2021-06-29 03:04 AM
I was doing some testing from the Red Canary Threat Report and executed the following command from an elevated PowerShell prompt:
T1003.001: LSASS Memory
-------
rundll32.exe c:\Windows\System32\comsvcs.dll, MiniDump ((Get-Process lsass).Id) C:\windows\temp\lsass.dmp full
Nothing was detected in NetWitness. I'm running 11.5.0.1 NWE Advanced agent, have the Endpoint rule bundle deployed and even tried on multiple machines.
Any thoughts as to why this isn't being detected as a BOC?
2021-06-29 08:29 AM - edited 2021-06-29 08:30 AM
Is there no alert at all, even in the concentrator? Or only on the host level?
2021-06-29 10:12 AM
There is no alert at all for the command I was running.
There are alerts for other activities; for example, I ran 'unblock-file' on a directory and NWE raised alerts.
But for this rundll32.exe command there is nothing in either concentrator or host level.
2021-06-29 01:58 PM
I suspect it's because we're looking for lsass.exe.
Can you share a dump of all of the meta from the session?
2021-06-29 08:53 PM
I can't share all the meta, but I might be able to provide a redacted snippet. Any suggestion what meta to include?
That being said, I have looked through all the meta during the time period I ran the command. I couldn't find anything in the Investigate module that would suggest it monitored this activity.
When you say that you suspect it's because you're expecting lsass.exe, do you mean the exe itself being executed?
I would've thought the use of rundll32 would trigger because there is other meta that references rundll32.
2021-06-30 01:22 PM - edited 2021-06-30 01:34 PM
Edit: I should note that my lab is running 11.6, so there's a chance that improvements to the agent allow better visibility into this activity compared to 11.5.0.1 agents.
I went and ran the same command in my lab, and although we do collect/track the activity with the advanced agent we are not raising any indicators or alerts to flag on it.
device.type = 'nwendpoint' AND filename.all = 'powershell.exe','rundll32.exe' AND category = 'Process Event'
There are a couple of app rules that are close... but not close enough. I'll take this up with our PM and content teams.
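To make the gap discussed in this thread concrete, here is an added Python example (not NetWitness content and not code from any poster) that runs two toy detection rules over constructed process events. The record fields, the sample PID and the benign events are assumptions; the point is that a rule keyed on the literal string "lsass.exe" never fires for the command above, because PowerShell evaluates ((Get-Process lsass).Id) before spawning rundll32, whereas a rule keyed on the comsvcs.dll MiniDump invocation itself does.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class ProcessEvent:
    """One process-creation record. Field names loosely mirror the NetWitness
    Endpoint meta used in the thread (filename, param, category); the records
    below are constructed samples, not exported telemetry."""
    filename: str        # image name of the created process
    param: str           # full command line of the created process
    parent: str          # image name of the parent process (assumed field)
    category: str = "Process Event"
    device_type: str = "nwendpoint"

# Constructed sample events. PowerShell evaluates ((Get-Process lsass).Id) before
# spawning rundll32, so the child's command line carries a numeric PID (624 is
# made up). Note that "lsass.exe" appears in none of these records.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("rundll32.exe",
                 r"rundll32.exe c:\Windows\System32\comsvcs.dll, MiniDump 624 C:\windows\temp\lsass.dmp full",
                 parent="powershell.exe"),
    ProcessEvent("rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL", parent="explorer.exe"),
    ProcessEvent("powershell.exe", r"powershell.exe -NoProfile -Command Unblock-File -Path C:\tools\*",
                 parent="cmd.exe"),
]

def in_scope(ev: ProcessEvent) -> bool:
    """Same scoping as the query in the thread: endpoint process events from
    powershell.exe or rundll32.exe."""
    return (ev.device_type == "nwendpoint"
            and ev.category == "Process Event"
            and ev.filename.lower() in {"powershell.exe", "rundll32.exe"})

def naive_lsass_rule(ev: ProcessEvent) -> bool:
    """Mimics a rule that keys on the literal target name lsass.exe.
    It misses the thread's command because the PID is resolved before the
    child process is created."""
    return in_scope(ev) and "lsass.exe" in ev.param.lower()

# Match the DLL and the export actually invoked, independent of how the target
# PID or the dump path is spelled (the dump file name is chosen by the operator,
# so "lsass.dmp" is not something a rule should depend on).
COMSVCS_MINIDUMP = re.compile(r"comsvcs\.dll\s*,\s*minidump\b", re.IGNORECASE)

def comsvcs_minidump_rule(ev: ProcessEvent) -> bool:
    return in_scope(ev) and COMSVCS_MINIDUMP.search(ev.param) is not None

RULES: Dict[str, Callable[[ProcessEvent], bool]] = {
    "lsass_literal": naive_lsass_rule,
    "comsvcs_minidump": comsvcs_minidump_rule,
}

def evaluate(events: List[ProcessEvent], rules=RULES) -> Dict[str, List[str]]:
    """Return, per rule, the command lines it fired on."""
    hits: Dict[str, List[str]] = {name: [] for name in rules}
    for ev in events:
        for name, rule in rules.items():
            if rule(ev):
                hits[name].append(ev.param)
    return hits

if __name__ == "__main__":
    for name, matched in evaluate(SAMPLE_EVENTS).items():
        print(f"{name}: {len(matched)} hit(s)")
        for line in matched:
            print("   ", line)
```

Run as-is, the literal rule reports zero hits and the comsvcs/MiniDump rule reports exactly the rundll32 child event. If the telemetry also records the PID-to-image mapping, a rule can additionally resolve the numeric argument to lsass and raise severity, but the DLL-plus-export match is the part that does not depend on the operator's spelling.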
2021-07-01 01:52 AM
Ahh, awesome. Thanks for that query. I was able to find it as well in my logs.