Suspicious Renamed Comsvcs DLL Loaded By Rundll32

calendar Aug 12, 2024 · attack.credential-access attack.defense-evasion attack.t1003.001  ·
Share on: linkedin copy

Detects rundll32 loading a renamed comsvcs.dll to dump process memory

Sigma rule (View on GitHub)

 1title: Suspicious Renamed Comsvcs DLL Loaded By Rundll32
 2id: 8cde342c-ba48-4b74-b615-172c330f2e93
 3status: test
 4description: Detects rundll32 loading a renamed comsvcs.dll to dump process memory
 5references:
 6    - https://twitter.com/sbousseaden/status/1555200155351228419
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022-08-14
 9modified: 2023-02-17
10tags:
11    - attack.credential-access
12    - attack.defense-evasion
13    - attack.t1003.001
14logsource:
15    product: windows
16    category: image_load
17detection:
18    selection:
19        Image|endswith: '\rundll32.exe'
20        Hashes|contains:
21            # Add more hashes for other windows versions
22            - IMPHASH=eed93054cb555f3de70eaa9787f32ebb # Windows 11 21H2 x64
23            - IMPHASH=5e0dbdec1fce52daae251a110b4f309d # Windows 10 1607
24            - IMPHASH=eadbccbb324829acb5f2bbe87e5549a8 # Windows 10 1809
25            - IMPHASH=407ca0f7b523319d758a40d7c0193699 # Windows 10 2004 x64
26            - IMPHASH=281d618f4e6271e527e6386ea6f748de # Windows 10 2004 x86
27    filter:
28        ImageLoaded|endswith: '\comsvcs.dll'
29    condition: selection and not filter
30falsepositives:
31    - Unlikely
32level: high

References

Related rules

to-top