
Maldev-Academy/LsassHijackingViaReg


LsassHijackingViaReg


Loading a DLL into LSASS at boot, providing persistence.

How?


  1. Lsass.exe is found to be reading two registry keys at startup to load DLLs from the System32 directory. These keys are:

  • Extension under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LsaExtensionConfig\Interfaces\1001 to read lsasrv.dll.

  • Extension under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LsaExtensionConfig\Interfaces\1002 to read dpapisrv.dll.


  2. We constructed a program that elevates to TrustedInstaller to edit one of these registry keys, replacing the original DLL name with ours.

Note

  • The same program disables PPL so that an unsigned DLL can be loaded into LSASS. Otherwise the machine ends up in a boot loop, because Lsass crashes during startup when an unsigned DLL is loaded into it. One can get around this by loading a signed but vulnerable DLL and exploiting it later (BYOVDLL - Bring Your Own Vulnerable DLL).
  • We are replacing dpapisrv.dll rather than lsasrv.dll, because the latter has far more exported variables/functions, which makes proxying such a DLL less stable (for comparison, dpapisrv.dll exports only 2 functions).

  3. After the next system boot, our DLL (Dummy.dll) will be loaded into Lsass.exe.
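A defender-side check for the keys and setting described above, added here as an example and not code from this repository: it reads the Extension value of both interfaces, compares it with the DLL name the README gives for each, verifies the Authenticode signature of the file in System32, and reports whether RunAsPPL is set under the Lsa key. It assumes the Extension value holds a bare file name that is resolved against System32.

```powershell
# Added audit example (not part of the Maldev-Academy repository).
# Assumption: "Extension" holds a DLL file name resolved against System32.
$expected = @{
    '1001' = 'lsasrv.dll'    # per the README
    '1002' = 'dpapisrv.dll'  # per the README
}
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\LsaExtensionConfig\Interfaces'

foreach ($id in $expected.Keys) {
    $key = Join-Path $base $id
    $ext = (Get-ItemProperty -Path $key -Name Extension -ErrorAction SilentlyContinue).Extension
    if (-not $ext) { Write-Warning "$key : Extension value missing"; continue }

    # Any deviation from the stock DLL name is worth an incident ticket.
    $check = if ($ext -ieq $expected[$id]) { 'OK' } else { 'TAMPERED' }

    # Verify the file LSASS will actually load is present and Microsoft-signed.
    $path = Join-Path "$env:SystemRoot\System32" $ext
    $sig  = if (Test-Path $path) { (Get-AuthenticodeSignature $path).Status } else { 'FileMissing' }

    [pscustomobject]@{
        Interface = $id
        Extension = $ext
        Expected  = $expected[$id]
        Check     = $check
        Signature = $sig
    }
}

# RunAsPPL >= 1 means LSASS runs as a protected process; the README notes the
# hijack only works once PPL has been turned off, so a missing value is a finding.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -ErrorAction SilentlyContinue
if ($lsa.RunAsPPL -ge 1) { 'LSA PPL: enabled' } else { Write-Warning 'LSA PPL: not enabled' }
```

Run from an elevated PowerShell; a TAMPERED check, a non-Valid signature, or a disabled PPL on a host that should have it are the conditions this technique depends on.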


Quick Links

  • Maldev Academy Home
  • Maldev Academy Syllabus
  • Offensive Phishing Operations
  • Maldev Database
