WerFault.exe
Abnormal behavior detection from studying the usual imported modules, process-creation-related APIs and normal parent-child process relationships. This approach can also be based on your own environment baselines, such as Original File Name. Also, use command-line arguments in your analytics as much as possible: this is not to stop attackers but to increase the cost of the required skill set, since tools are easily renamed but it is more complex and time-consuming to recompile them to change their options.

comsvcs.dll dumping technique with the SMB execution method. Later, we will demonstrate a stealthier approach with the same tool. However, upon execution, here are our first observations:

- LOLBin technique based on COMSVCS.DLL.
- The StartService function is called.
- Observed pattern: *comsvcs.dll*
- Processes involved: cmd.exe, services.exe
- Command-line indicators: MiniDump, full, rundll32.exe, *comsvcs.dll
The svcctl interface has UUID 367ABB81-9844-35F1-AD32-98F038001003 and uses the RPC endpoint "\PIPE\svcctl". According to Microsoft documentation, the server MUST use RPC over SMB (ncacn_np) or RPC over TCP (ncacn_ip_tcp) as the RPC protocol sequence to the RPC implementation. [See references below]

The OpenSCManagerW function establishes a connection to the service control manager on the specified computer and opens the specified service control manager database. It is followed by the CreateServiceW function.

comsvcs.dll exports a function called MiniDumpW which can be used by rundll32 to dump process memory. It accepts three parameters, but the first two are ignored and the third one contains three parts: the target process ID, the dump file location and the option full. Because the MiniDump function requires a target process ID, a process discovery technique is expected; in this case tasklist.exe is used to get the LSASS process ID. The MiniDump function call can also be achieved by its function reference number (ordinal) #24.

The dump requires rundll32.exe to request a handle to LSASS. An EID 10 (process access) event will be generated with comsvcs.dll in the Call Trace field.

Detection analytics for this execution:

- EID 5145: share \*\IPC$, Relative Target Name svcctl
- Zeek DCE-RPC: endpoint svcctl, operation CreateServiceW OR CreateServiceA
- Registry: services.exe writing under HKLM\System\CurrentControlSet\Services\*
- EID 13: services.exe modifying HKLM\System\CurrentControlSet\Services\*\ImagePath, details matching *comsvcs.dll*
- Service configuration: ImagePath matching *comsvcs.dll*
- Process creation: tasklist.exe with command line tasklist /fi Imagename eq lsass
- Process creation: rundll32.exe with command line matching (MiniDump OR #24) AND full AND *comsvcs.dll
- EID 10: source *rundll32.exe, target *lsass.exe, Call Trace *comsvcs.dll*
- EID 10: source *rundll32.exe, target *lsass.exe (no Call Trace condition, lower precision)
Stealthier approach, with the same tool:

- comsvcs.dll is renamed to evade hardcoded string-based command-line detections.
- cmd.exe or powershell.exe.
- QueryServiceConfig is called to query the configuration of the targeted service the attacker wants to change, followed by the ChangeServiceConfig function to apply that change instead of CreateService.

For detection opportunities we can rely on EID 5145, but Zeek's DCE-RPC event log has high Event Decisiveness and Traceability since it provides the exact endpoint operation and not just the accessed RPC endpoint svcctl.
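To make the Event Decisiveness point concrete, here is an added example (not from the original post) that parses a constructed excerpt of Zeek's dce_rpc.log in its tab-separated format and compares an endpoint-only rule (anything on svcctl) with the operation-level rule CreateService* OR ChangeServiceConfig*. The hosts, uids, timestamps and call sequence are constructed; the column names follow the #fields header of Zeek's dce_rpc.log.

```python
"""Operation-level rule over a constructed Zeek dce_rpc.log excerpt."""
from fnmatch import fnmatchcase

# Constructed dce_rpc.log excerpt in Zeek's tab-separated format. Hosts, uids,
# timestamps and the call sequence are made up for this example.
_HEADER = ["#separator \\x09", "#path\tdce_rpc",
           "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\trtt\tnamed_pipe\tendpoint\toperation",
           "#types\ttime\tstring\taddr\tport\taddr\tport\tinterval\tstring\tstring\tstring"]
_ROWS = [
    ("1577836800.10", "CxA1", "10.0.0.5", "49152", "10.0.0.10", "445", "0.001", r"\pipe\svcctl", "svcctl", "OpenSCManagerW"),
    ("1577836800.11", "CxA1", "10.0.0.5", "49152", "10.0.0.10", "445", "0.001", r"\pipe\svcctl", "svcctl", "CreateServiceW"),
    ("1577836800.12", "CxA1", "10.0.0.5", "49152", "10.0.0.10", "445", "0.001", r"\pipe\svcctl", "svcctl", "StartServiceW"),
    ("1577836800.20", "CxA2", "10.0.0.5", "49153", "10.0.0.10", "445", "0.001", r"\pipe\svcctl", "svcctl", "QueryServiceConfigW"),
    ("1577836800.21", "CxA2", "10.0.0.5", "49153", "10.0.0.10", "445", "0.001", r"\pipe\svcctl", "svcctl", "ChangeServiceConfigW"),
    ("1577836800.22", "CxA2", "10.0.0.5", "49153", "10.0.0.10", "445", "0.001", r"\pipe\svcctl", "svcctl", "CloseServiceHandle"),
    ("1577836800.30", "CxA3", "10.0.0.7", "49200", "10.0.0.10", "445", "0.001", r"\pipe\srvsvc", "srvsvc", "NetShareEnumAll"),
]
SAMPLE_DCE_RPC_LOG = "\n".join(_HEADER + ["\t".join(r) for r in _ROWS] + ["#close\t2020-01-01-00-00-00"])

# Operation patterns the page's analytic keys on (fnmatch wildcards).
SERVICE_CHANGE_OPS = ("CreateService*", "ChangeServiceConfig*")


def parse_zeek_log(text):
    """Parse Zeek's TSV log format using the #fields header; returns one dict per row."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue                      # other directives carry no records
        if fields is None:
            raise ValueError("data row before #fields header")
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def endpoint_only_hits(records):
    """Coarse rule: every call on the svcctl endpoint, whatever the operation."""
    return [r for r in records if r["endpoint"] == "svcctl"]


def operation_hits(records):
    """Decisive rule: svcctl calls whose operation creates or reconfigures a service."""
    return [r for r in records
            if r["endpoint"] == "svcctl"
            and any(fnmatchcase(r["operation"], p) for p in SERVICE_CHANGE_OPS)]


def summarize(records):
    """(client, server, operation) triples for the decisive rule, in log order."""
    return [(r["id.orig_h"], r["id.resp_h"], r["operation"]) for r in operation_hits(records)]


if __name__ == "__main__":
    recs = parse_zeek_log(SAMPLE_DCE_RPC_LOG)
    print(f"svcctl calls: {len(endpoint_only_hits(recs))}, "
          f"service create/change calls: {len(operation_hits(recs))}")
    for triple in summarize(recs):
        print(triple)
```

On the constructed excerpt the endpoint-only rule fires on every one of the six svcctl calls, including routine OpenSCManagerW and CloseServiceHandle traffic, while the operation rule isolates the two calls that actually create or reconfigure a service, which is the difference in decisiveness the text describes.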
This results in an ImagePath modification under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM]\ImagePath, so we can rely on EID 13 for this matter.

To copy the comsvcs.dll file and rename it, the attacker needs to reach it first, so an EID 5145 will be generated in this case with comsvcs.dll in the Relative Target Name field. This event is highly decisive since it is pretty rare to observe such behavior; therefore it can be a detection analytic on its own.

EID 10 remains valuable for its Call Trace field richness and the source process GUID, which can be used for correlation purposes (in my case Elastic Security uses this field to create process tree visualizations). rundll32.exe accessing lsass.exe alone is a rare behavior. However, you can increase the precision of your analytic by looking for comsvcs.dll in the Call Trace, or for any other dll loaded from a location other than C:\Windows\System32\.

Detection analytics for the stealthier execution:

- EID 5145: share \\*\C$, Relative Target Name Windows\System32\comsvcs.dll
- Zeek DCE-RPC: endpoint svcctl, operation CreateService* OR ChangeServiceConfig*
- EID 5145: share \*\IPC$, Relative Target Name svcctl
- EID 13: services.exe modifying HKLM\System\CurrentControlSet\Services\*\ImagePath
- EID 10: source *rundll32.exe, target *lsass.exe
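The following Python, added here and not part of the original post, implements the EID 10 and EID 5145 analytics from this section over constructed Sysmon and Security events: it splits the Call Trace into module paths, ranks rundll32.exe-to-lsass.exe access by whether comsvcs.dll or any module outside C:\Windows\System32\ appears in it, flags comsvcs.dll being reached over a file share, and carries the source process GUID (or the subject user for 5145) as a correlation key. Event contents, GUIDs, offsets and user names are constructed; the field names are the Sysmon and Security event fields the text refers to.

```python
"""EID 10 (process access) and EID 5145 (share access) analytics for the comsvcs.dll dump path."""
import ntpath
from dataclasses import dataclass

SYSTEM32 = "c:\\windows\\system32\\"

# Constructed Sysmon / Security events carrying the fields this section relies on.
# GUIDs, offsets and user names are made up; not captured telemetry.
SAMPLE_SYSMON_EVENTS = [
    {"EventID": 10, "SourceProcessGUID": "{CONSTRUCTED-0001}",
     "SourceImage": r"C:\Windows\System32\rundll32.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\KERNELBASE.dll+2bd2e|"
                  r"C:\Windows\System32\comsvcs.dll+3c4a1|C:\Windows\System32\rundll32.exe+1e4a"},
    # Renamed copy of the DLL loaded from outside System32.
    {"EventID": 10, "SourceProcessGUID": "{CONSTRUCTED-0002}",
     "SourceImage": r"C:\Windows\System32\rundll32.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\KERNELBASE.dll+2bd2e|"
                  r"C:\Users\Public\svc.dll+3c4a1|C:\Windows\System32\rundll32.exe+1e4a"},
    # rundll32 -> lsass with nothing unusual in the trace: still rare, lower precision.
    {"EventID": 10, "SourceProcessGUID": "{CONSTRUCTED-0003}",
     "SourceImage": r"C:\Windows\System32\rundll32.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\KERNELBASE.dll+2bd2e|"
                  r"C:\Windows\System32\rundll32.exe+1e4a"},
    # Routine system access to lsass: not in scope of this analytic.
    {"EventID": 10, "SourceProcessGUID": "{CONSTRUCTED-0004}",
     "SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\KERNELBASE.dll+2bd2e"},
    {"EventID": 5145, "SubjectUserName": "CONSTRUCTED-USER", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Windows\System32\comsvcs.dll"},
    {"EventID": 5145, "SubjectUserName": "CONSTRUCTED-USER", "ShareName": r"\*\IPC$",
     "RelativeTargetName": "svcctl"},
]


@dataclass
class Finding:
    event_id: int
    rule: str
    precision: str        # high / medium / low, following the page's ranking
    correlation_key: str  # source process GUID (EID 10) or subject user (EID 5145)


def parse_call_trace(call_trace):
    """Split a Sysmon Call Trace ('path+offset|path+offset') into module paths."""
    return [frame.rsplit("+", 1)[0] for frame in call_trace.split("|") if frame]


def assess_process_access(ev):
    """EID 10 rule: rundll32.exe reaching lsass.exe, ranked by what the Call Trace shows."""
    if ev.get("EventID") != 10:
        return None
    src = ntpath.basename(ev.get("SourceImage", "")).lower()
    tgt = ntpath.basename(ev.get("TargetImage", "")).lower()
    if src != "rundll32.exe" or tgt != "lsass.exe":
        return None
    modules = parse_call_trace(ev.get("CallTrace", ""))
    key = ev.get("SourceProcessGUID", "")
    if any(m.lower().endswith("\\comsvcs.dll") for m in modules):
        return Finding(10, "rundll32.exe -> lsass.exe with comsvcs.dll in Call Trace", "high", key)
    # Frames without a System32 path (another directory, or unbacked memory with no
    # module at all) are what betray a renamed copy of the DLL.
    foreign = [m for m in modules if not m.lower().startswith(SYSTEM32)]
    if foreign:
        return Finding(10, f"rundll32.exe -> lsass.exe with module outside System32: {foreign[0]}", "high", key)
    return Finding(10, "rundll32.exe -> lsass.exe (rare on its own)", "medium", key)


def assess_share_access(ev):
    """EID 5145 rules: comsvcs.dll reached over a share; svcctl pipe opened over IPC$."""
    if ev.get("EventID") != 5145:
        return None
    target = ev.get("RelativeTargetName", "")
    key = ev.get("SubjectUserName", "")
    if target.lower().endswith("comsvcs.dll"):
        return Finding(5145, f"comsvcs.dll reached over share {ev.get('ShareName', '')}", "high", key)
    if ev.get("ShareName", "").upper().endswith("IPC$") and target.lower() == "svcctl":
        return Finding(5145, "remote Service Control Manager access via the svcctl pipe", "low", key)
    return None


def run(events):
    """Evaluate every event; findings come back in event order."""
    findings = []
    for ev in events:
        f = assess_process_access(ev) or assess_share_access(ev)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in run(SAMPLE_SYSMON_EVENTS):
        print(f"EID {f.event_id} [{f.precision}] {f.rule} (key={f.correlation_key})")
```

The correlation key is deliberately carried on every finding so the EID 10 hit can be joined back to the process-creation record with the same process GUID (where the command-line analytic lives) and the 5145 file-share hit can be tied to the account that fetched comsvcs.dll, which is the process-tree view the text credits Elastic Security with building from this field.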