Threat Hunting Credential Dumping

Investigating Suspicious Credential Dumping Activity: A Realistic Threat Hunting Case Study

Why This Activity Stood Out

During a routine review of our security telemetry, a cluster of events caught my eye: rundll32.exe launches whose command lines carried base64-encoded PowerShell, followed by an attempted outbound connection to what appeared to be an uncommon domain. Neither is credential dumping on its own, but together they are the staging an attacker does before touching LSASS, and that maps to T1003 (OS Credential Dumping) in the MITRE ATT&CK framework, with LSASS memory as sub-technique T1003.001.

Initial Hunt Logic

Available Telemetry

  • LSASS Access: a process opening a handle to lsass.exe with memory-read rights is the core endpoint signal for credential dumping; legitimate readers (the AV/EDR engine, a few system processes) have to be baselined so the rest stand out.
  • Sysmon Event ID 10 (ProcessAccess): records which process opened which target process, the GrantedAccess mask and the call trace. With a Sysmon configuration that includes lsass.exe as a TargetImage, these events show the LSASS access above.
  • Security Logs: event 4688 (process creation, with command-line auditing enabled) and the 4624/4625 logon events add the account involved and any failed logons around the same time.

Threat Actor Reference

Given the nature of the activity, we suspected a connection with Wizard Spider. This group is known for credential dumping and for obfuscated (encoded) command execution followed by lateral movement, and an outbound connection to an uncommon domain would fit its command-and-control pattern. At this stage the attribution is a working hypothesis that shapes what we look for, not a conclusion.

Reviewing Process Lineage

To understand the context better, I started by reviewing the process lineage and command-line arguments used in conjunction with rundll32.exe.

KQL Query Results

I ran a basic query to list rundll32.exe executions with their own command line and the parent process that launched them:

DeviceProcessEvents
| where FileName =~ "rundll32.exe"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine

This returned a list of processes and their command-line arguments. One particular entry stood out due to the presence of encoded PowerShell commands.

Example Command-Line Argument

rundll32.exe urlmon.dll,FileProtocolHandler -c -f "EncodedCommand"

The indicator is the encoded command string, shown redacted above as "EncodedCommand". rundll32.exe itself has no encoding switch: -enc (short for -EncodedCommand) belongs to powershell.exe and takes a base64 string of UTF-16LE text, so its appearance in a rundll32.exe invocation most likely means the DLL export is being used to hand a script to PowerShell. Attackers do this to keep the script out of plain-text command-line logs, and it means the child processes of this rundll32.exe instance should be checked for powershell.exe.

Expanding the Investigation

Sysmon Event ID 10

Next, I looked at Sysmon Event ID 10 (ProcessAccess) events, filtered to those whose target process is lsass.exe (field names follow the common Sysmon parser for Sentinel):

Sysmon
| where EventID == 10 and TargetImage endswith @"\lsass.exe"
| where GrantedAccess != "0x1000"   // QUERY_LIMITED_INFORMATION only: process enumeration, not a memory read
| project TimeGenerated, Computer, SourceImage, SourceProcessGuid, GrantedAccess, CallTrace

This returned several events showing processes that opened LSASS with memory-read rights. GrantedAccess is the key field: 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) alone is routine enumeration, whereas masks that include 0x10 (PROCESS_VM_READ), such as 0x1010, 0x1410 and 0x1FFFFF (all access), are what dumping tools need. SourceImage and CallTrace then tell you whether the reader is a known AV/EDR component or something that warrants a closer look.

Security Log Review

I also reviewed the Security log around the same timestamps for anomalies such as unusual logons (4624 with an unexpected logon type or account) and failed logons (4625).

Detection Opportunities

Sigma Rule: Suspicious Encoded PowerShell

Based on our findings, we developed a Sigma rule to detect encoded PowerShell commands being executed via rundll32.exe:

title: Suspicious Encoded PowerShell via rundll32.exe
status: experimental
description: Detects rundll32.exe invocations that carry an encoded PowerShell command, and PowerShell processes spawned by rundll32.exe that carry one.
logsource:
  category: process_creation
  product: windows
detection:
  selection_rundll32:
    Image|endswith: '\rundll32.exe'
  selection_child:
    ParentImage|endswith: '\rundll32.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_encoded:
    CommandLine|contains:
      - ' -enc '
      - ' -e '
      - ' -ec '
      - 'EncodedCommand'
  condition: (selection_rundll32 or selection_child) and selection_encoded
falsepositives:
  - Deployment or administration tools that launch encoded PowerShell from rundll32.exe; exclude by full path and signer, not file name
level: high
tags:
  - attack.execution
  - attack.t1059.001
  - attack.defense_evasion
  - attack.t1218.011

This rule flags rundll32.exe invocations that carry an encoded PowerShell command, and PowerShell children of rundll32.exe that do. Either is a strong indicator of an attacker's presence, but it should be paired with the LSASS access telemetry above before being treated as confirmed credential dumping.
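The hunt in this section keys on two things: an encoded-command switch on a rundll32.exe lineage, and what the base64 blob actually decodes to. The following Python is an added example (not code from the original post) that applies the same condition as the Sigma rule to a handful of constructed process-creation records, decodes the UTF-16LE base64 payload the way powershell.exe does, and scores the decoded script against a short list of LSASS-dumping indicators. The field names, sample events and indicator list are assumptions for illustration; Sysmon Event ID 1 and MDE DeviceProcessEvents carry the same data under their own field names.

```python
"""Triage process-creation events for encoded PowerShell on a rundll32.exe lineage.

Added example for this post, not code from the original. Field names (Computer,
Image, ParentImage, CommandLine), the sample events and the indicator list are
assumptions for illustration.
"""
import base64
import re
from typing import Optional

# powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc, ...) plus -ec.
_ENC_PREFIXES = sorted({"encodedcommand"[:n] for n in range(1, 15)} | {"ec"}, key=len, reverse=True)
ENC_SWITCH = re.compile(r"(?i)(?:^|\s)[-/](?:" + "|".join(_ENC_PREFIXES) + r")\s+([A-Za-z0-9+/=]+)")

# Strings typical of LSASS memory dumping (T1003.001); extend for your environment.
DUMP_INDICATORS = ("lsass", "minidump", "comsvcs", "sekurlsa", "procdump", "mimikatz", "dumpert")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind an -EncodedCommand switch, or None if there is none.

    PowerShell expects base64 of UTF-16LE text; decoding as UTF-8 would give garbage.
    """
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def matches_rule(ev: dict) -> bool:
    """Same condition as the Sigma rule: rundll32.exe itself, or a PowerShell child
    of rundll32.exe, with an encoded-command switch on the command line."""
    image = ev["Image"].lower()
    parent = ev["ParentImage"].lower()
    on_rundll32_lineage = image.endswith("\\rundll32.exe") or (
        parent.endswith("\\rundll32.exe")
        and image.endswith(("\\powershell.exe", "\\pwsh.exe"))
    )
    return on_rundll32_lineage and ENC_SWITCH.search(ev["CommandLine"]) is not None


def triage(events: list) -> list:
    """Apply the rule, decode each hit's payload and score it for dumping indicators."""
    hits = []
    for ev in events:
        if not matches_rule(ev):
            continue
        script = decode_encoded_command(ev["CommandLine"])
        found = [i for i in DUMP_INDICATORS if script and i in script.lower()]
        hits.append({
            "Computer": ev["Computer"],
            "Image": ev["Image"],
            "ParentImage": ev["ParentImage"],
            "DecodedScript": script,
            "Indicators": found,
            # Encoded without dumping indicators still deserves review, just not a page-out.
            "Verdict": "credential-dumping" if found else "encoded-review",
        })
    return hits


def _enc(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it (used to build the samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_RUNDLL = r"C:\Windows\System32\rundll32.exe"

# Constructed sample events in Sysmon Event ID 1 shape, not real telemetry.
SAMPLE_EVENTS = [
    # 1. PowerShell child of rundll32.exe; payload dumps LSASS via comsvcs.dll MiniDump.
    {"Computer": "WS-042", "Image": _PS, "ParentImage": _RUNDLL,
     "CommandLine": "powershell.exe -NoP -W Hidden -enc " + _enc(
         "$p=(Get-Process lsass).Id; rundll32.exe C:\\Windows\\System32\\comsvcs.dll, "
         "MiniDump $p C:\\Windows\\Temp\\l.dmp full")},
    # 2. Same lineage, encoded, but the script is a harmless inventory one-liner.
    {"Computer": "WS-017", "Image": _PS, "ParentImage": _RUNDLL,
     "CommandLine": "powershell.exe -EncodedCommand " + _enc(
         "Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version")},
    # 3. Encoded PowerShell from explorer.exe: outside this rule's scope.
    {"Computer": "WS-017", "Image": _PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -e " + _enc("whoami /all")},
    # 4. Routine rundll32.exe use with no encoded switch.
    {"Computer": "WS-042", "Image": _RUNDLL, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL desk.cpl"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["Computer"], hit["Verdict"], hit["Indicators"])
        print("   ", hit["DecodedScript"])
```

Run as-is, only the first two samples are returned: the comsvcs.dll MiniDump one as credential-dumping, the inventory one as encoded-review. The prefix list matters in practice; a rule that only looks for the literal -enc misses -e and -ec, which are just as valid to powershell.exe.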

KQL Hunting Reference

To further refine our hunt, I used the following query:

DeviceProcessEvents
| where FileName =~ "rundll32.exe" or InitiatingProcessFileName =~ "rundll32.exe"
| where ProcessCommandLine contains "-enc"   // case-insensitive; matches -enc and -EncodedCommand (and -Encoding, which needs review)
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine

The second where clause does the filtering for encoded commands that I had first done by hand, and the lineage clause also picks up PowerShell children of rundll32.exe, which is where the encoded command usually ends up running.

Analyst Notes

Process Lineage Analysis

Analyzing the process lineage, I noticed that the rundll32.exe execution was initiated by what seemed like a legitimate application. The encoded PowerShell command still raised a red flag, because a legitimate parent does not make the payload benign: we needed to decode the command and check what it did before deciding whether this was a benign operation or malicious activity.

Why Activity Looks Suspicious

The use of rundll32.exe with an encoded PowerShell command is suspicious because:

  • rundll32.exe is a signed Microsoft binary that loads whatever DLL export it is pointed at, so attackers use it to proxy execution (T1218.011) and blend in with the many legitimate rundll32.exe launches on a host.
  • -enc / -EncodedCommand means the real script is base64-encoded UTF-16LE and hidden from a plain-text command-line search; the payload has to be decoded to know what it does.

False Positive Scenarios

We considered scenarios where false positives might occur:

  • Deployment, monitoring or remote-management tools that legitimately launch encoded PowerShell, in some cases through rundll32.exe.
  • Automated scripts or scheduled tasks that generate such command lines as part of their normal operations.

To reduce false positives, baseline which parents launch encoded PowerShell in your environment (deployment and remote-management tools, for example), exclude them by full path and signer rather than by file name, and alert on anything outside the baseline; a prevalence threshold (first seen on this host, or seen on fewer than a handful of hosts) is a useful second filter.

Telemetry Gaps

LSASS Access

While LSASS access events are valuable, they do not provide complete context on their own:

  • Sysmon Event ID 10 records the source and target image, the GrantedAccess mask and a call trace, but not the source process's command line, so the encoded PowerShell arguments are invisible in that event.
  • It carries no parent information either; the lineage has to be recovered by joining SourceProcessGuid to the matching Sysmon Event ID 1, and if that event was not collected (or has aged out) the origin and purpose of the access are hard to establish.
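Sysmon Event ID 10 gives SourceImage, GrantedAccess and CallTrace but no command line or parent, which is the gap described above. The Python below is an added example (not the post's code) that covers both the Event ID 10 triage from the Expanding the Investigation section and this gap: it filters access events to lsass.exe, decodes the GrantedAccess mask into Win32 process rights, drops enumeration-only handles and allow-listed AV/EDR readers, and joins each remaining event to its Event ID 1 record by SourceProcessGuid to recover the command line and parent. The records, ProcessGuids, paths and the allow-list are constructed for illustration.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records that target lsass.exe.

Added example for this post, not the post's code. Records, ProcessGuids, paths and
the allow-list are constructed for illustration; field names follow Sysmon's own
event schema (SourceImage, TargetImage, GrantedAccess, CallTrace, SourceProcessGuid).
"""

# Win32 process access rights from winnt.h, the subset that matters for LSASS.
RIGHTS = {
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
# Any of these lets the caller read (or alter) LSASS memory; QUERY_* alone is enumeration.
MEMORY_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040

# Readers that legitimately open LSASS (assumption: tune to your AV/EDR stack). Matching on
# file name alone is a known weakness; in production compare full path and signer as well.
ALLOWED_SOURCE_IMAGES = ("\\msmpeng.exe", "\\csrss.exe", "\\wininit.exe")


def decode_mask(mask: int) -> list:
    """Turn a GrantedAccess value into the named rights it contains."""
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in RIGHTS.items() if mask & bit]


def triage_lsass_access(access_events: list, process_events: list,
                        allow_list: tuple = ALLOWED_SOURCE_IMAGES) -> list:
    """Filter Event ID 10 to risky LSASS handles and join each to its Event ID 1 record."""
    by_guid = {p["ProcessGuid"]: p for p in process_events}
    findings = []
    for ev in access_events:
        if ev["EventID"] != 10 or not ev["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        mask = int(ev["GrantedAccess"], 16)
        if not mask & MEMORY_RIGHTS:
            continue  # e.g. 0x1000: Task Manager or tasklist enumerating processes
        if ev["SourceImage"].lower().endswith(allow_list):
            continue
        origin = by_guid.get(ev["SourceProcessGuid"], {})
        findings.append({
            "Computer": ev["Computer"],
            "SourceImage": ev["SourceImage"],
            "GrantedAccess": ev["GrantedAccess"],
            "Rights": decode_mask(mask),
            # Sysmon prints UNKNOWN(<addr>) for call-stack frames not backed by a module on
            # disk, the signature of injected or reflectively loaded code.
            "UnbackedFrames": "UNKNOWN(" in ev.get("CallTrace", ""),
            # None here is the lineage gap: no Event ID 1 for this GUID in the data we hold.
            "CommandLine": origin.get("CommandLine"),
            "ParentImage": origin.get("ParentImage"),
        })
    return findings


_LSASS = r"C:\Windows\System32\lsass.exe"
_RUNDLL = r"C:\Windows\System32\rundll32.exe"
_STACK = r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4|C:\Windows\System32\KERNELBASE.dll+2c5fe"

# Constructed Sysmon Event ID 1 records (process creation).
SAMPLE_PROCESS_EVENTS = [
    {"ProcessGuid": "{A1}", "Image": _RUNDLL,
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Windows\Temp\l.dmp full"},
    {"ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\Taskmgr.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "taskmgr.exe"},
]

# Constructed Sysmon Event ID 10 records (process access).
SAMPLE_ACCESS_EVENTS = [
    # comsvcs.dll MiniDump of LSASS from the rundll32.exe above: full access, lineage on record
    {"EventID": 10, "Computer": "WS-042", "SourceProcessGuid": "{A1}", "SourceImage": _RUNDLL,
     "TargetImage": _LSASS, "GrantedAccess": "0x1FFFFF",
     "CallTrace": _STACK + r"|C:\Windows\System32\comsvcs.dll+3d6b1"},
    # Defender engine: memory read, but an allow-listed reader
    {"EventID": 10, "Computer": "WS-042", "SourceProcessGuid": "{D4}",
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23100.5-0\MsMpEng.exe",
     "TargetImage": _LSASS, "GrantedAccess": "0x1010", "CallTrace": _STACK},
    # Task Manager listing processes: limited query only, dropped as noise
    {"EventID": 10, "Computer": "WS-017", "SourceProcessGuid": "{B2}",
     "SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": _LSASS,
     "GrantedAccess": "0x1000", "CallTrace": _STACK},
    # Unknown binary in a user-writable path, unbacked frames, and no Event ID 1 on record
    {"EventID": 10, "Computer": "WS-017", "SourceProcessGuid": "{C3}",
     "SourceImage": r"C:\Users\Public\svchost.exe", "TargetImage": _LSASS,
     "GrantedAccess": "0x1010", "CallTrace": _STACK + "|UNKNOWN(000001D7A9D60A0F)"},
]

if __name__ == "__main__":
    for f in triage_lsass_access(SAMPLE_ACCESS_EVENTS, SAMPLE_PROCESS_EVENTS):
        print(f["Computer"], f["SourceImage"], f["GrantedAccess"], f["Rights"],
              "unbacked-frames" if f["UnbackedFrames"] else "", f["CommandLine"] or "<no Event ID 1>")
```

Two of the four access events survive: the rundll32.exe/comsvcs.dll dump, whose command line the join recovers, and the fake svchost.exe, for which the join returns nothing and the call trace shows unbacked frames. That second case is exactly the telemetry gap: the access is visible, but the origin is not, and the response has to fall back to the host itself.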

Outbound Connections

The initial hypothesis was that there would be an outbound connection to a rare domain, but none showed up in our data. Before concluding that the attacker changed tactics or is operating in a different network segment, check whether that telemetry exists at all: Sysmon Event ID 3 (NetworkConnect) and 22 (DnsQuery), or DeviceNetworkEvents in MDE, have to be enabled and retained for the hosts in question. A connection we cannot see is not the same as no connection.

Operational Challenges

Identifying Malicious Command Lines

Identifying malicious command lines from rundll32.exe executions is hard because attackers obfuscate them. We rely on decoding the payload, heuristics, and context (parent process, user, host role) to distinguish benign from malicious operations.

False Negatives

No single rule catches every credential-dumping variant: a dumper that avoids the usual API path leaves a different call trace, and a renamed binary defeats file-name matching. The defence is to layer detections that key on different things (LSASS handle access, command-line content, process lineage, outbound traffic) so that evading one still trips another.

Practical Hunting Methodology

  1. Initial Hypothesis: rundll32.exe launching encoded PowerShell is the staging step for credential dumping.
  2. Telemetry Collection: gather LSASS access events, Sysmon process-creation and network events, and Security event logs for the affected hosts and time window.
  3. Process Lineage Analysis: examine parent and child processes and decode the command-line arguments to determine their purpose.
  4. Sigma Rule Implementation: write a rule so the pattern is detected automatically in the future.
  5. Security Log Review: check for unusual logons or failed access requests around the same time.

Telemetry Improvement Ideas

Enhanced Logging

  • Enable command-line capture for every process creation, not just rundll32.exe: Sysmon Event ID 1 and the Security log 4688 event with "Include command line in process creation events" turned on. PowerShell Script Block Logging (Event ID 4104) records the decoded script even when it was passed with -EncodedCommand.
  • Configure Sysmon's ProcessAccess rule to log handles to lsass.exe with their CallTrace, and retain Event ID 1 long enough that Event ID 10 can be joined back to it.

Behavioral Analytics

  • Implement behavioral analytics to detect deviations from baseline behavior patterns.
  • Use machine learning models to identify anomalies in credential handling activities.

Hashtags Relevant to the Hunt Topic

#ThreatHunting #CredentialDumping #WizardSpider #Sysmon #LSASSAccess #rundll32Exe #PowerShellObfuscation #DetectionEngineering #SecurityMonitoring #NetworkIntrusion #AdvancedThreatHunting #T1003 #MITREATT&CK

This investigation underscores the importance of a multi-faceted approach to threat hunting, leveraging multiple telemetry sources and employing both static and dynamic analysis techniques. By continuously refining our detection mechanisms and improving our understanding of threat actors’ tactics, we can better protect our networks from sophisticated cyber threats.

#ThreatHunting
#CyberSecurity
#DetectionEngineering
#SOC
#ThreatDetection
#BlueTeam
#DFIR
#MITREATTACK
#ThreatResearch