September 8, 2022 HAWKEYE

Tools Used for Dumping of RDPCreds via comsvcs.dll

Remote Desktop Protocol (RDP) is commonly used by administrators to manage Windows environments remotely. It is also typical for RDP to be enabled in systems that act as a jumpstation to enable users to reach other networks.

Background

Although this protocol is widely used, it is frequently not hardened or monitored properly. From the attacker’s perspective, dumping credentials from the LSASS process can lead either to lateral movement across the network or directly to full domain compromise if credentials for the domain admin account have been stored.

As we saw in our previous blog, the Local Security Authority Subsystem Service (LSASS) is the Microsoft Windows process that handles all user authentication, password changes, access token creation, and security policy enforcement. It stores a variety of hashed passwords and, in some cases, plaintext user passwords. Because it contains valuable data such as encrypted passwords, NT hashes, LM hashes, and Kerberos tickets that can be used for privilege escalation, data theft, and lateral movement, LSASS is a lucrative target for adversaries.

Dumping via comsvcs.dll

The comsvcs.dll library can be found on every Windows system and has an export called MiniDump that can be used to dump processes by their PID. This is also a very popular choice among malware authors. The command line should be written in the following way:

rundll32.exe comsvcs.dll MiniDump <lsass PID> <out path> full

It is a stealthy method of dumping LSASS credentials, as it uses a legitimate DLL to perform the task.

Lsassy

Apart from the manual method mentioned above, Lsassy is a Python tool that automates dumping LSASS from memory. By default, it uses the comsvcs.dll MiniDump function to dump the credentials from memory. This method can only be used when the context has SeDebugPrivilege. This privilege is present in either the PowerShell local admin context or the cmd.exe SYSTEM context. The command line for dumping credentials using Lsassy is:

lsassy [--hashes [LM:]NT] [<domain>/]<user>[:<password>]@<target>

Detection Techniques

To detect the dumping of LSASS credentials through this technique, we can monitor for the execution of a process that seems to be rundll32.exe along with a command line containing the term MiniDump.

process == rundll32.exe
&&
command_line_includes ('MiniDump')

Another way to detect adversaries abusing LSASS is to understand what tools or processes routinely access LSASS Memory for legitimate reasons and then build detection logic for anything that deviates from that. The following is a generic example of a detection opportunity built around obviously suspicious cross-process events.

process == ('powershell.exe' || 'taskmgr.exe' || 'rundll32.exe' || 'procdump.exe' || 'procexp.exe' || [other native processes that don't normally access LSASS])
&&
cross_process_handle_to ('lsass.exe')

Apart from these detection techniques, here are a few telemetry sources to monitor:

  • Process monitoring: Process monitoring can be helpful for monitoring the rundll32.exe process whenever it starts. EDR, Sysmon Event IDs 1 and 10, and Windows Event ID 4688 should collect relevant telemetry.
  • Command monitoring: Command-line logging will capture the context of what is executed. EDR, Sysmon Event ID 1, and Windows Event ID 4688 should collect relevant telemetry.
  • Module monitoring: This can help in monitoring the loading of comsvcs.dll via the rundll32.exe process. EDR and Sysmon Event ID 7 should collect relevant telemetry.
  • File monitoring: File monitoring can help in monitoring the write operation for the dump file C:\Windows\Temp\lsass.dmp.

Splunk query for detection

name: Dump LSASS via comsvcs DLL
id: 8943b567-f14d-4ee8-a0bb-2121d4ce3184
version: 2
date: '2020-02-21'
author: Patrick Bareiss, Splunk
type: TTP
datamodel:
- Endpoint
description: Detect the usage of comsvcs.dll for dumping the lsass process.
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
  as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*comsvcs.dll*
  Processes.process=*MiniDump* by Processes.user Processes.process_name Processes.original_file_name
  Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` | `dump_lsass_via_comsvcs_dll_filter`'
how_to_implement: To successfully implement this search you need to be ingesting information
  on process that include the name of the process responsible for the changes from
  your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition,
  confirm the latest CIM App 4.20 or higher is installed and the latest TA for the
  endpoint product.
known_false_positives: None identified.
references:
- https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
- https://twitter.com/SBousseaden/status/1167417096374050817
tags:
  analytic_story:
  - Credential Dumping
  - Suspicious Rundll32 Activity
  - HAFNIUM Group
  - Living Off The Land
  - Industroyer2
  asset_type: Endpoint
  cis20:
  - CIS 3
  - CIS 5
  - CIS 16
  confidence: 100
  context:
  - Source:Endpoint
  - Stage:Credential Access
  dataset:
  - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log
  impact: 80
  kill_chain_phases:
  - Actions on Objectives
  message: An instance of $parent_process_name$ spawning $process_name$ was identified
    accessing credentials using comsvcs.dll on endpoint $dest$ by user $user$.
  mitre_attack_id:
  - T1003.001
  - T1003
  nist:
  - DE.CM
  observable:
  - name: user
    type: User
    role:
    - Victim
  - name: dest
    type: Hostname
    role:
    - Victim
  - name: parent_process_name
    type: Process
    role:
    - Parent Process
  - name: process_name
    type: Process
    role:
    - Child Process
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - Processes.dest
  - Processes.user
  - Processes.parent_process_name
  - Processes.parent_process
  - Processes.original_file_name
  - Processes.process_name
  - Processes.process
  - Processes.process_id
  - Processes.parent_process_path
  - Processes.process_path
  - Processes.parent_process_id
  risk_score: 80
  security_domain: endpoint
  supported_tas:
  - Splunk_TA_microsoft_sysmon

Sigma rule for detection and prevention

title: Lsass Memory Dump via Comsvcs DLL
id: a49fa4d5-11db-418c-8473-1e014a8dd462
description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
status: experimental
date: 2020/10/20
modified: 2021/06/21
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
    - attack.credential_access
    - attack.t1003.001
references:
    - https://twitter.com/shantanukhande/status/1229348874298388484
    - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        SourceImage: 'C:\Windows\System32\rundll32.exe'
        CallTrace|contains: 'comsvcs.dll'
    condition: selection
falsepositives:
    - Unknown
level: critical
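
The Splunk search (process-creation command line) and the Sigma rule (process access to lsass.exe) above, applied side by side to a few Sysmon-style events. This is an added example, not code from the original post or from the Splunk or Sigma projects: the event dictionaries, PID 624, helper.exe and the call-trace offsets are constructed sample values, and matching on OriginalFileName is an assumed stand-in for the `process_rundll32` macro.

```python
import ntpath

# Constructed Sysmon-style events (sample values, not from the original page).
LSASS = r"C:\Windows\System32\lsass.exe"
RUNDLL32 = r"C:\Windows\System32\rundll32.exe"
EVENTS = [
    # 0: Event ID 1, the command line shown earlier on the page
    {"EventID": 1, "Image": RUNDLL32, "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe comsvcs.dll MiniDump 624 C:\Windows\Temp\lsass.dmp full"},
    # 1: Event ID 1, image name differs but the PE OriginalFileName is rundll32
    {"EventID": 1, "Image": r"C:\Users\Public\helper.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"helper.exe comsvcs.dll MiniDump 624 C:\Windows\Temp\lsass.dmp full"},
    # 2: Event ID 1, routine rundll32 use that must not alert
    {"EventID": 1, "Image": RUNDLL32, "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    # 3: Event ID 10, rundll32 opens lsass with comsvcs.dll in the call trace
    {"EventID": 10, "SourceImage": RUNDLL32, "TargetImage": LSASS,
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\comsvcs.dll+25b0f"},
    # 4: Event ID 10, a system process touching lsass without comsvcs.dll
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": LSASS,
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\KERNELBASE.dll+2c13e"},
]

def is_rundll32(event):
    """Assumed stand-in for the `process_rundll32` macro: image name OR PE original name."""
    image = ntpath.basename(event.get("Image", "")).lower()
    return "rundll32.exe" in (image, event.get("OriginalFileName", "").lower())

def match_process_create(event):
    """Splunk search logic: rundll32 whose command line has comsvcs.dll and MiniDump."""
    cmd = event.get("CommandLine", "").lower()
    return (event.get("EventID") == 1 and is_rundll32(event)
            and "comsvcs.dll" in cmd and "minidump" in cmd)

def match_process_access(event):
    """Sigma rule logic: rundll32 -> lsass.exe with comsvcs.dll in CallTrace."""
    return (event.get("EventID") == 10
            and event.get("TargetImage", "").lower().endswith("\\lsass.exe")
            and event.get("SourceImage", "").lower() == RUNDLL32.lower()
            and "comsvcs.dll" in event.get("CallTrace", "").lower())

def detect(events):
    """Return (index, rule) for every event that matches either detection."""
    rules = (("process_create", match_process_create), ("process_access", match_process_access))
    return [(i, name) for i, ev in enumerate(events) for name, fn in rules if fn(ev)]

if __name__ == "__main__":
    for index, rule in detect(EVENTS):
        print(f"ALERT event {index}: {rule}")
```

Event 1 is caught only by the command-line logic, because the Sigma selection pins SourceImage to the full System32 path; running both data sources covers that gap.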
