Remote Desktop Protocol (RDP) is commonly used by administrators to manage Windows environments remotely. It is also typical for RDP to be enabled on systems that act as jump stations (bastion hosts) through which users reach other networks.
Although the protocol is widely used, it is frequently neither hardened nor monitored properly. From the attacker's perspective, an interactive session on such a host is a natural place to dump credentials from the lsass process: the result is either lateral movement across the network or, if a domain admin has logged on to the host and those credentials are still held by LSASS, direct and full domain compromise.
As we saw in our previous blog, the Local Security Authority Subsystem Service (LSASS) is the Microsoft Windows process that handles all user authentication, password changes, access token creation, and security policy enforcement. It stores a variety of hashed passwords and, in some cases, plaintext user passwords. Because it contains valuable data such as encrypted passwords, NT hashes, LM hashes, and Kerberos tickets that can be used for privilege escalation, data theft, and lateral movement, LSASS is a lucrative target for adversaries.
Dumping via comsvcs.dll
comsvcs.dll ships with every Windows installation and exports a function named MiniDump that writes a minidump of an arbitrary process selected by its PID. The export name is resolved case-sensitively, so it has to be written exactly as MiniDump. This is also a very popular choice among malware authors, since it needs no tooling beyond what Windows already provides. The command line is:
rundll32.exe comsvcs.dll MiniDump <lsass PID> <out path> full
It is a relatively stealthy way to dump LSASS credentials because it uses a legitimate, Microsoft-signed DLL loaded by a legitimate host process rather than a dropped tool. The trade-offs are that the full, unencrypted dump is written to disk at <out path>, and that the command line, the DLL load and the handle opened on lsass.exe are all visible to process, module and process-access telemetry.
Apart from the manual method above, lsassy is a Python tool that automates the whole process remotely: it authenticates to the target (over SMB, with a password or an NT hash), triggers the dump, retrieves the dump file and parses the credentials out of it. By default it triggers the dump through the comsvcs.dll MiniDump export. Any variant of this technique works only when the calling process holds SeDebugPrivilege, which a member of the local Administrators group has in an elevated (high-integrity) context and which SYSTEM always has; in a non-elevated admin shell UAC strips the privilege and the dump fails. The command line for lsassy is:
lsassy [--hashes [LM:]NT] [<domain>/]<user>[:<password>]@<target>
To detect LSASS dumping through this technique, look for a process whose image is rundll32.exe (or whose OriginalFileName is rundll32.exe, in case the binary was copied and renamed) with a command line containing the term MiniDump:
process == rundll32.exe
&&
command_includes ('MiniDump')
One caveat: comsvcs.dll also exposes MiniDump as export ordinal 24, so rundll32.exe comsvcs.dll, #24 <lsass PID> <out path> full reaches the same code without the string MiniDump appearing anywhere. Match on comsvcs.dll together with either MiniDump or #24, and pair the command-line rule with the cross-process detection below, which does not depend on the command line at all.
Another way to detect adversaries abusing LSASS is to establish which tools and processes routinely access LSASS memory for legitimate reasons (antivirus and EDR agents, csrss.exe, wininit.exe, a handful of svchost.exe instances) and then build detection logic for anything that deviates from that baseline. The following is a generic example of a detection opportunity built around obviously suspicious cross-process events; the list of processes must be tuned per environment:
process == ('powershell.exe' || 'taskmgr.exe' || 'rundll32.exe' || 'procdump.exe' || 'procexp.exe' || [other native processes that don't normally access LSASS])
&&
cross_process_access_target == 'lsass.exe'
Apart from these detection techniques, the following telemetry sources support the monitoring:
- Process monitoring: capture every start of rundll32.exe. EDR, Sysmon Event ID 1 and Windows Event ID 4688 provide this telemetry. Sysmon Event ID 10 (ProcessAccess) additionally records the handle rundll32.exe opens on lsass.exe, including the GrantedAccess mask; a minidump needs at least PROCESS_QUERY_INFORMATION (0x0400) and PROCESS_VM_READ (0x0010) on the target, and many tools simply request PROCESS_ALL_ACCESS (0x1FFFFF).
- Command-line monitoring: command-line logging captures the context of what was executed, which is what the MiniDump and comsvcs.dll matches above depend on. EDR, Sysmon Event ID 1 and Windows Event ID 4688 provide it, but 4688 includes the command line only if "Include command line in process creation events" is enabled by policy.
- Module monitoring: the load of comsvcs.dll into the rundll32.exe process. EDR and Sysmon Event ID 7 (ImageLoaded) provide it; comsvcs.dll is loaded by many legitimate processes, so filter on the loading process being rundll32.exe.
- File monitoring: the write of the dump file, for example C:\Windows\Temp\lsass.dmp (Sysmon Event ID 11, FileCreate). The path and name are the attacker's choice, so do not alert only on lsass.dmp; a large new file (LSASS dumps commonly run to tens of megabytes or more) written by rundll32.exe is the stronger signal.
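The command-line and cross-process rules above, run over constructed Sysmon-style events, as an added example that is not part of the original post or of any tool it mentions. Events are plain dicts that mimic the fields of Sysmon Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess); the allowlist of processes that legitimately touch lsass.exe and the sample events are constructed assumptions that must be tuned for a real environment. The example goes slightly beyond the text by also catching the ordinal form (#24) and a copied-and-renamed rundll32 binary via OriginalFileName.

```python
import re

# Constructed baseline of processes that routinely open lsass.exe on a typical
# host (assumption: tune per environment, e.g. add your AV/EDR agent paths).
LSASS_ACCESS_BASELINE = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}

# MiniDumpWriteDump needs these rights on the target process;
# PROCESS_ALL_ACCESS (0x1FFFFF) includes both.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# comsvcs.dll exports MiniDump as ordinal 24, so "#24" reaches the same code
# without the string MiniDump ever appearing in the command line.
COMSVCS_MINIDUMP_RE = re.compile(
    r"comsvcs\.dll\s*,?\s*(?:minidump|#24)\b", re.IGNORECASE
)


def detect_process_create(event):
    """Sysmon Event ID 1: rundll32 (by image or OriginalFileName, so a copied
    and renamed binary still matches) invoking comsvcs.dll MiniDump / #24."""
    original = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    is_rundll32 = original == "rundll32.exe" or image.endswith("\\rundll32.exe")
    if is_rundll32 and COMSVCS_MINIDUMP_RE.search(cmd):
        return f"rundll32 comsvcs.dll MiniDump: {cmd}"
    return None


def detect_process_access(event):
    """Sysmon Event ID 10: a non-baseline process opening lsass.exe with the
    rights a memory dump needs."""
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    needed = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
    if granted & needed != needed:
        return None
    source = event.get("SourceImage", "").lower()
    if source in LSASS_ACCESS_BASELINE:
        return None
    return f"{source} opened lsass.exe with GrantedAccess 0x{granted:x}"


HANDLERS = {1: detect_process_create, 10: detect_process_access}


def run_detections(events):
    """Return (EventID, reason) for every event that trips a rule."""
    alerts = []
    for ev in events:
        handler = HANDLERS.get(ev.get("EventID"))
        reason = handler(ev) if handler else None
        if reason:
            alerts.append((ev["EventID"], reason))
    return alerts


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 648 C:\Windows\Temp\lsass.dmp full"},
    # Renamed copy of rundll32 calling the export by ordinal instead of name.
    {"EventID": 1, "Image": r"C:\Users\Public\r32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"r32.exe C:\Windows\System32\comsvcs.dll, #24 648 C:\Users\Public\out.bin full"},
    # Benign rundll32 use: a Control Panel applet.
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    # Baseline process, and only a limited query right anyway.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\wininit.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for event_id, reason in run_detections(SAMPLE_EVENTS):
        print(f"[Sysmon {event_id}] {reason}")
```

Run as-is it flags the two comsvcs.dll command lines and the rundll32.exe handle on lsass.exe, and stays quiet on the Control Panel applet and on the baseline processes. The GrantedAccess check deliberately requires both rights rather than matching 0x1FFFFF literally, because the mask an attacker's tool requests is under the attacker's control.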
Splunk query for detection
name: Dump LSASS via comsvcs DLL
author: Patrick Bareiss, Splunk
description: Detect the usage of comsvcs.dll for dumping the lsass process.
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
  as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*comsvcs.dll*
  Processes.process=*MiniDump* by Processes.user Processes.process_name Processes.original_file_name
  Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` | `dump_lsass_via_comsvcs_dll_filter`'
how_to_implement: To successfully implement this search you need to be ingesting information
  on process that include the name of the process responsible for the changes from
  your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition,
  confirm the latest CIM App 4.20 or higher is installed and the latest TA for the
known_false_positives: None identified.
tags:
  analytic_story:
  - Credential Dumping
  - Suspicious Rundll32 Activity
  - HAFNIUM Group
  - Living Off The Land
  cis20:
  - CIS 3
  - CIS 5
  - CIS 16
  context:
  - Stage:Credential Access
  kill_chain_phases:
  - Actions on Objectives
  message: An instance of $parent_process_name$ spawning $process_name$ was identified
    accessing credentials using comsvcs.dll on endpoint $dest$ by user $user$.
  observable:
  - name: user
  - name: dest
  - name: parent_process_name
    type: Parent Process
  - name: process_name
    type: Child Process
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
Sigma rule for detection
title: Lsass Memory Dump via Comsvcs DLL
description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)