{"id":31080174,"url":"https://github.com/compcode1/lsass-memory-scraping","last_synced_at":"2025-09-16T11:04:59.748Z","repository":{"id":290972089,"uuid":"976154792","full_name":"Compcode1/lsass-memory-scraping","owner":"Compcode1","description":"The case illustrates the power of structured host-based triage — beginning with logs and EDR, and moving through file inspection, RAM capture, and finally, network artifact confirmation.","archived":false,"fork":false,"pushed_at":"2025-05-01T16:55:07.000Z","size":41,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-01T17:25:35.937Z","etag":null,"topics":["credential-dumping","cybersecurity","cybersecurity-case-study","digital-forensics","edr-analysis","host-triage","lsass","memory-forensics","mimikatz","powershell-analysis","windows-forensics"],"latest_commit_sha":null,"homepage":"","language":"Jupyter Notebook","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Compcode1.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-01T15:43:23.000Z","updated_at":"2025-05-01T17:08:06.000Z","dependencies_parsed_at":"2025-05-01T17:35:39.235Z","dependency_job_id":null,"html_url":"https://github.com/Compcode1/lsass-memory-scraping","commit_stats":null,"previous_names":["compcode1/lsass-memory-scraping"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Compcode1/lsass-memory-scraping","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Flsass-memory-scraping","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Flsass-memory-scraping/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Flsass-memory-scraping/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Flsass-memory-scraping/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Compcode1","download_url":"https://codeload.github.com/Compcode1/lsass-memory-scraping/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Flsass-memory-scraping/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":275407963,"owners_count":25459380,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-16T02:00:10.229Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["credential-dumping","cybersecurity","cybersecurity-case-study","digital-forensics","edr-analysis","host-triage","lsass","memory-forensics","mimikatz","powershell-analysis","windows-forensics"],"created_at":"2025-09-16T11:02:26.995Z","updated_at":"2025-09-16T11:04:59.729Z","avatar_url":"https://github.com/Compcode1.png","language":"Jupyter Notebook","readme":"# 🧠 Host-Based Credential Dumping Case Study: LSASS Memory Scraping\n\nThis project analyzes a simulated host-based credential dumping attempt discovered via an anomalous process execution chain. Using Steven Tuschman’s **Cybersecurity Battlefield** framework and a six-layer Windows OS triage model, the investigation traces attacker behavior across system layers—culminating in the discovery of credential access from memory via LSASS.\n\n---\n\n## 🚨 Executive Summary\n\n- **Trigger**: EDR alert flagged abnormal execution: `explorer.exe → cmd.exe → powershell.exe` with base64-encoded script.\n- **Triage Method**: Full host-based forensic triage using logs, EDR, registry inspection, memory capture, and network review.\n- **Outcome**: Credential harvesting via PowerDump targeting `lsass.exe` confirmed in memory; local persistence and outbound beaconing also observed.\n\n---\n\n## 🧩 Battlefield Mapping\n\n| Battlefield Layer                  | Attack Surface Exploited                               |\n|-----------------------------------|--------------------------------------------------------|\n| **Layer 1: Process Execution**     | Obfuscated PowerShell launched from GUI shell → cmd    |\n| **Layer 2: Startup \u0026 Persistence** | Registry Run key \u0026 dropped binary (`svcupdate.exe`)    |\n| **Layer 3: Background Services**   | Validated service registry entries for tampering       |\n| **Layer 4: Credential Management** | Credential scraping via LSASS memory access (`PROCESS_VM_READ`) |\n| **Layer 5: Monitoring \u0026 Detection**| CrowdStrike Falcon EDR flagged abnormal parent-child chain |\n| **Layer 6: Network Communication** | HTTPS beaconing to `auth-verifier[.]net` over TLS      |\n\n---\n\n## 🔬 Key Investigation Steps\n\n### 1. **Windows Event Log Review**\n- `Event ID 4688`: Traced suspicious execution chain with `-enc` flag\n- `Event ID 4624`: Odd-hour interactive logon\n- `Event ID 13`: Registry key created pointing to dropped binary\n\n### 2. **EDR Telemetry Review (CrowdStrike)**\n- Parent-child execution tree validated\n- PowerShell memory handle to `lsass.exe` confirmed (`PROCESS_VM_READ`)\n- Obfuscated script decoded to known PowerDump credential tool\n\n### 3. **Registry \u0026 File Inspection**\n- Malicious file in `C:\\Users\\Public\\` (unsigned, unknown hash)\n- Persistence via `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`\n\n### 4. **Volatile Memory Capture**\n- Tool: Magnet RAM Capture → Volatility Framework\n- Retrieved PowerDump.ps1 script from memory\n- LSASS access confirmed, no rootkit behavior found\n\n### 5. **Network Artifact Review**\n- SWG \u0026 firewall logs showed outbound beaconing to:\n  - `auth-verifier[.]net` (new domain, self-signed TLS cert)\n  - IP: `94.130.10.42` on 90-second interval\n\n---\n\n## 🔐 Root Cause \u0026 Threat Model\n\n- Attacker operated entirely within GUI session — no phishing or exploit.\n- Local admin rights + unrestricted PowerShell enabled credential access.\n- Outbound firewall allowed TLS to untrusted domains.\n- PowerShell logging was disabled — reducing script visibility.\n\n---\n\n## ✅ Containment Actions\n\n- Host isolated via EDR\n- svcupdate.exe quarantined\n- Registry keys deleted\n- Memory dump preserved\n- Credentials rotated \u0026 sessions invalidated\n- IP/domain block applied in firewall\n\n---\n\n## 🧭 Lessons Learned\n\n- Remove local admin rights from standard users\n- Enable PowerShell script block logging\n- Block outbound TLS to unvetted domains\n- Enforce application allowlisting\n- Require MFA for local workstation logon\n\n---\n\n## 💡 Skills Demonstrated\n\n- Host-based forensic triage\n- EDR investigation and process chain analysis\n- Memory forensics (Volatility + Magnet RAM Capture)\n- Adversary behavior modeling using battlefield framework\n- Structured investigation documentation\n\n---\n\n## 📁 Repository Contents\n\n| File | Description |\n|------|-------------|\n| `ioc-lsass-memory-dump.ipynb` | Full triage workflow in Jupyter |\n| `memory_sample.vmem` | Captured RAM image (for Volatility) |\n| `decoded_script.ps1` | Recovered PowerDump credential script |\n| `eventlog_notes.txt` | Key event IDs and triage timeline |\n\n---\n\n## 🔗 Related Projects\n\n- [Splunk SwiftOnSecurity Visibility Upgrade](https://github.com/Compcode1/splunk-swift-detection)\n- [Insider Threat Simulation (PowerShell \u0026 Scheduled Tasks)](https://github.com/Compcode1/insider-threat-simulation-2)\n- [Credential Harvesting via PDF Redirect (IOC 11)](https://github.com/Compcode1/ioc11-credential-harvesting-pdf)\n\n---\n\n© 2025 Steven Tuschman – GitHub: [Compcode1](https://github.com/Compcode1)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcompcode1%2Flsass-memory-scraping","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcompcode1%2Flsass-memory-scraping","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcompcode1%2Flsass-memory-scraping/lists"}