Suspicious Renamed Comsvcs DLL Loaded By Rundll32

Detects rundll32 loading a renamed comsvcs.dll to dump process memory

Sigma rule

title: Suspicious Renamed Comsvcs DLL Loaded By Rundll32
id: 8cde342c-ba48-4b74-b615-172c330f2e93
status: test
description: Detects rundll32 loading a renamed comsvcs.dll to dump process memory
references:
    - https://twitter.com/sbousseaden/status/1555200155351228419
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
modified: 2023-02-17
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        Hashes|contains:
            # Add more hashes for other Windows versions
            - IMPHASH=eed93054cb555f3de70eaa9787f32ebb # Windows 11 21H2 x64
            - IMPHASH=5e0dbdec1fce52daae251a110b4f309d # Windows 10 1607
            - IMPHASH=eadbccbb324829acb5f2bbe87e5549a8 # Windows 10 1809
            - IMPHASH=407ca0f7b523319d758a40d7c0193699 # Windows 10 2004 x64
            - IMPHASH=281d618f4e6271e527e6386ea6f748de # Windows 10 2004 x86
    filter:
        ImageLoaded|endswith: '\comsvcs.dll'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
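To make the rule's logic concrete, here is an added example (not part of the Sigma repository) that applies the selection, filter and condition above to constructed Sysmon image_load records. Field names follow Sysmon Event ID 7; the sample file paths and the non-IMPHASH hash values are placeholders, and the third record shows a load the rule deliberately does not cover.

```python
# Added example (not from the rule page): runs this rule's selection/filter/
# condition over constructed Sysmon Event ID 7 (image_load) records. Sigma's
# endswith/contains modifiers are case-insensitive by default, hence .lower().

# IMPHASH values copied from the rule above.
COMSVCS_IMPHASHES = (
    "eed93054cb555f3de70eaa9787f32ebb",  # Windows 11 21H2 x64
    "5e0dbdec1fce52daae251a110b4f309d",  # Windows 10 1607
    "eadbccbb324829acb5f2bbe87e5549a8",  # Windows 10 1809
    "407ca0f7b523319d758a40d7c0193699",  # Windows 10 2004 x64
    "281d618f4e6271e527e6386ea6f748de",  # Windows 10 2004 x86
)

def matches_rule(event: dict) -> bool:
    """True when an image_load event satisfies 'selection and not filter'."""
    image = event.get("Image", "").lower()
    image_loaded = event.get("ImageLoaded", "").lower()
    hashes = event.get("Hashes", "").lower()
    selection = image.endswith("\\rundll32.exe") and any(
        f"imphash={h}" in hashes for h in COMSVCS_IMPHASHES
    )
    # A renamed copy keeps the import hash but loses the '\comsvcs.dll' suffix,
    # so the filter suppresses only loads of the DLL under its real name.
    filter_ = image_loaded.endswith("\\comsvcs.dll")
    return selection and not filter_

# Constructed sample events in Sysmon field naming (placeholder hashes, not real telemetry).
SAMPLE_EVENTS = [
    {   # genuine comsvcs.dll under its real name: suppressed by the filter
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ImageLoaded": r"C:\Windows\System32\comsvcs.dll",
        "Hashes": "SHA256=<placeholder>,IMPHASH=EED93054CB555F3DE70EAA9787F32EBB",
    },
    {   # same import hash under another file name: this is what the rule targets
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ImageLoaded": r"C:\Users\Public\svc.dll",
        "Hashes": "SHA256=<placeholder>,IMPHASH=eed93054cb555f3de70eaa9787f32ebb",
    },
    {   # renamed DLL loaded by a process other than rundll32: outside this rule's scope
        "Image": r"C:\Windows\System32\svchost.exe",
        "ImageLoaded": r"C:\Users\Public\svc.dll",
        "Hashes": "SHA256=<placeholder>,IMPHASH=407ca0f7b523319d758a40d7c0193699",
    },
]

def alerts(events=SAMPLE_EVENTS) -> list:
    """Return the ImageLoaded paths of events that trigger the rule."""
    return [e["ImageLoaded"] for e in events if matches_rule(e)]
```

Because the selection is keyed on `Image`, a renamed comsvcs.dll loaded by a host other than rundll32.exe passes silently, which is a gap worth covering with a separate rule in your own environment.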
