sfapm - EvanMcBroom/lsa-whisperer GitHub Wiki

Secret Filter AP

Sfapm is the "Web Defense" authentication package (AP) and security package (SP), available on NT 10 19045 and above. Sfapm is a part of Microsoft’s WebThreatDefense technology and is documented as the Enhanced Phishing Protection in Microsoft Defender SmartScreen. The main purpose of sfapm is to monitor user activity to identify if a user typed or copied their password into an application. It has a complementary DLL, named sfape.dll, which is likely used to support running the package in a VBS enclave. Microsoft does not publish symbols for the current release of sfapm, but symbols are at least published for file version 1.0 for NT 10 14983 (e.g., "WinBuild.160101-0800").

Functions

Although the package does implement the CallPackage, CallPackageUntrusted, and CallPackagePassthrough functions, they do not implement any internal message protocol. They are only implemented to log their invocations. As such, supporting an sfapm package call is not currently planned for LSA Whisperer.

SP Functions

Although LSA Whisperer focuses on the AP functionality of an SSP, the SP portion of sfapm is documented here as a convenience for readers. Sfapm implements multiple SP APIs, but it does not implement any security protocol. Similar to the AP APIs that sfapm implements, sfapm implements multiple SP APIs but only to log when they are invoked.

SpAcceptCredentials

Rudimentary logging is implemented in all of sfapm’s SP APIs, but additional work is performed for its implementation of SpAcceptCredentials. An SP’s SpAcceptCredentials API is invoked by LSASS when a user logs on to allow the package to create a new logon session for the user. Sfapm’s implementation of SpAcceptCredentials will check if the logon ID is SYSTEM (e.g., 0x3e7) or if its a network logon. If neither is true, sfapm will additionally log the LogonType, AccountName, and PrimaryCredentials parameters that are passed to the function.

RPC Servers

Sfapm implements two RPC servers that may be of interest to readers and as such are documented here. These servers are used to monitor logon requests, clipboard activity, and keystroke input for all user sessions. If Credential Isolation is not enabled, sfapm will initialize these RPC servers when it is loaded into LSASS during startup. If either the following Windows features are enabled, sfapm will additionally load the SFAPE.dll module through sfapm!LoadEnclaveImage:

  • Virtual-based Security (VBS) is enabled

  • The ProcessRedirectionTrustPolicy mitigation is enabled for LSASS

Table 1. Sfapm RPC Interfaces
Description Name UUID (Version)

IM RPC Protocol

imsfk

36cc8d98-6e89-4325-bb5e-1c70f13a2981 (1.0)

Clip Board RPC protocol

clipsfk

cf148a37-dacc-4183-afcf-77307190be06 (1.0)

Imsfk

Table 2. Imsfk Operations
Opnum Operation

0x0

SFRCharactersInput

0x1

SfapRPCCtxClose

0x2

SfaRPCtxOpen

0x3

SfapRpcQueueStateUpdateRequest

SFRCharactersInput

Function is called everytime a user provides keyboard input to capture the input. The input is used to identify if a user typed a password, similar to what is described in the SFRClipboardInput operation for clipsfk.

Clipsfk

Table 3. Clipsfk Operations
Opnum Operation

0x0

SFRClipboardInput

SFRClipboardInput

The RPC function is invoked everytime when a user performs a copy or paste action. The function captures the copied or pasted buffer of data and determines if the buffer potentially contains a password based on the length of the buffer. If it believes it contains a password, it will derive a key from the buffer using BCryptHash and BCryptDeriveKeyPBKDF2. It will then compare the result with a hash of the user’s currently stored credential which is stored by LSASS. If the derived keys matche, sfapm will send an ETW message using the WTDS Provider.

⚠️ **GitHub.com Fallback** ⚠️