Unraveling Cyber Defense Secrets: Strategies for Defending Against Credential Harvesting

Blog Post

By: Shaul Saitowitz, Senior Data Scientist

Welcome to the Unraveling Cyber Defense Model Secrets series, where we shine a light on Adlumin’s Data Science team, explore the team’s latest detections, and learn how to navigate the cyberattack landscape.

The Growing Risks of Credential Harvesting

Credential harvesting is a technique cybercriminals use to gain access to networks and sensitive data by stealing login credentials. Phishing emails, fake login pages, and other methods make it easy for attackers to trick users into sharing this information. Once obtained, these credentials allow them to move through systems unnoticed.

With more logins to manage than ever, it’s easy to see why people reuse passwords or turn to tools like single sign-on (SSO). However, this can create a single point of vulnerability—if one password is compromised, it could grant access to multiple systems.

Multi-Factor Authentication (MFA) offers an additional layer of protection, but it’s still underutilized. In fact, 54% of small to medium-sized businesses have yet to implement MFA, despite it being a simple way to enhance security.

Even with strong cyber hygiene, credentials remain prime targets for threat actors. As cybercriminals evolve alongside new technologies, even the most secure organizations can be vulnerable to unforeseen threats. Without a unified, organization-wide approach to security, the risk of unauthorized access increases, putting sensitive data and critical systems at risk.

Fortunately, Adlumin’s advanced detection system leverages data science to stay ahead of these threats. By analyzing a wide range of attack techniques, our platform identifies and mitigates credential-based attacks, providing comprehensive protection for our customers.

Addressing Loopholes: The comsvcs, rundll32, and lsass Combination

One notable challenge in detecting credential harvesting attacks is when attackers use a combination of tools and processes native to Windows that can evade simpler detection mechanisms. For example:

  • comsvcs.dll: This is a legitimate, Microsoft-signed dynamic link library (DLL) that provides COM+ services. Among its exports is a MiniDump function that writes the memory of a target process to a file; attackers abuse that built-in export rather than loading any code of their own.
  • rundll32.exe: This legitimate Windows utility loads a DLL and calls one of its exported functions, by name or by ordinal number. Attackers use it to invoke exports of legitimate DLLs in a way that blends in with normal system activity.
  • lsass.exe (Local Security Authority Subsystem Service): This process enforces security policy and handles logons and password changes. Its memory holds credential material for logged-on users, such as NTLM hashes and Kerberos tickets (and plaintext passwords where legacy providers like WDigest are enabled).

Attackers use a variety of techniques to perform credential dumping, most of them centred on reading the memory of lsass.exe. One method that needs no malicious binary at all is to have rundll32.exe load comsvcs.dll and call its MiniDump export, passing the process ID of lsass.exe, an output path, and the "full" option. The resulting dump file is then taken off the host and parsed offline to recover hashes, Kerberos tickets and any plaintext passwords it contains. Two caveats matter for defenders: the caller needs SeDebugPrivilege, so this is a post-elevation step rather than an initial foothold, and LSA Protection (running lsass.exe as a protected process) blocks the dump from an ordinary administrator context.

A slightly stealthier variant calls the export by its position in the DLL's export table (its ordinal) rather than by name. rundll32.exe accepts an ordinal written as a number after a hash sign, so MiniDump, which is export ordinal 24 in comsvcs.dll, can be invoked as "#24" and the string "MiniDump" never appears on the command line. Detections that simply look for that function name miss this form; the fix is to treat the comsvcs.dll plus "#24" combination as equivalent to the by-name call and, ideally, to check whether the process ID being passed belongs to lsass.exe.

Multi-Layered Detection Strategy

By applying data science to threat detections, the Adlumin platform can spot and flag any suspicious attempts to use these tools together. Our threat defense coverage extends to multiple harvesting tools and techniques, usefully categorized under the following labels:

  1. Blacklists: Known malicious tools and techniques are blocked using predefined blacklists. These lists are regularly updated to include the latest threats, ensuring the platform can quickly identify any attempts to use these tools within the network.
  2. Complex Logic: More nuanced attack patterns are detected using conditional checks. These checks look for specific conditions in the data, capturing sophisticated attacks that use variations of known techniques or combine multiple methods to evade detection.
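As an added illustration of the two layers above, and of the by-name and by-ordinal forms of the comsvcs.dll MiniDump call described earlier, the following Python script is example code written for this post; it is not Adlumin's detection logic. It runs a simple "known bad" pattern (the export called by name) and an ordinal-aware pattern (the export called as #24) over a handful of constructed process-creation events, then correlates the process ID argument with a constructed process inventory to decide whether the dump target is lsass.exe. The event field names, the inventory, the sample command lines and the severity labels are all assumptions made for the example.

```python
"""
Added example: flag comsvcs.dll MiniDump abuse in process-creation telemetry.

The sample events and process inventory below are constructed for illustration
(field names loosely follow Windows Security event 4688 / Sysmon event 1);
they are not real logs and this is not a vendor's detection logic.
"""
import re
from dataclasses import dataclass, field

# Constructed process inventory: which PID is lsass.exe on this host. In
# practice this comes from the same telemetry (the lsass.exe creation event
# at boot) or from an endpoint agent.
PROCESS_INVENTORY = {
    688: r"C:\Windows\System32\lsass.exe",
    1234: r"C:\Windows\System32\svchost.exe",
}

# Constructed process-creation events. PIDs and paths are made up.
SAMPLE_EVENTS = [
    # 1. Textbook form: export called by name, target is lsass.exe.
    {"pid": 4812, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 688 C:\Temp\lsass.dmp full"},
    # 2. Export called by ordinal, quoted output path.
    {"pid": 4820, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe comsvcs.dll, #24 688 "C:\Users\Public\x.dmp" full'},
    # 3. Renamed copy of rundll32, DLL given without extension, padded ordinal.
    {"pid": 4830, "image": r"C:\Users\Public\r32.exe",
     "cmdline": r"r32.exe COMSVCS,#+0024 688 C:\Temp\a.bin full"},
    # 4. Benign rundll32 use: should not fire.
    {"pid": 4840, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    # 5. MiniDump of a process that is not lsass.exe: suspicious, lower severity.
    {"pid": 4850, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 1234 C:\Temp\svc.dmp full"},
]

# Layer 1 ("blacklist"): the export called by name.
BY_NAME_RE = re.compile(r"comsvcs(?:\.dll)?\s*,\s*minidump\b", re.IGNORECASE)

# Layer 2 ("complex logic"): the export called by ordinal. The ordinal text is
# parsed as an integer by rundll32, so do not hinge on the literal "#24":
# tolerate whitespace, a sign and leading zeros, but reject e.g. "#240".
BY_ORDINAL_RE = re.compile(r"comsvcs(?:\.dll)?\s*,\s*#\s*\+?0*24(?!\d)", re.IGNORECASE)

# Argument shape MiniDump expects after the export: <pid> <output path> full
ARGS_RE = re.compile(r'(?:minidump|#\s*\+?0*24)\s+(?P<pid>\d+)\s+(?P<out>"[^"]+"|\S+)',
                     re.IGNORECASE)


@dataclass
class Finding:
    pid: int            # PID of the process that ran the dump command
    severity: str       # "high" if the dump target is lsass.exe, else "medium"
    reasons: list = field(default_factory=list)


def analyze(event, inventory=PROCESS_INVENTORY):
    """Return a Finding for a comsvcs MiniDump invocation, or None if benign."""
    cmd = event["cmdline"]
    reasons = []
    if BY_NAME_RE.search(cmd):
        reasons.append("comsvcs.dll MiniDump export called by name")
    elif BY_ORDINAL_RE.search(cmd):
        reasons.append("comsvcs.dll export #24 (MiniDump) called by ordinal")
    else:
        return None

    severity = "medium"
    m = ARGS_RE.search(cmd)
    if m:
        target = int(m.group("pid"))
        image = inventory.get(target, "")
        if image.lower().endswith(r"\lsass.exe"):
            severity = "high"
            reasons.append(f"target PID {target} is lsass.exe")
        else:
            reasons.append(f"target PID {target} is {image or 'unknown'}")
        reasons.append(f"dump written to {m.group('out')}")
    # The host binary name is not a reliable anchor: rundll32.exe can be copied.
    if not event["image"].lower().endswith(r"\rundll32.exe"):
        reasons.append("host binary is not rundll32.exe (renamed copy?)")
    return Finding(event["pid"], severity, reasons)


def detect(events, inventory=PROCESS_INVENTORY):
    """Run analyze() over a batch of events and keep only the hits."""
    return [f for f in (analyze(e, inventory) for e in events) if f is not None]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f.severity.upper(), f.pid, "; ".join(f.reasons))
```

Run as a script it prints one line per hit: events 1 to 3 come out high because the PID argument resolves to lsass.exe, event 5 comes out medium because the target is svchost.exe, and the benign shell32 call in event 4 produces nothing. Keying the match on the DLL and export rather than on the rundll32.exe file name is what lets the renamed copy in event 3 still fire.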

Continuous Updates for Evolving Threats

In the cat and mouse game of cybersecurity, attackers are constantly devising new techniques. To understand and mitigate these evolving threats, Adlumin is constantly updating the detection logic in its platform. This involves incorporating feedback from real-world incidents as well as proactively gathering threat intelligence from our security analysts working across thousands of clients' environments every day.

Understanding and mitigating such advanced techniques is crucial for enhancing defensive strategies against sophisticated cyber threats. Adlumin’s platform empowers organizations to defend against these types of credential harvesting attacks by closing security gaps and eliminating vulnerabilities. With advanced threat detection and real-time monitoring powered by data science, Adlumin ensures that organizations stay one step ahead of evolving cyber threats, safeguarding their credentials and critical systems.

See how our platform helps your team find and address threats by arranging a demo or trying out our platform for free.