LSASS. Archives

Tech Optimizer

October 20, 2025

New DefenderWrite Tool Allows Attackers to Inject Malicious DLLs into AV Executable Folders

DefenderWrite is a new tool that uses whitelisted Windows programs to bypass antivirus protections and write files into executable folders. Developed by cybersecurity expert Two Seven One Three, it allows penetration testers to deploy payloads in secure locations without needing kernel-level access. The tool identifies whitelisted system programs, enabling attackers to inject malicious DLLs into antivirus folders. In tests on Windows 11 with Microsoft Defender, four vulnerable programs were identified: msiexec.exe, Register-CimProvider.exe, svchost.exe, and lsass.exe. DefenderWrite includes parameters for targeted operations and a PowerShell script for scanning executables. It highlights the need for antivirus vendors to improve their whitelisting policies and process isolation. The tool is publicly available, raising concerns about its potential use in real-world attacks.

Tech Optimizer

September 21, 2025

New EDR-Freeze Tool That Puts EDRs and Antivirus Into A Coma State

EDR-Freeze is a proof-of-concept tool developed by Zero Salarium that can place Endpoint Detection and Response (EDR) and antivirus solutions into a suspended state. It utilizes the MiniDumpWriteDump function from the Windows DbgHelp library to achieve this by extending the suspension of target processes. The tool circumvents the Protected Process Light (PPL) security feature using WerFaultSecure.exe, which operates at a high privilege level. By launching WerFaultSecure.exe with specific parameters, EDR-Freeze can monitor and suspend it, preventing the target EDR or antivirus process from resuming. A test on Windows 11 24H2 successfully suspended the MsMpEng.exe process of Windows Defender. Detecting this technique involves monitoring for unusual executions of WerFaultSecure.exe targeting sensitive process IDs.

Winsage

August 23, 2025

Hackers Can Exfiltrate Windows Secrets and Credentials Silently by Evading EDR Detection

A new method allows attackers to extract Windows secrets and credentials without being detected by most Endpoint Detection and Response (EDR) solutions. This technique enables individuals with access to a Windows machine to gather credentials for lateral movement within a network. The Local Security Authority (LSA) manages sensitive information through two in-memory databases: the SAM database, which stores user credentials, and the Security database, which holds LSA secrets. Access to these databases requires interaction with the SAM and SECURITY registry hives, protected by Discretionary Access Control Lists (DACLs) that limit access to SYSTEM privileges. Attackers typically face detection when accessing the lsass.exe process memory, as EDR solutions monitor high-risk activities. Researcher Sud0Ru has introduced a method that bypasses these defenses by using the undocumented API NtOpenKeyEx with the REGOPTIONBACKUPRESTORE flag, allowing attackers to read the SAM and SECURITY hives without SYSTEM-level privileges. To avoid detection, attackers use the RegQueryMultipleValuesW API, which is less monitored by EDRs, to extract encrypted secrets from the hives. This approach allows the operation to occur entirely in memory, leaving no on-disk artifacts and evading typical security alerts.

Winsage

May 21, 2025

Windows 10’s latest update packs a nasty bug, and while your system might be safe, it’s vital you check now

Windows 10 users are experiencing issues with the May update, which has a bug affecting business laptops with Intel vPro processors. This bug can cause update installation failures and repeated automatic repair attempts. Microsoft has released an emergency fix, KB5061768, which users should apply before installing the May update. The problem stems from the termination of the lsass.exe service, leading to automatic repair failures and potential lockouts for users with Device Encryption or BitLocker. To recover, users may need to disable Intel Trusted Execution Technology (TXT) and Intel VT for Direct I/O in BIOS settings, which typically requires the BitLocker recovery key. A workaround allows users to disable Intel TXT without changing Intel VT settings. Users can access BIOS by pressing keys like F2, F10, or F12 during startup, navigate to the Intel TXT setting, disable it, and then restart their PC to install the emergency patch. It is recommended to install the emergency fix before downloading the May update. Similar bugs have occurred in previous updates for Windows 10 and 11. Windows 11 users should note that a clean install of version 24H2 automatically applies Device Encryption, which requires careful management of Microsoft account credentials for recovery keys.

Winsage

May 19, 2025

Latest patch puts some Windows 10 machines in recovery loops

Many users are experiencing issues with Windows 10 versions 22H2 and Windows 10 Enterprise LTSC 2021, particularly those with Intel Trusted Execution Technology (TXT) on tenth-generation or later Intel processors with vPro support. Users who have BitLocker enabled and installed the KB5058379 patch released on May 13 may need their BitLocker recovery keys due to a bug causing lsass.exe to terminate unexpectedly, leading to an Automatic Repair cycle or a reboot loop. Microsoft has acknowledged the issue and is working on an Out-of-band update. Meanwhile, workarounds, such as disabling TXT, pose security risks. Microsoft also announced significant layoffs affecting thousands of employees.

Winsage

April 23, 2025

Announcing Windows 11 Insider Preview Build 27842 (Canary Channel)

Windows 11 Insider Preview Build 27842 has been released to the Canary Channel. There are no plans to release SDKs for the 27xxx series builds. Changes include: - Temporary disappearance of enhanced battery iconography. - A new user interface for unexpected restarts is being previewed, appearing as a “green screen” for Insiders on version 24H2 and higher. - The Windows Security app will display additional details about Pluton TPM chips under Device security. Fixes include: - Resolved issues with Windows Update toggle, high CPU usage by lsass.exe, and crashes in ctfmon.exe and DWM. - Improved reliability of explorer.exe and fixed display issues with external graphics cards and JPG images. - Corrected problems with the Smart App Control icon and the Run dialog autocomplete. Known issues include: - Users on new Copilot+ PCs may lose access to Windows Hello PIN and biometrics. - Night light functionality is not working for some Insiders. - Bugcheck issues when using Xbox Controllers via Bluetooth. Insiders in the Canary Channel should note that builds may evolve and features may be removed or never reach general release. A clean installation of Windows 11 is required to exit the Canary Channel.

Winsage

April 9, 2025

Exploitation of CLFS zero-day leads to ransomware activity

The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) identified a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS), designated as CVE-2025-29824. This vulnerability has been exploited by the PipeMagic malware, attributed to the group Storm-2460, affecting organizations in various sectors across the U.S., Venezuela, Spain, and Saudi Arabia. Microsoft released security updates on April 8, 2025, to address this vulnerability. The exploit allows attackers with standard user privileges to escalate their access, and it was executed from a dllhost.exe process. The exploit utilizes memory corruption techniques and the RtlSetAllBits API to gain all privileges and inject processes into SYSTEM processes. Post-exploitation, the attackers injected a payload into winlogon.exe, leading to ransomware activity characterized by file encryption and the creation of ransom notes. Indicators of compromise include the creation of a CLFS BLF file at C:ProgramDataSkyPDFPDUDrv.blf, command lines associated with ransomware activities, and specific domains linked to PipeMagic. Microsoft advises applying security updates promptly and recommends strategies for mitigating ransomware threats, including enabling cloud-delivered protection and utilizing device discovery.

Winsage

June 13, 2024

Microsoft brings new features to Windows 10 with KB5039211 update

Microsoft has released the KB5039211 update for Windows 10, which includes fixes for lsass.exe memory leak issues and new features such as an updated Snipping Tool.

Winsage

June 13, 2024

Microsoft Rolls Out Security-Focused Windows 10 Update

Microsoft has released a cumulative update, KB5039212, for Windows 10 users to enhance security and address multiple vulnerabilities.

Winsage

June 12, 2024

Windows 10 KB5039211 adds a new feature (direct download links)

- KB5039211 offline installer can be downloaded from a specific link. - New feature allows managing Android device screenshots on Windows 10 PC using Snipping Tool. - Bug fixes include lsass.exe process issues and USB controller share button problem. - Known issues include problems with Copilot, Profile picture bug, and DHCP Option 235.