Posts

Showing posts from July, 2025

Investigating LSASS and its Capabilities

What is LSASS? The Local Security Authority Subsystem Service (LSASS), running as lsass.exe on Windows, is the guard at the gate of your system’s security. After you log in, LSASS holds your credential data in memory: things like Kerberos tickets, NTLM hashes, and sometimes even plaintext passwords. This makes it attractive for attackers looking to hijack sessions, move laterally, or escalate privileges. This covers the TTPs of TA0008 (Lateral Movement), TA0006 (Credential Access) and TA0010 (Exfiltration). Sometimes it's difficult to map to the MITRE ATT&CK framework accurately, as a tactic only gives a brief description of the adversary's general outlook and goal. The real nature of the attack depends on what is being accessed and on the eventual goal and nature of the attack.

Why Attackers Target LSASS: Reading LSASS memory is like opening a treasure chest full of credentials. Tools such as Mimikatz, Procdump, Taskmgr, or even native system libraries like...

DLL Injection via CreateRemoteThread

What Is DLL Injection? From game injectors to malicious actors, at its core, DLL injection is a method attackers use to sneak malicious code into legitimate processes. Instead of launching a standalone malware process, they embed their code inside a trusted one, great for evading detection! One of the most common ways to do this on Windows is using a combination of VirtualAllocEx, WriteProcessMemory, CreateRemoteThread and LoadLibraryA. Here’s how it works step by step:

Step-by-step Injection Method: Create, Write, Load

Pick a Target Process: An attacker chooses a host process (e.g., svchost.exe), locates it via Windows APIs, and grabs a handle using OpenProcess.

Get LoadLibraryA Address: Since kernel32.dll is loaded in most Windows processes, locating the address of LoadLibraryA is easy, and crucial for the next step.

Prepare the DLL Path: The attacker allocates memory inside the victim process (VirtualAllocEx) and writes the path to their...