSES). Therefore, I will try to use the vulnerable
WerFaultSecure.exe from Windows 8.1 to run on the experimental Windows 11
version.

In fact, the author of the research also created a proof of concept at that
time, but I couldn’t find it on the Internet and I’m not sure if it can be
executed on the current version of Windows.

In the research, it was found that WerFaultSecure.exe has a
vulnerability that allows it to write unencrypted crash dump files to the
disk. We will exploit this vulnerability.

3. Undocumented Parameters Of WerFaultSecure.exe

After reviewing the research mentioned above and combining it with some
tedious reverse engineering, along with getting lost in the kernel debug
matrix, I was able to run WerFaultSecure.exe to dump the process with the
following parameters:

  • /h: Triggers the hidden secure dump mode.
  • /pid [pid]: Process ID of the process to dump.
  • /tid [tid]: Main thread ID of the process to dump.
  • /file [handle]: Handle to the unencrypted crash dump file.
  • /encfile [handle]: Handle to the encrypted crash dump file.
  • /cancel [handle]: Handle to the cancel event.
  • /type [flags]: MINIDUMP_TYPE flags.

Although these parameters can be recovered by reverse engineering, they
still have to be supplied in exactly the form that WerFaultSecure.exe’s
peculiar argument parser expects.

4. Exploiting WerFaultSecure.exe To Dump LSASS

I will experiment on Windows 11 24H2 OS Build 26100.6584 with the
latest patches available at this time.

(Screenshot: WSASS running on the latest Windows 11 version)

After gathering all the necessary information, I will proceed to exploit
WerFaultSecure.exe to steal the valuable memory area of LSASS by copying
the older version of WerFaultSecure.exe to the machine that needs to be
dumped and using a loader to activate it for dumping the LSA memory area.

The loader is named “WSASS”, and you can download it at the following
link:

https://github.com/TwoSevenOneT/WSASS

The loader performs the following tasks:

  1. Use the CreateProcessAsPPL tool’s function to run WerFaultSecure.exe
     with PPL protection at the WinTCB level.
  2. Wait for WerFaultSecure.exe to complete, then replace the magic header
     of the dump file with the PNG magic header to prevent the antivirus from
     deleting the file.
  3. Occasionally, LSASS.exe may be left in a suspended state by
     WerFaultSecure.exe. The loader interacts with LSASS using only the
     PROCESS_SUSPEND_RESUME right to restore it to normal operation.

Prepare the parameters for WerFaultSecure.exe as follows:

  • The file handles, the event handle and the MINIDUMP_TYPE flags must be
    passed in decimal format.
  • The files and the event must be created with inheritance set to TRUE.
  • When running WerFaultSecure.exe, the CreateProcessW call must have
    bInheritHandles set to TRUE.

(Screenshot: WSASS console output)

After running, you can take the file “proc.png” located in the same
folder as WSASS.exe and restore the first 4 bytes to the values
{0x4D, 0x44, 0x4D, 0x50} (“MDMP”). After that, you can use it as a regular
MINIDUMP file.

(Screenshot: the LSASS minidump file created by the loader)
(Screenshot: pypykatz parsing the dump file produced by WSASS)

At this point, you can continue the lateral movement activities using the
passwords obtained from the dump file.
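The PNG disguise described above leaves a file that carries the PNG magic but none of the PNG structure behind it, while the rest of the minidump header and its stream directory survive untouched. The following Python is an added triage example written for this article; it is not part of the WSASS project and does not come from the original post. It classifies a blob that starts with the PNG magic as a genuine PNG, a malformed PNG or a disguised minidump by validating the MINIDUMP_HEADER fields and the stream directory that begin at offset 4, and it can walk a directory tree looking for such files. It goes slightly beyond the 4-byte swap the post describes: because NumberOfStreams and StreamDirectoryRva start at offset 8, the directory consistency check still fires even if all 8 PNG signature bytes had been written over the header. The layout constants come from the public minidump format; the sample bytes the helpers build are constructed for the demonstration and are not a real LSASS dump.

```python
import os
import struct
import zlib
from typing import Optional

# MINIDUMP_HEADER (dbghelp.h): Signature "MDMP", Version, NumberOfStreams,
# StreamDirectoryRva, CheckSum, TimeDateStamp (ULONG32 each), Flags (ULONG64): 32 bytes.
MINIDUMP_SIGNATURE = b"MDMP"          # {0x4D, 0x44, 0x4D, 0x50}, the bytes the post restores
MINIDUMP_VERSION = 0xA793             # low 16 bits of the Version field
MINIDUMP_HEADER_SIZE = 32
DIRECTORY_ENTRY_SIZE = 12             # MINIDUMP_DIRECTORY: StreamType, DataSize, Rva
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
STREAM_NAMES = {3: "ThreadListStream", 4: "ModuleListStream", 5: "MemoryListStream",
                6: "ExceptionStream", 7: "SystemInfoStream", 9: "Memory64ListStream"}


def classify_png_blob(data: bytes, total_size: Optional[int] = None) -> dict:
    """Classify bytes that start with the PNG magic.

    verdict is 'not_png', 'png', 'malformed_png' or 'disguised_minidump'. A disguised
    minidump is recognised by a self-consistent MINIDUMP_HEADER and stream directory
    behind the PNG bytes; a surviving Version word is reported as an extra indicator.
    total_size carries the real file size when only a prefix of the file was read.
    """
    size = len(data) if total_size is None else total_size
    result = {"verdict": "not_png", "reasons": [], "streams": []}
    if data[:4] != PNG_SIGNATURE[:4]:
        return result
    # A genuine PNG has the full 8-byte signature followed by a 13-byte IHDR chunk.
    if data[4:8] == PNG_SIGNATURE[4:8] and data[8:16] == b"\x00\x00\x00\x0dIHDR":
        result["verdict"] = "png"
        return result
    result["verdict"] = "malformed_png"
    result["reasons"].append("PNG magic but no IHDR chunk at offset 8")
    if len(data) < MINIDUMP_HEADER_SIZE:
        return result
    version, nstreams, dir_rva, _csum, timestamp, _flags = struct.unpack_from("<IIIIIQ", data, 4)
    if (version & 0xFFFF) == MINIDUMP_VERSION:
        result["reasons"].append("MINIDUMP_VERSION 0xA793 present at offset 4")
    # The directory must sit after the header and inside the file, and every entry
    # must point at data that is also inside the file.
    if nstreams < 1 or dir_rva < MINIDUMP_HEADER_SIZE:
        return result
    dir_end = dir_rva + nstreams * DIRECTORY_ENTRY_SIZE
    if dir_end > len(data) or dir_end > size:
        return result
    streams = []
    for i in range(nstreams):
        stype, dsize, rva = struct.unpack_from("<III", data, dir_rva + i * DIRECTORY_ENTRY_SIZE)
        if rva < MINIDUMP_HEADER_SIZE or rva + dsize > size:
            return result
        streams.append((stype, STREAM_NAMES.get(stype, "stream_%d" % stype), dsize))
    result.update(verdict="disguised_minidump", streams=streams, time_date_stamp=timestamp)
    result["reasons"].append("self-consistent minidump stream directory with %d entries" % nstreams)
    return result


def scan_directory(root: str) -> list:
    """Return (path, classification) for every file under root that carries the PNG
    magic but is not a well-formed PNG. Only the first 1 MiB is read; the real size is
    passed so RVA bounds checks stay meaningful (a directory beyond 1 MiB is still
    reported, as malformed_png)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(1024 * 1024)
                verdict = classify_png_blob(head, os.path.getsize(path))
            except OSError:
                continue
            if verdict["verdict"] in ("malformed_png", "disguised_minidump"):
                findings.append((path, verdict))
    return findings


def build_sample_minidump() -> bytes:
    """Constructed stand-in for a minidump (not a real LSASS dump): a valid header,
    a two-entry stream directory and two dummy stream bodies."""
    bodies = [(3, b"THREADS"), (4, b"MODULES!")]
    dir_rva = MINIDUMP_HEADER_SIZE
    data_rva = dir_rva + len(bodies) * DIRECTORY_ENTRY_SIZE
    directory, payload = b"", b""
    for stype, body in bodies:
        directory += struct.pack("<III", stype, len(body), data_rva + len(payload))
        payload += body
    header = MINIDUMP_SIGNATURE + struct.pack("<IIIIIQ", 0x0001A793, len(bodies), dir_rva, 0, 0x66E00000, 0)
    return header + directory + payload


def build_disguised_sample() -> bytes:
    """The constructed minidump with its first 4 bytes swapped for the PNG magic,
    the on-disk shape the post describes for proc.png."""
    return PNG_SIGNATURE[:4] + build_sample_minidump()[4:]


def build_sample_png() -> bytes:
    """A minimal well-formed PNG prefix (signature + IHDR chunk) for the negative case."""
    ihdr = b"IHDR" + struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit greyscale
    return PNG_SIGNATURE + struct.pack(">I", 13) + ihdr + struct.pack(">I", zlib.crc32(ihdr) & 0xFFFFFFFF)


if __name__ == "__main__":
    import sys
    for path, info in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, info["verdict"], "; ".join(info["reasons"]), info["streams"])
```

Run it against a directory of interest (for example the folder where a suspicious loader was found) and treat a `disguised_minidump` verdict on a `.png` as a strong signal; a `malformed_png` verdict with the `0xA793` reason is worth a manual look as well, since a truncated or partially overwritten dump can fail the directory check while still exposing the version word.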

III. SUMMARY

Windows versions generally have very good compatibility with each other, so
a tool available on a lower version of Windows is likely to work on higher
versions as well.

By exploiting the vulnerability in WerFaultSecure.exe from the Windows 8.1
version, along with the ability to actively run a process with PPL
protection through the CreateProcessAsPPL tool, we can steal the protected
memory area of LSASS. The WSASS tool is an offensive tool designed to
exploit the vulnerability in WerFaultSecure.exe to dump the memory area of
LSA.

We can prevent the exploitation of this vulnerability by monitoring the
image file location of the WerFaultSecure.exe process. If it is
located outside of System32, there is a high likelihood that it is
malicious.
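One way to implement the monitoring recommended above, as an added example that is neither the post's nor the WSASS project's code: evaluate each process-creation record and alert when the image name is WerFaultSecure.exe but its normalized path is not C:\Windows\System32. The records use Sysmon Event ID 1 style field names, the sample events are constructed, and the assumption that the system drive is C: is mine; the path normalization is there so that a path like C:\Windows\System32\..\Temp\WerFaultSecure.exe, or one with unusual casing, is judged by where it really points.

```python
import ntpath

# Where the genuine binary lives. Assumption for this example: the system drive is C:.
TRUSTED_DIRS = {r"c:\windows\system32"}
TARGET_IMAGE = "werfaultsecure.exe"

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-09-10 08:01:12", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WerFaultSecure.exe"},
    {"UtcTime": "2025-09-10 08:05:44", "ParentImage": r"C:\Users\Public\WSASS.exe",
     "Image": r"C:\Users\Public\WerFaultSecure.exe"},
    {"UtcTime": "2025-09-10 08:06:02", "ParentImage": r"C:\Users\Public\loader.exe",
     "Image": r"C:\Windows\System32\..\Temp\werfaultsecure.EXE"},
    {"UtcTime": "2025-09-10 08:07:30", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WerFault.exe"},
]


def normalize_nt_path(path: str) -> str:
    """Collapse '..' segments and fold case so the path is compared by where it really
    points rather than by whether the substring 'System32' appears in it."""
    return ntpath.normcase(ntpath.normpath(path))


def evaluate_process_event(event: dict) -> dict:
    """Apply the post's rule to one record: alert when WerFaultSecure.exe starts
    from any directory other than System32."""
    image = event.get("Image", "")
    directory, base = ntpath.split(normalize_nt_path(image))
    if base != TARGET_IMAGE:
        return {"alert": False, "reason": "image is not WerFaultSecure.exe"}
    if directory in TRUSTED_DIRS:
        return {"alert": False, "reason": "WerFaultSecure.exe started from System32"}
    return {"alert": True,
            "reason": "WerFaultSecure.exe started from %s" % directory,
            "parent": event.get("ParentImage", "")}


def triage(events) -> list:
    """Return the records that trigger the rule, each with its verdict attached."""
    hits = []
    for ev in events:
        verdict = evaluate_process_event(ev)
        if verdict["alert"]:
            hits.append({**ev, **verdict})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("%s ALERT %s (parent: %s)" % (hit["UtcTime"], hit["reason"], hit["parent"]))
```

The parent image is carried along in each hit because it is the most useful pivot during triage: a genuine crash handler is started by the WER service, whereas a copy dropped by an operator is started by whatever loader launched it.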
