itman 1,659 Posted May 28, 2019

Here's a good reference on Win system process activity: https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2

Wininit.exe creates services.exe and in turn creates lsass.exe and lsm.exe running as child processes to it.
itman 1,659 Posted May 28, 2019 (edited)

Quote
C:\Windows\System32\svchost.exe;Get access to another application;C:\Windows\System32\lsass.exe;blocked;Self-Defense: Do not allow modification of system processes;Terminate/suspend another application

I think this one needs a detailed investigation. Why?

Quote
Cobalt Strike: Built-in Mimikatz credential dump capability executed
A Specific Behavior alert was generated for svchost.exe loading Mimikatz and accessing lsass (an audited system resource). The alert was also tagged with the correct ATT&CK Tactic (Credential Access) and related Technique (Process Injection).

Cobalt Strike: Built-in hash dump capability executed
Telemetry showed svchost.exe injecting into lsass.exe. The telemetry was tainted by the parent “injected (svchost.exe > lsass.exe)” alert. The hashdumpx64.dll was also seen loaded as a floating executable code.

https://attackevals.mitre.org/evaluations/cybereason.1.apt3.1/procedures/credentialdumping

Edited May 28, 2019 by itman
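The post above treats a single HIPS line (svchost.exe trying to get access to lsass.exe) as something to investigate. The following is an added triage script, not code from the poster or from ESET, that parses lines in the semicolon-separated layout the quoted entry uses and ranks every access to lsass.exe by whether it was allowed and where the source process lives. The field order (source; operation; target; action; rule; detail), the list of trusted directories and the sample lines are all assumptions constructed for the example.

```python
import csv
import ntpath
from dataclasses import dataclass
from io import StringIO
from typing import Dict, List, Tuple

# Constructed sample in the semicolon-separated layout of the quoted HIPS line
# (source process; operation; target process; action; rule; detail). Not a real log.
SAMPLE_HIPS_LOG = """\
C:\\Windows\\System32\\svchost.exe;Get access to another application;C:\\Windows\\System32\\lsass.exe;blocked;Self-Defense: Do not allow modification of system processes;Terminate/suspend another application
C:\\Windows\\System32\\svchost.exe;Get access to another application;C:\\Windows\\System32\\lsass.exe;blocked;Self-Defense: Do not allow modification of system processes;Modify state of another application
C:\\Windows\\explorer.exe;Get access to another application;C:\\Program Files\\Example\\app.exe;allowed;;Read memory of another application
C:\\Users\\alice\\Downloads\\tool.exe;Get access to another application;C:\\Windows\\System32\\lsass.exe;allowed;;Read memory of another application
"""

# Assumed field order of one HIPS log entry.
FIELDS = ("source", "operation", "target", "action", "rule", "detail")

# Directories from which a process touching lsass.exe is at least plausible (assumption).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")


@dataclass(frozen=True)
class HipsEvent:
    source: str
    operation: str
    target: str
    action: str
    rule: str
    detail: str


def parse_hips_log(text: str) -> List[HipsEvent]:
    """Parse semicolon-separated HIPS lines; rows with too few fields are skipped."""
    events = []
    for row in csv.reader(StringIO(text), delimiter=";"):
        if len(row) < len(FIELDS):
            continue
        events.append(HipsEvent(*[f.strip() for f in row[: len(FIELDS)]]))
    return events


def _basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the host platform
    return ntpath.basename(path).lower()


def _is_trusted_path(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def triage_lsass_access(events: List[HipsEvent]) -> List[Tuple[str, HipsEvent]]:
    """Rank every event whose target is lsass.exe.

    critical -> access allowed from a location outside the Windows system directories
    review   -> access allowed from a Windows system directory
    blocked  -> HIPS stopped it; the source (e.g. svchost.exe, which may host
                injected code, as the MITRE excerpt notes) is still worth a look
    """
    findings = []
    for ev in events:
        if _basename(ev.target) != "lsass.exe":
            continue
        if ev.action.lower() != "allowed":
            findings.append(("blocked", ev))
        elif _is_trusted_path(ev.source):
            findings.append(("review", ev))
        else:
            findings.append(("critical", ev))
    return findings


def count_by_source(findings: List[Tuple[str, HipsEvent]]) -> Dict[str, int]:
    """How many lsass.exe findings each source executable produced."""
    counts: Dict[str, int] = {}
    for _, ev in findings:
        name = _basename(ev.source)
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, ev in triage_lsass_access(parse_hips_log(SAMPLE_HIPS_LOG)):
        print(f"{severity:8} {ev.source} -> {ev.target} ({ev.action}; {ev.detail})")
```

On the sample, the two blocked svchost.exe lines come out as "blocked" (the HIPS rule held, but the reason svchost.exe reached for lsass.exe at all is the open question the post raises), while the allowed read of lsass.exe memory from a user's Downloads folder is ranked "critical" because nothing that lives there has a legitimate reason to touch the credential store.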