Potential Credential Access via Renamed COM+ Services DLL
Identifies a suspicious image load of a renamed COMSVCS.DLL, which exports the MiniDump function that can be used to dump a process's memory. This may indicate an attempt to dump LSASS memory while bypassing command-line-based detection in preparation for credential access.
Elastic rule
[metadata]
creation_date = "2021/10/17"
integration = ["windows"]
maturity = "production"
updated_date = "2026/04/27"

[rule]
author = ["Elastic"]
description = """
Identifies a suspicious image load of a renamed COMSVCS.DLL, which exports the MiniDump function that can be used to
dump a process's memory. This may indicate an attempt to dump LSASS memory while bypassing command-line-based detection
in preparation for credential access.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Credential Access via Renamed COM+ Services DLL"
references = ["https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/"]
risk_score = 73
rule_id = "c5c9f591-d111-4cf8-baec-c26a39bc31ef"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Defense Evasion",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by process.entity_id with maxspan=1m
  [process where host.os.type == "windows" and event.type == "start" and process.name : "rundll32.exe"]
  [process where host.os.type == "windows" and event.code == "7" and
   (file.pe.original_file_name : "COMSVCS.DLL" or file.pe.imphash : "EADBCCBB324829ACB5F2BBE87E5549A8") and
   /* renamed COMSVCS */
   not file.name : "COMSVCS.DLL"]
'''

note = """## Triage and analysis

### Investigating Potential Credential Access via Renamed COM+ Services DLL

#### Possible investigation steps

- What did the sequence source events prove about the loader and the renamed COMSVCS image?
  - Why: Timeline source events are required for grouped meaning; a renamed COMSVCS can bypass command-line-only checks, so image-load PE identity matters.
  - Focus: recover the source events, confirm the shared `process.entity_id`, and review the rundll32.exe start plus the image-load `file.path`, `file.name`, `file.pe.original_file_name`, and `file.pe.imphash`.
  - Implication: escalate when the same rundll32.exe instance loaded a renamed image whose original name or imphash maps to COMSVCS; lower suspicion only when the source events and renamed path fit an authorized lab or debugging reproduction on the same `host.id` and `user.id`.

- Do the rundll32 command line and launch context show MiniDump intent?
  - Focus: the recovered process-start `process.command_line`, `process.parent.executable`, `process.parent.command_line`, and `user.id`.
  - Implication: escalate when the command line invokes MiniDump or MiniDumpW with a target PID, dump path, and the full option, or the parent is an unexpected script, shell, archive, or remote tool; lower suspicion only when parent, user, and host match the authorized test context.

- Was the renamed COMSVCS DLL staged or renamed immediately before rundll32 loaded it?
  - Focus: the loaded `file.path`, endpoint file telemetry on `host.id` and the recovered `process.entity_id`, plus `process.executable`, `file.Ext.original.path`, and `file.Ext.original.name`. $investigate_0
  - Hint: missing file-create or rename telemetry leaves provenance unresolved, not benign; bound findings to observed timing and lineage.
  - Implication: escalate when a different suspicious process copied or renamed COMSVCS into a user-writable, temporary, or deceptive path shortly before the load; lower suspicion only when a lab or debugging tool created the same controlled artifact in an expected test path.

- Did the same process produce dump artifacts or credential-staging evidence?
  - Focus: child-process events where `process.parent.entity_id` matches the alerting `process.entity_id`, the child `process.command_line`, and, when available, endpoint file telemetry for `file.path`, `file.extension`, and `file.size` of dump, archive, or staging output. $investigate_1
  - Implication: escalate when the process or its descendants write dump-like files, archives, or credential-access artifacts after MiniDump parameters; keep unresolved when telemetry is missing, and lower suspicion only when output stays confined to the authorized test target and path.

- If local evidence is suspicious or incomplete, do related alerts expand the scope?
  - Focus: recent alerts for `user.id`. $investigate_2
  - Hint: compare with recent alerts for `host.id` to distinguish user-linked activity from host-local spread. $investigate_3
  - Implication: expand response scope when the same user or host has related dumping, defense-evasion, or intrusion alerts; keep scope local only when related alerts are absent and the recovered loader evidence is fully resolved.

- Escalate when source-event identity, MiniDump intent, parent lineage, provenance, artifacts, or related alerts support abuse; close only when recovered source events, available file evidence, and outside confirmation bind one exact authorized lab or debugging workflow; preserve and escalate when evidence is mixed or incomplete.

### False positive analysis

- Renaming COMSVCS for rundll32.exe loading is an operational anti-pattern. Close as benign only for authorized malware research, internal detonation, or debugging reproduction where source events, launcher parent, `user.id`, `host.id`, recovered renamed-DLL identity, and any dump output all align with the same test case. Without lab records, recurrence of the same loader chain, controlled artifact identity, host or user scope, and bounded follow-on pattern can support a candidate exception, but not closure. Do not close if any anchor diverges.
- Build exceptions only from the minimum confirmed workflow: parent process, controlled renamed-DLL artifact identity, `host.id`, `user.id`, and bounded output path. Avoid exceptions on rundll32.exe, COMSVCS identity, or the imphash alone because those values also describe the abuse technique.

### Response and remediation

- If confirmed benign, reverse any temporary containment and document the parent process, controlled renamed-DLL artifact identity, output path, `host.id`, and `user.id` that proved the authorized test. Keep exceptions narrow and require recurrence of the same workflow.
- If suspicious but unconfirmed, preserve the Timeline source events, recovered process identifiers, command line, parent context, renamed-DLL artifact details, staging evidence, and any dump or archive artifacts before containment. Apply reversible containment such as host isolation with criticality review or heightened monitoring on the affected `host.id`; avoid process termination or file deletion until evidence is preserved.
- If confirmed malicious, isolate the affected `host.id` after preserving source events, process context, the renamed DLL, dump artifacts, and related-alert evidence. If direct response is unavailable, escalate with the preserved evidence set to the team that can act.
- Eradicate only the renamed DLL, dump files, archives, and staged artifacts identified during the investigation, then search the same host and related-alert scope for additional credential-dumping components. Reset or rotate credentials when dump artifacts, LSASS targeting, or privileged-host context indicate likely exposure.
- Post-incident hardening: restrict COMSVCS dump testing to controlled lab hosts, retain Sysmon image-load and file-create telemetry where its absence limited the case, and document the confirmed workflow or malicious artifact set for future triage.
"""

setup = """## Setup

This rule requires Sysmon telemetry to be enabled and ingested.

Setup instructions: https://ela.st/sysmon-event-7-setup
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.name",
    "host.id",
    "user.name",
    "user.id",
    "process.entity_id",
    "process.pid",
    "process.executable",
    "process.command_line",
    "process.parent.executable",
    "process.parent.command_line",
    "file.path",
    "file.name",
    "file.pe.original_file_name",
    "file.pe.imphash",
]

[transform]

[[transform.investigate]]
label = "File activity for the alerting process and children"
description = ""
providers = [
    [
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
        { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
    ],
    [
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
        { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
    ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Child processes of the alerting process"
description = ""
providers = [
    [
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
        { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }
    ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
    [
        { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
        { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
    ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
    [
        { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
    ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"

[[rule.threat.technique.subtechnique]]
id = "T1003.001"
name = "LSASS Memory"
reference = "https://attack.mitre.org/techniques/T1003/001/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"

[[rule.threat.technique.subtechnique]]
id = "T1036.003"
name = "Rename Legitimate Utilities"
reference = "https://attack.mitre.org/techniques/T1036/003/"

[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[[rule.threat.technique.subtechnique]]
id = "T1218.011"
name = "Rundll32"
reference = "https://attack.mitre.org/techniques/T1218/011/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
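As an added example (not Elastic's code or part of the rule), the Python below re-implements the rule's EQL sequence over constructed Sysmon-style events, so the join on `process.entity_id`, the one-minute window, and the PE-identity-versus-file-name check can be seen working; field names follow ECS as in the rule, and the sample events and their file names are constructed.

```python
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=1)          # the rule's `maxspan=1m`
COMSVCS_ORIGINAL_NAME = "COMSVCS.DLL"   # PE original file name from the rule
COMSVCS_IMPHASH = "EADBCCBB324829ACB5F2BBE87E5549A8"  # imphash from the rule


def is_rundll32_start(ev):
    """First sequence step: a rundll32.exe process start on Windows."""
    return (ev.get("host.os.type") == "windows"
            and ev.get("event.type") == "start"
            and ev.get("process.name", "").lower() == "rundll32.exe")


def is_renamed_comsvcs_load(ev):
    """Second step: Sysmon Event ID 7 (image load) whose PE metadata says COMSVCS
    but whose on-disk name does not. Case-insensitive, like EQL's `:` operator."""
    if ev.get("host.os.type") != "windows" or ev.get("event.code") != "7":
        return False
    pe_is_comsvcs = (ev.get("file.pe.original_file_name", "").upper() == COMSVCS_ORIGINAL_NAME
                     or ev.get("file.pe.imphash", "").upper() == COMSVCS_IMPHASH)
    return pe_is_comsvcs and ev.get("file.name", "").upper() != COMSVCS_ORIGINAL_NAME


def find_renamed_comsvcs_loads(events):
    """Emulate `sequence by process.entity_id with maxspan=1m`: both steps must
    share process.entity_id, occur in order, and fall within one minute.
    Returns (start_event, load_event) pairs."""
    pending = {}  # process.entity_id -> latest qualifying rundll32 start
    hits = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        eid = ev["process.entity_id"]
        if is_rundll32_start(ev):
            pending[eid] = ev
        elif is_renamed_comsvcs_load(ev) and eid in pending:
            start = pending.pop(eid)  # a sequence match consumes its start event
            if ev["@timestamp"] - start["@timestamp"] <= MAXSPAN:
                hits.append((start, ev))
    return hits


# Constructed sample telemetry (not real events): one renamed load inside the
# window, one load under the real name, one renamed load outside the window.
T0 = datetime(2024, 1, 1, 12, 0, 0)
def _start(eid, t):
    return {"@timestamp": t, "process.entity_id": eid, "host.os.type": "windows",
            "event.type": "start", "process.name": "rundll32.exe"}
def _load(eid, t, name):
    return {"@timestamp": t, "process.entity_id": eid, "host.os.type": "windows",
            "event.code": "7", "file.name": name,
            "file.pe.original_file_name": "COMSVCS.DLL", "file.pe.imphash": ""}
SAMPLE_EVENTS = [
    _start("h1-4242", T0), _load("h1-4242", T0 + timedelta(seconds=5), "helper.dll"),
    _start("h1-5000", T0), _load("h1-5000", T0 + timedelta(seconds=2), "comsvcs.dll"),
    _start("h1-6000", T0), _load("h1-6000", T0 + timedelta(minutes=3), "helper.dll"),
]
```

Only the first process pair fires: the second loads COMSVCS under its real name, and the third loads a renamed copy more than a minute after the rundll32.exe start.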
Related rules
- Modification of AmsiEnable Registry Key
- Potential Credential Access via LSASS Memory Dump
- Potential LSASS Memory Dump via PssCaptureSnapShot
- Suspicious Antimalware Scan Interface DLL
- Wireless Credential Dumping using Netsh Command