HackTool - XORDump Execution

About the rule

Rule Type

Standard

Rule Description

XORDump is a memory dumping utility used to access credentials in the process memory of the Local Security Authority Subsystem Service (LSASS). It is leveraged by attackers to access LSASS credentials and move laterally across the network. This rule detects the execution of XORDump process and flags potential attempts of lateral movement and privilege escalation.

Severity

Trouble

Rule journey

Attack chain scenario

Initial Access → Execution → Defense Evasion → Credential Access → LSASS credential dumping

Impact

• Credential compromise
• Lateral movement
• Defense evasion

Rule Requirement

Prerequisites

• Windows Event Viewer

Logon to Group Policy Management Console with administrative privileges and enable auditing for process creation and termination events. For enhanced process tracking enable the inclusion of command line information in process creation events. Finally, create a new registry key "Microsoft-Windows-Security-Auditing/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog".

• Sysmon

Install Sysmon from Microsoft Sysinternals and download the Sysmon configuration file that includes process creation monitoring. Add process creation events to the configuration file to capture all process creations. Finally, create a registry key "Microsoft-Windows-Sysmon/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog".

(((( PROCESSNAME ENDS_WITH ""\\xordump.exe"" ) ) OR (( COMMANDLINE CONTAINS ""-process lsass.exe"" ) OR ( COMMANDLINE CONTAINS ""-m comsvcs"" ) OR ( COMMANDLINE CONTAINS ""-m dbghelp"" ) OR ( COMMANDLINE CONTAINS ""-m dbgcore"" ) )))

This rule is triggered when the executed process is associated with the following suspicious elements:

• \\xordump.exe: Refers to the executable associated with the hacking tool XORDump.
• -process lsass.exe: Refers to the process associated with the Local Security Authority Subsystem Service (LSASS).
• -m comsvcs: A command line module related to memory dumping.
• -m dbghelp: A Windows library used to create mini dumps during debugging.
• -m dbgcore: A core debugging engine used by debugging tools.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: Masquerading (T1036); Credential Access: OS Credential Dumping - LSASS Memory (T1003.001)

Security Standards

Enabling this rule will help you meet the security standard's requirement listed below:

DE.AE-02: Potentially adverse events are analyzed to better understand associated activities.

When this rule is triggered, you're notified of the execution of HackTool - XORDump. This enables you to identify credential harvesting attempts targeting LSASS and flag suspicious processes associated with credential dumping and lateral movement.

Author

Florian Roth (Nextron Systems)

Future actions

Known False Positives

This rule might be triggered when administrators utilize the XORDump tool to troubleshoot or debug the LSASS memory.

Next Steps

When this rule is triggered, the following measures can be implemented:

1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
4. Enable LSASS auditing: Continuously monitor system processes, detect process executions targeting the LSASS process memory, and limit dumping/debugging permissions to administrators only.

Mitigation