Process Dump Support in Comae Stardust



We now support minidumps!

We just rolled out a new feature in Comae Stardust to enable support for process memory dumps (aka minidumps). This means that in addition to full system memory dumps generated by DumpIt, we also now support minidumps.

Process View from Comae Stardust.

Detailed memory tab of a minidump process from Comae Stardust.

Last month, Microsoft ATP acknowledged memory-based attacks as a real threat by rolling out limited support for memory forensics by allowing their customers to dump the memory of a suspicious process through their endpoint.

Traditionally, memory forensics always implied a full system acquisition in order to also be able to search for kernel-land threats and not only user-land threats.

Obviously, process memory acquisition isn’t a new feature and has been present for a long time in Process Explorer and even in Windows Task Manager itself.

Last year, in our “Rethinking logging for critical assets” blog post, we also discussed enabling memory acquisition and analysis as part of an orchestration scenario driven by alerts returned by a given endpoint. Always glad to see that Microsoft listens to the community and to see those ideas implemented in production at scale!

Microsoft isn’t the only vendor to take memory-based attacks seriously. Earlier this year Intel also announced a hardware-based feature called Accelerated Memory Scanning as part of its Threat Detection Technology suite, as described in this official Intel video.

Standalone

Process dump analysis can be useful in several scenarios, including security assessment and troubleshooting. As I said above, you can generate a process memory dump with no endpoint dependency, using standalone utilities such as Task Manager, Sysinternals Process Explorer and ProcDump. Those are great in incident response scenarios and when you need to troubleshoot a particular issue, which is how most users of our utility suite use them.

If you need a dump of a specific process from a virtual or physical machine that you manage, you can simply use Task Manager: this feature has been natively supported by TaskMgr since Windows Vista.

Create a process dump natively via TaskMgr.
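The dumps produced by Task Manager, Process Explorer and ProcDump all use the minidump container format (the `MDMP` header, a stream directory, and streams such as the memory list). The parser below is an added example, not code from Comae Stardust or from the original post: it reads the minidump header and stream directory, walks a `MemoryListStream`, and bounds-checks every RVA before touching it, which matters when the dump under analysis comes from an untrusted or corrupted source. The sample dump it builds is constructed inline for illustration; the structure layouts and stream type numbers follow the public `minidumpapiset.h` definitions.

```python
import struct
from dataclasses import dataclass

MINIDUMP_SIGNATURE = 0x504D444D   # "MDMP" read as a little-endian ULONG32
MINIDUMP_VERSION = 42899          # low 16 bits of MINIDUMP_HEADER.Version

# Subset of MINIDUMP_STREAM_TYPE values from minidumpapiset.h
STREAM_TYPES = {
    3: "ThreadListStream",
    4: "ModuleListStream",
    5: "MemoryListStream",
    6: "ExceptionStream",
    7: "SystemInfoStream",
    9: "Memory64ListStream",
}

HEADER_FMT = "<IIIIIIQ"      # Signature, Version, NumberOfStreams, StreamDirectoryRva,
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # CheckSum, TimeDateStamp, Flags (32 bytes)
DIR_FMT = "<III"             # MINIDUMP_DIRECTORY: StreamType, Location.DataSize, Location.Rva
DIR_SIZE = struct.calcsize(DIR_FMT)
MEMDESC_FMT = "<QII"         # MINIDUMP_MEMORY_DESCRIPTOR: StartOfMemoryRange, DataSize, Rva
MEMDESC_SIZE = struct.calcsize(MEMDESC_FMT)


class MinidumpError(ValueError):
    """Raised when the file is not a minidump or a structure points outside it."""


@dataclass
class Stream:
    stream_type: int
    data_size: int
    rva: int

    @property
    def name(self) -> str:
        return STREAM_TYPES.get(self.stream_type, f"Unknown({self.stream_type})")


@dataclass
class MemoryRange:
    start: int   # virtual address in the dumped process
    size: int
    rva: int     # file offset of the captured bytes


def _slice(buf: bytes, off: int, size: int, what: str) -> bytes:
    """Return buf[off:off+size], refusing offsets or sizes that run past the file."""
    if off < 0 or size < 0 or off + size > len(buf):
        raise MinidumpError(f"{what}: offset {off:#x} size {size:#x} exceeds file length {len(buf):#x}")
    return buf[off:off + size]


def parse_streams(buf: bytes) -> list:
    """Validate the header and return the stream directory entries."""
    sig, version, nstreams, dir_rva, _csum, _ts, _flags = struct.unpack(
        HEADER_FMT, _slice(buf, 0, HEADER_SIZE, "header"))
    if sig != MINIDUMP_SIGNATURE:
        raise MinidumpError(f"bad signature {sig:#x}, expected MDMP")
    if (version & 0xFFFF) != MINIDUMP_VERSION:
        raise MinidumpError(f"unexpected minidump version {version & 0xFFFF}")
    directory = _slice(buf, dir_rva, nstreams * DIR_SIZE, "stream directory")
    streams = []
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIR_FMT, directory, i * DIR_SIZE)
        _slice(buf, rva, size, f"stream {i}")   # reject directory entries that point outside the file
        streams.append(Stream(stype, size, rva))
    return streams


def parse_memory_list(buf: bytes, stream: Stream) -> list:
    """Decode a MemoryListStream into the memory ranges it describes."""
    data = _slice(buf, stream.rva, stream.data_size, "MemoryListStream")
    if len(data) < 4:
        raise MinidumpError("MemoryListStream shorter than its count field")
    (count,) = struct.unpack_from("<I", data, 0)
    if 4 + count * MEMDESC_SIZE > len(data):
        raise MinidumpError(f"MemoryListStream claims {count} ranges but is {len(data)} bytes")
    ranges = []
    for i in range(count):
        start, size, rva = struct.unpack_from(MEMDESC_FMT, data, 4 + i * MEMDESC_SIZE)
        _slice(buf, rva, size, f"memory range {i}")
        ranges.append(MemoryRange(start, size, rva))
    return ranges


def read_range(buf: bytes, r: MemoryRange) -> bytes:
    """Return the captured bytes of a memory range (already bounds-checked by parse_memory_list)."""
    return buf[r.rva:r.rva + r.size]


def build_sample_minidump() -> bytes:
    """Constructed sample: a minimal dump with one MemoryListStream holding one 16-byte range."""
    payload = b"MZ" + b"\x90" * 14                      # constructed image-header-like bytes
    dir_rva = HEADER_SIZE
    memlist_rva = dir_rva + DIR_SIZE
    payload_rva = memlist_rva + 4 + MEMDESC_SIZE
    header = struct.pack(HEADER_FMT, MINIDUMP_SIGNATURE, MINIDUMP_VERSION, 1, dir_rva, 0, 0, 0)
    directory = struct.pack(DIR_FMT, 5, 4 + MEMDESC_SIZE, memlist_rva)
    memlist = struct.pack("<I", 1) + struct.pack(MEMDESC_FMT, 0x7FF600001000, len(payload), payload_rva)
    return header + directory + memlist + payload


if __name__ == "__main__":
    dump = build_sample_minidump()
    for s in parse_streams(dump):
        print(f"{s.name:20} size={s.data_size:#x} rva={s.rva:#x}")
        if s.name == "MemoryListStream":
            for r in parse_memory_list(dump, s):
                print(f"  range {r.start:#x} ({r.size} bytes): {read_range(dump, r)[:4]!r}")
```

To use it on a real dump, replace `build_sample_minidump()` with the contents of a `.dmp` file written by Task Manager or ProcDump; 64-bit full dumps usually carry their memory in a `Memory64ListStream` instead, whose descriptors omit the per-range RVA, so that stream needs its own decoder.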

Serverless

There is also an additional scenario which is becoming increasingly interesting in the cloud: Azure App Services. Azure provides a feature called “Process Explorer” as part of the SCM/Kudu console for Azure App Services, which generates process memory dumps on demand.

This is accessible directly from https://.scm.azurewebsites.net/ProcessExplorer

Generate a full process dump from the Kudu console in Azure App Service.

If you are an Azure customer who frequently has to investigate Azure App Services process dumps, do not hesitate to reach out to azure@comae.com — we would love to hear more about the troubleshooting scenarios you frequently face, so we can help you automate them.