Live Response - Suspicious Process - Create a dump for offline analysis

Reviewed by Sophos

Imagine the scenario: you see what looks to be a suspicious process on an endpoint, maybe you've used Live Query to list its modules, but you need to dig a little deeper.

Well, how about the following workflow:

  1. Initiate a Live Response session to the endpoint.

  2. Confirm the process in question is running and obtain its PID, using tasklist for example:

    tasklist | find "LooksOdd.exe"

    LooksOdd.exe           14052 Console                    1    122,312 K

  3. Now that we have the PID, create a temporary location for the dump:

    mkdir C:\dumps

    followed by:

    Powershell -c rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 14052 C:\dumps\LooksOdd-14052.dmp full

  4. This will create a full dump file of the process under C:\dumps\. Of course, there are plenty of ways to take a dump, with tools such as Procdump from Microsoft/Sysinternals, but sometimes it's nice to use something that's already on the endpoint for speed, even if it's not quite as fully functional. If you need the added flexibility of those tools, the information in https://community.sophos.com/products/intercept/early-access-program/f/feedback-and-issues/120204/live-response---making-use-of-sysinternals-tools should help.

Note: It's worth being a little careful as to which process you're dumping, as the process is suspended while the dump is written, and, depending on the modules loaded, the resulting dump file can be quite large (think of the process's working set).

The file could then be zipped up, or perhaps written directly to a filer location, and analyzed on your local machine.

Analysis might include using WinDbg, either the classic version found in, say, the Windows SDK, or the newer WinDbg Preview available in the Microsoft Store.

If you want to look at the modules loaded in the process at the time the dump was created, I would first recommend downloading the MEX WinDbg extension from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=53304. Then, having unpacked mex.dll (same bitness as the WinDbg build) to, for example, C:\temp\mex.dll, you can load it in WinDbg with the command:

.load C:\temp\mex.dll

MEX provides the "writemodule" command, so you can then run:

!mex.writemodule -a

This will write all the loaded modules to disk, by default under %temp%\MexEmbeddedResources\GUID\.

At this point, bear in mind that these files could themselves be malicious, but you now have some useful data with which to progress your investigation.

I hope it helps.

Jak
