Stephan Berger

@malmoeb

8 Tweets 23 reads Nov 06, 2022
1/ "They tried to stay stealthy and used the sysinternal's procdump tool, renamed in error.log to bypass Windows Defender detection and dump lsass process memory" [1]
A similar trick was presented by @mrd0x in November 2021. [2]
🧵 #CyberSecurity
2/ This technique does not work as of today (well, yesterday) and generates a Defender AV alert on my test machine.
Pay attention to the detection name, which is "HackTool" in the screenshot below.
3/ I can't stress enough how awesome @cyb3rops' AV cheat sheet is, which lists the Highly Relevant AV Keywords, with "HackTool" at the top (newest version here [3]).
As a system admin or SOC analyst, when seeing these keywords in an alert, the alert should be prioritized. 🚒🧯
4/ Defender AV also prevents dumping LSASS via the Task Scheduler with a Behaviour alert.
In both alerts, the keyword "DumpLsass" occurs.
Please note that an administrator (let alone a regular user) has no reason to dump the LSASS process. ☝️
5/ Both alerts are almost exclusively signs of a TA on the network (or are there edge cases that I am unaware of?) and need to be analyzed quickly.
But you could turn off Defender with admin privileges, right?
6/ Of course.
But attackers also make mistakes, sometimes quite a lot.
It's very well possible that a TA first forgot to deactivate Defender before trying to dump LSASS, which leads to a corresponding alert as outlined above.
7/ Even if Defender is deactivated afterward because the TA noticed his mistake, we, as defenders, hopefully noticed his presence in the network by now.
For me, AV Logs are an excellent early warning system that is often not monitored well enough.
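As an added illustration of the triage idea in tweets 3 and 4 (this is example code, not something from the thread or the cheat sheet), the snippet below pulls the detection name out of Defender Operational log messages and flags the ones containing a "highly relevant" keyword. The sample events are constructed to resemble Event ID 1116 records, and the keyword tuple is deliberately limited to the two names the thread mentions; a real deployment would take the full list from the cheat sheet.

```python
import re

# Only the two keywords that appear in the thread; the cheat sheet's full list is
# longer and is the real source of truth (assumption for this example).
HIGH_PRIORITY_KEYWORDS = ("HackTool", "DumpLsass")

# Constructed sample records shaped like Defender Operational log events
# (Event ID 1116 = detection, 1117 = action taken). On a real host they come from:
#   Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational'
SAMPLE_EVENTS = [
    {"id": 1116, "message": "Microsoft Defender Antivirus has detected malware or other "
                            "potentially unwanted software.\n Name: HackTool:Win32/LsassDump.A\n"
                            " Severity: High\n Path: file:_C:\\Temp\\error.log"},
    {"id": 1116, "message": "Microsoft Defender Antivirus has detected malware or other "
                            "potentially unwanted software.\n Name: Behavior:Win32/DumpLsass.A\n"
                            " Severity: Severe\n Process Name: C:\\Windows\\System32\\svchost.exe"},
    {"id": 1116, "message": "Microsoft Defender Antivirus has detected malware or other "
                            "potentially unwanted software.\n Name: PUA:Win32/Example\n"
                            " Severity: Low\n Path: file:_C:\\Users\\x\\Downloads\\setup.exe"},
]

NAME_RE = re.compile(r"^\s*Name:\s*(\S+)", re.MULTILINE)


def threat_name(message: str) -> str:
    """Extract the detection name from a Defender event message ('' if absent)."""
    m = NAME_RE.search(message)
    return m.group(1) if m else ""


def matched_keywords(name: str) -> list:
    """Return the high-priority keywords contained in a detection name (case-insensitive)."""
    lowered = name.lower()
    return [k for k in HIGH_PRIORITY_KEYWORDS if k.lower() in lowered]


def triage(events) -> list:
    """Tag each detection event with a priority and return high-priority events first."""
    rows = []
    for ev in events:
        if ev["id"] not in (1116, 1117):
            continue  # not a detection/action event
        name = threat_name(str(ev["message"]))
        hits = matched_keywords(name)
        rows.append({"id": ev["id"], "name": name, "keywords": hits,
                     "priority": "HIGH" if hits else "normal"})
    # False sorts before True, so HIGH rows come first; sort is stable otherwise.
    return sorted(rows, key=lambda r: r["priority"] != "HIGH")


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(f'{row["priority"]:6} {row["id"]} {row["name"]} {row["keywords"]}')
```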
