
Credential Theft Using Procdump or Comsvcs

Rule added on 30th April, 2024

Rule type:

Correlation

Rule description:

Attackers may attempt to gain access to the credentials stored in the process memory of Local Security Authority Subsystem Service (LSASS) to perform lateral movement. Various tools may be used to dump credentials, such as Procdump, Comsvcs and more.

Procdump (a Sysinternals utility) and Comsvcs are legitimate tools used to generate process dumps for troubleshooting, but adversaries can use them for malicious purposes such as capturing credential material.

Impact:

This can affect the organizations in the following ways:

  • Compromise of privileged accounts
  • Unauthorized access to data, applications
  • Lateral movement

Data source:

Windows:

Required configuration: The rule is based on process creation and termination events. Prerequisites are installing and configuring Sysmon, enabling the Audit Process Creation audit policy, and enabling command line auditing.

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0006- Credential Access

Techniques: T1003- OS Credential Dumping

Sub-techniques: T1003.001- LSASS Memory

Criteria:

( ( Command Line contains "procdump" ) OR ( Command Line contains "comsvcs.dll" ) ) AND ( ( Command Line contains ".dmp" ) )

Adversaries use Procdump, or comsvcs.dll, to create a memory dump of the LSASS process and save it to a file such as "lsass.dmp". This dump can provide key data from the LSASS process for credential extraction. The -ma argument in Procdump instructs it to create this full memory dump.

The dump file created is saved with a ".dmp" extension.
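As an added example (not part of the original rule documentation or the vendor's correlation engine), the criteria above evaluated over a few constructed Sysmon process-creation records; the field names, the case-insensitive "contains" matching and the optional image allow-list are assumptions of this example, not something the page specifies.

```python
# Constructed Sysmon Event ID 1 (process creation) records for this example;
# field names mirror Sysmon's Image / CommandLine / ParentImage.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe C:\Temp\lsass.dmp",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 712 C:\Temp\out.dmp full",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Tools\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma 4120",   # no ".dmp" on the command line
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\crash.dmp",  # ".dmp" alone is not enough
     "ParentImage": r"C:\Windows\explorer.exe"},
]

DUMP_TOOLS = ("procdump", "comsvcs.dll")


def matches_rule(command_line: str) -> bool:
    """Evaluate the page's criteria: (procdump OR comsvcs.dll) AND ".dmp".
    Matching is case-insensitive, which is how most SIEM "contains"
    operators behave (an assumption, not something the page states)."""
    cl = command_line.lower()
    return any(tool in cl for tool in DUMP_TOOLS) and ".dmp" in cl


def find_alerts(events, allowed_images=()):
    """Return the events that trigger the rule. allowed_images is an optional
    allow-list of full image paths (for example a vetted antivirus component,
    see the page's known false positives) that is suppressed instead of alerted."""
    allowed = {a.lower() for a in allowed_images}
    return [e for e in events
            if matches_rule(e.get("CommandLine", ""))
            and e.get("Image", "").lower() not in allowed]


if __name__ == "__main__":
    for ev in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", ev["Image"], "->", ev["CommandLine"])
```

Only the first two records alert; the third is deliberately left unmatched to show that the criteria depend on the literal ".dmp" appearing on the command line.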

When to enable this rule:

Enabling this rule will help you meet the security standards' requirements listed below:

Security standards (NIST CSF 2.0):

PR.PS-06: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle

When this rule is triggered, you're notified of potential credential theft using Procdump or Comsvcs. This enables you to review access and permissions and take corrective measures, such as setting policies for regular monitoring of Procdump usage for unauthorized access.

Known false positives: Some password protection tools and antivirus solutions scan LSASS to verify user credentials.

Next steps:

When this alert is triggered, the following measures can be implemented:

  • Identification: Identify the alert as a new incident or within an ongoing incident.
  • Analysis: Analyze the impact and extent of the compromise to comprehend the severity of the attack.
  • Response: Respond promptly by initiating an automated workflow to cease the malicious process.
  • Implement Principle of Least Privilege: Regularly review and ensure that privileged accounts have the required minimum level of permissions.