WerFault.exe abnormal behavior detection from studying its usual imported modules, the process-creation APIs it calls and its normal parent-child process relationships. This approach can also be based on your own environment baselines, like:
Original File Name. Also, try to use command-line arguments in your detections as much as possible. This will not stop attackers, but it raises the cost of the required skill set: tools are easily renamed, whereas recompiling them to change their options is more complex and time-consuming.
comsvcs.dll dumping technique with the SMB execution method. Later, we will demonstrate a stealthier approach with the same tool. Upon execution, here are our first observations:
LOLBin technique based on
StartService function is called
UUID 367ABB81-9844-35F1-AD32-98F038001003 and uses the RPC endpoint "\PIPE\svcctl". According to the Microsoft documentation, the server MUST use RPC over SMB (ncacn_np) or RPC over TCP (ncacn_ip_tcp) as the RPC protocol sequence to the RPC implementation. [See references below]
OpenSCManagerW function, which establishes a connection to the service control manager on the specified computer and opens the specified service control manager database.
comsvcs.dll exports a function called
MiniDumpW which can be used by rundll32 to dump process memory.
comsvcs.dll's MiniDumpW accepts three parameters, but the first two are ignored and the third one contains three parts: the target process ID, the dump file location and the option
MiniDump function requires a target process ID, so a process discovery technique is expected. In this case
tasklist.exe is used to get the LSASS process ID.
MiniDump function call can also be achieved by referencing the export by its ordinal (function reference number) instead of its name
rundll32.exe to request a handle to
EID 10 will be generated with
comsvcs.dll in the Call Trace field.
comsvcs.dll to evade hardcoded, string-based command-line detections.
QueryServiceConfig to query the configuration of the targeted service the attacker wants to change, followed by the
ChangeServiceConfig function to apply that change, instead of
CreateService. For detection opportunities we can rely on EID 5145, but Zeek's
DCE-RPC event log has higher Event Decisiveness and Traceability, since it provides the exact endpoint operation and not just the accessed RPC endpoint.
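As an added example (this is not code from the original post), the following Python analytic parses Zeek dce_rpc.log lines and reports svcctl sessions in which a service is reconfigured (ChangeServiceConfig) or created (CreateService) and then started (StartService), which is exactly the per-operation visibility the paragraph above credits Zeek with. The log lines are constructed for this example. Zeek's operation spellings (for instance RChangeServiceConfigW versus ChangeServiceConfigW) are normalized to the base MS-SCMR names so the check does not depend on the exact form, and the named_pipe column values are an assumption that the logic never relies on.

```python
"""Zeek dce_rpc.log analytic: service reconfigured/created and then started.

Added example, not from the original post. Sample rows are constructed; the
named_pipe values are an assumption and are not used by the detection logic.
"""

ZEEK_FIELDS = ("ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
               "rtt", "named_pipe", "endpoint", "operation")


def _row(ts, uid, src, sport, op, endpoint="svcctl"):
    """One constructed dce_rpc.log row (target host and port are fixed)."""
    return (ts, uid, src, sport, "10.0.0.20", "445", "0.0010",
            "\\pipe\\" + endpoint, endpoint, op)


# Constructed sample: CAbc1 hijacks an existing service through
# ChangeServiceConfig (and restores it afterwards), CDef2 creates a new service,
# CGhi3 only queries a service, CJkl4 is unrelated srvsvc traffic.
_SAMPLE_ROWS = [
    _row("1700000000.10", "CAbc1", "10.0.0.5", "49812", "ROpenSCManagerW"),
    _row("1700000000.11", "CAbc1", "10.0.0.5", "49812", "ROpenServiceW"),
    _row("1700000000.12", "CAbc1", "10.0.0.5", "49812", "RQueryServiceConfigW"),
    _row("1700000000.13", "CAbc1", "10.0.0.5", "49812", "RChangeServiceConfigW"),
    _row("1700000000.14", "CAbc1", "10.0.0.5", "49812", "RStartServiceW"),
    _row("1700000000.15", "CAbc1", "10.0.0.5", "49812", "RChangeServiceConfigW"),
    _row("1700000001.00", "CDef2", "10.0.0.6", "50100", "OpenSCManagerW"),
    _row("1700000001.01", "CDef2", "10.0.0.6", "50100", "CreateServiceW"),
    _row("1700000001.02", "CDef2", "10.0.0.6", "50100", "StartServiceW"),
    _row("1700000002.00", "CGhi3", "10.0.0.7", "50200", "ROpenSCManagerW"),
    _row("1700000002.01", "CGhi3", "10.0.0.7", "50200", "RQueryServiceStatus"),
    _row("1700000003.00", "CJkl4", "10.0.0.9", "50001", "NetrShareEnum", "srvsvc"),
]

SAMPLE_DCE_RPC_LOG = "\n".join(
    ["#separator \\x09", "#path\tdce_rpc", "#fields\t" + "\t".join(ZEEK_FIELDS)]
    + ["\t".join(r) for r in _SAMPLE_ROWS])


def parse_zeek_log(text):
    """Parse a Zeek TSV log into dicts using its own #fields header line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def normalize_op(op):
    """RChangeServiceConfigW / ChangeServiceConfigW / ChangeServiceConfigA ->
    ChangeServiceConfig. Names without the MS-SCMR R-prefix or A/W suffix
    (e.g. NetrShareEnum) are returned unchanged."""
    if len(op) > 1 and op[0] == "R" and op[1].isupper():
        op = op[1:]
    if len(op) > 1 and op[-1] in "AW":
        op = op[:-1]
    return op


def find_scm_abuse(rows):
    """Per connection uid, report the first StartService that follows a
    ChangeServiceConfig or CreateService on the svcctl endpoint."""
    by_uid = {}
    for r in rows:
        if r.get("endpoint") == "svcctl":
            by_uid.setdefault(r["uid"], []).append(
                (float(r["ts"]), normalize_op(r["operation"]), r["id.orig_h"], r["id.resp_h"]))
    findings = []
    for uid, ops in by_uid.items():
        ops.sort(key=lambda o: o[0])
        armed = None
        for _ts, name, src, dst in ops:
            if name in ("ChangeServiceConfig", "CreateService"):
                armed = name
            elif name == "StartService" and armed:
                findings.append({"uid": uid, "orig_h": src, "resp_h": dst,
                                 "technique": armed, "sequence": [o[1] for o in ops]})
                break
    return findings


def analyze(log_text):
    """Parse a dce_rpc.log text and return the suspicious sessions."""
    return find_scm_abuse(parse_zeek_log(log_text))


if __name__ == "__main__":
    for f in analyze(SAMPLE_DCE_RPC_LOG):
        print("{uid}: {orig_h} -> {resp_h}: {technique} then StartService, "
              "ops={sequence}".format(**f))
```

The session-only query (CGhi3) and the srvsvc traffic are not reported, which is the point of keying on the operation sequence rather than on the svcctl endpoint alone; an EID 5145 on the named pipe would fire on all three svcctl sessions alike.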
]\ImagePath. So we can rely on EID 13 (Sysmon registry value set) for this matter.
comsvcs.dll file and rename it, the attacker needs to reach it first. So an EID 5145 will be generated in this case with
Relative Target Name field. This event is highly decisive, since it is pretty rare to observe such behavior, so it can serve as a detection analytic on its own.
Call Trace field richness and the
source process GUID that can be used for correlation purposes (in my case, Elastic Security uses this field to build process tree visualizations).
lsass.exe alone is a rare behavior. However, you can increase the precision of your analytic by looking for
Call Trace or any other
dll from a location other than
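As an added example (not code from the original post), the Python below implements the two host-side analytics discussed above over constructed sample events: a Sysmon EID 10 check on lsass.exe accesses that flags comsvcs.dll in the Call Trace, and also any DLL in the Call Trace loaded from outside the Windows system directories (what a copied and renamed comsvcs.dll looks like on the stack); and a Security EID 5145 check that flags a client reaching comsvcs.dll through an administrative share by its Relative Target Name. Field names follow the Sysmon and Windows Security event schemas; the events, addresses and stack offsets are constructed for the example, and GrantedAccess is carried along but not filtered on.

```python
"""Sysmon EID 10 and Security EID 5145 analytics for comsvcs.dll LSASS dumping.

Added example, not from the original post. Sample events are constructed.
"""

# Directories a legitimately loaded system DLL lives in; compared
# case-insensitively against each CallTrace module path.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample events (field names follow the real event schemas).
SAMPLE_EVENTS = [
    # rundll32 comsvcs.dll MiniDump against lsass: comsvcs.dll is on the stack
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\KERNELBASE.dll+2dd3e"
                  r"|C:\Windows\System32\comsvcs.dll+35e1b|C:\Windows\System32\rundll32.exe+1a23"},
    # Renamed copy of comsvcs.dll loaded from a user-writable directory
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\KERNELBASE.dll+2dd3e"
                  r"|C:\Users\Public\update.dll+35e1b"},
    # Routine access by a system process: only system modules on the stack
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\KERNELBASE.dll+2dd3e"
                  r"|C:\Windows\System32\sechost.dll+1122"},
    # Remote client reading comsvcs.dll through ADMIN$ before copying it
    {"EventID": 5145, "IpAddress": "10.0.0.5", "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": r"System32\comsvcs.dll", "AccessMask": "0x120089"},
    # Ordinary administrative share activity
    {"EventID": 5145, "IpAddress": "10.0.0.7", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Windows\Temp\report.txt", "AccessMask": "0x120089"},
]


def parse_call_trace(call_trace):
    """Split a Sysmon CallTrace ('<module>+<offset>|<module>+<offset>|...')
    into module paths; frames such as 'UNKNOWN(addr)' are kept as-is."""
    modules = []
    for frame in call_trace.split("|"):
        frame = frame.strip()
        if frame:
            modules.append(frame.rsplit("+", 1)[0])
    return modules


def flag_eid10(event):
    """Reasons an EID 10 event is suspicious (empty list: not flagged).
    Only accesses to lsass.exe are considered; the CallTrace decides."""
    if event.get("EventID") != 10:
        return []
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return []
    reasons = []
    for module in parse_call_trace(event.get("CallTrace", "")):
        m = module.lower()
        if m.endswith("\\comsvcs.dll"):
            reasons.append("comsvcs.dll in CallTrace")
        elif m.endswith(".dll") and not m.startswith(SYSTEM_DIRS):
            reasons.append("DLL outside system directories in CallTrace: " + module)
    return reasons


def flag_eid5145(event):
    """Description of a share access whose Relative Target Name is
    comsvcs.dll, or None."""
    if event.get("EventID") != 5145:
        return None
    if event.get("RelativeTargetName", "").lower().endswith("comsvcs.dll"):
        return "{} read {}\\{}".format(event.get("IpAddress"), event.get("ShareName"),
                                      event.get("RelativeTargetName"))
    return None


def run_analytics(events):
    """Apply both analytics; returns (index, analytic, reasons) per hit."""
    hits = []
    for i, ev in enumerate(events):
        reasons = flag_eid10(ev)
        if reasons:
            hits.append((i, "EID10", reasons))
        reason = flag_eid5145(ev)
        if reason:
            hits.append((i, "EID5145", [reason]))
    return hits


if __name__ == "__main__":
    for index, analytic, reasons in run_analytics(SAMPLE_EVENTS):
        print(index, analytic, "; ".join(reasons))
```

The third EID 10 event is deliberately an lsass.exe access with only System32 modules on the stack: lsass.exe as a target on its own is not what the rule keys on, the module path in the Call Trace is, so benign system accesses fall through while both the stock and the renamed comsvcs.dll cases are reported.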