Post-Image

The curious case of Realtek and LSASS

Introduction

I was working on building some new hunts in Microsoft Defender ATP (MDATP). After spending a whole day writing KQL, I was almost done with it. I spent the day building new hunts to detect malicious code executions and wanted to fine-tune the last rule of the day to get rid of the false positives as much as possible. This rule was meant to detect malicious DLL injections (will publish the rule once it’s ready to share). I was going through the ‘*ApiCall’ actions in ‘DeviceEvents’ when I noticed that RtkAuduservice64.exe was calling ‘OpenProcess’ and ‘ReadProcessMemory’ on lsass.exe. To top it off, it’s doing OpenProcess with ‘PROCESS_ALL_ACCESS’. A quick Google revealed that this process is the “Realtek HD Audio Universal Service” and this is confirmed by the description in the file and the signature on the binary.

Wait…why is a sound driver service thingy reading LSASS 135 times in 7 days??

TL;DR for general readers: RtkAuduservice64.exe might trigger your AV or EDR because of some weird quirks in the implementation of this process. It’s most likely a false positive. Don’t freak out immediately.

TL;DR for blue teams: RtkAuduservice64.exe is reading lsass.exe memory “by accident”. This makes it the ideal hiding spot for an attacker to dump creds from memory and blend in. 😱

TL;DR for red teams: RtkAuduservice64.exe is reading lsass.exe memory “by accident”. Inject yourself into this process, dump memory and you won’t stand out for reading lsass memory. 😈

Cross post from medium.com, please read the full article here:

https://medium.com/falconforce/the-curious-case-of-realtek-and-lsass-33fc0c8482ff