Thursday, 7 February 2019

Threat Hunting #19 - Procdump or Taskmgr - memory dump

Dumping lsass.exe process memory using procmon.exe or taskmgr.exe (both are signed and trusted microsoft utilities) and then extracting secrets offline is a bit stealthier than running a rogue program.

Using Sysmon event 10 "Process A accessed Process B" and filtering by CallTrace, and TargetImage attribute data, we can detect both process memory dumping actions:




As can be seen above, both utilities call APIs exported by dbghelp.dll or dbgcore.dll to invoke memory dump write functions (i.e. MiniDumpWriteDump function).

Detection Logic:

Sysmon: EventID=10 and CallTrace contains "Dbghelp.dll" or "Dbgcore.dll" and TargetImage=="lsass.exe or any other sensitive process (i.e. Point of Sale related processes or alike)"

IBM Qradar AQL example:

select "SourceImage", "TargetImage" from events where eventid=10 and utf8(payload) imatches '(?i)((.*dbghelp.*)|(.*dbgcore.*))'  and TargetImage imatches '.*lsass.*'

References:

https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
https://docs.microsoft.com/en-us/windows/desktop/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump

No comments:

Post a Comment