LSASS Dump Via Comsvcsdll
Query
//Combined Queries from this Article https://www.securityinbits.com/detection-engineering/lsass-dump-comsvcs-rundll32/
// Props to Ayush Anand
let ObfusOrdCall = DeviceProcessEvents
| where (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32") and (ProcessCommandLine contains "#+" or ProcessCommandLine contains "#-" or ProcessCommandLine contains "#0" or ProcessCommandLine contains "#655" or ProcessCommandLine contains "#656");
let MemDumpComsvcsDLL = DeviceProcessEvents
| where ((FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32") and ((ProcessCommandLine contains "comsvcs" and ProcessCommandLine contains "full") and (ProcessCommandLine contains "#-" or ProcessCommandLine contains "#+" or ProcessCommandLine contains "#24" or ProcessCommandLine contains "24 " or ProcessCommandLine contains "MiniDump" or ProcessCommandLine contains "#65560"))) or ((ProcessCommandLine contains "24" and ProcessCommandLine contains "comsvcs" and ProcessCommandLine contains "full") and (ProcessCommandLine contains " #" or ProcessCommandLine contains ",#" or ProcessCommandLine contains ", #" or ProcessCommandLine contains "\"#"));
ObfusOrdCall
| union MemDumpComsvcsDLLAbout this query
Explanation
This query is designed to detect potentially malicious activities related to credential dumping on a Windows system. Here's a simplified explanation:
-
Purpose: The query aims to identify suspicious uses of the
rundll32.exeprocess, which is a legitimate Windows utility that can be exploited by attackers to execute malicious code. -
Techniques Detected:
- System Binary Proxy Execution (T1218.011): This involves using legitimate system binaries, like
rundll32.exe, to execute malicious code. - OS Credential Dumping (T1003): This is a technique used by attackers to extract credentials from the operating system, often targeting the LSASS (Local Security Authority Subsystem Service) process.
- Defense Evasion (TA0005) and Credential Access (TA0006): These are broader tactics that include avoiding detection and gaining access to credentials, respectively.
- System Binary Proxy Execution (T1218.011): This involves using legitimate system binaries, like
-
Detection Method:
- The query looks for
rundll32.exebeing executed with certain patterns in its command line arguments. These patterns include obfuscated ordinal numbers (e.g.,#+,#-,#0,#655,#656) that can indicate an attempt to hide malicious activity. - It also checks for
rundll32.exetrying to perform a memory dump of thecomsvcsprocess, which is a known method for extracting credentials from LSASS.
- The query looks for
-
Risk: This activity is particularly concerning if Credential Guard, a security feature that helps protect credentials, is not active on the system.
-
Author and References: The query was created by Benjamin Zulliger, and it builds on work by Ayush Anand, as detailed on the Security in Bits website.
In summary, this query helps security analysts detect potential credential dumping attempts using rundll32.exe in a way that tries to evade detection by using obfuscation techniques.
