Process Memory Dump Via Comsvcs.DLL

 1title: Process Memory Dump Via Comsvcs.DLL
 2id: 646ea171-dded-4578-8a4d-65e9822892e3
 3related:
 4    - id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c
 5      type: obsoletes
 6status: test
 7description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
 8references:
 9    - https://twitter.com/shantanukhande/status/1229348874298388484
10    - https://twitter.com/pythonresponder/status/1385064506049630211?s=21
11    - https://twitter.com/Hexacorn/status/1224848930795552769
12    - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
13    - https://twitter.com/SBousseaden/status/1167417096374050817
14    - https://twitter.com/Wietze/status/1542107456507203586
15    - https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py
16author: Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)
17date: 2020/02/18
18modified: 2023/05/16
19tags:
20    - attack.defense_evasion
21    - attack.credential_access
22    - attack.t1036
23    - attack.t1003.001
24    - car.2013-05-009
25logsource:
26    category: process_creation
27    product: windows
28detection:
29    selection_img:
30        - Image|endswith: '\rundll32.exe'
31        - OriginalFileName: 'RUNDLL32.EXE'
32        - CommandLine|contains: 'rundll32'
33    selection_cli_1:
34        CommandLine|contains|all:
35            - 'comsvcs'
36            - 'full'
37        CommandLine|contains:
38            - '#-'
39            - '#+'
40            - '#24'
41            - '24 '
42            - 'MiniDump' # Matches MiniDump and MinidumpW
43    selection_generic:
44        CommandLine|contains|all:
45            - '24'
46            - 'comsvcs'
47            - 'full'
48        CommandLine|contains:
49            - ' #'
50            - ',#'
51            - ', #'
52    condition: (selection_img and 1 of selection_cli_*) or selection_generic
53falsepositives:
54    - Unlikely
55level: high

References

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• MiniDumpWriteDump via COM+ Services DLL

  

  Introduction This will be a very quick code-oriented post about a DLL function exported by comsvcs.dll that I was unable to find any reference to online. UPDATE: Memory Dump Analysis Anthology Volu…

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• lsassy/lsassy/dumpmethod/comsvcs.py at 14d8f8ae596ecf22b449bfe919829173b8a07635 · Hackndo/lsassy

  

  Extract credentials from lsass remotely. Contribute to Hackndo/lsassy development by creating an account on GitHub.

  
  Read More

Related rules

• HackTool - XORDump Execution
• CreateDump Process Dump
• Process Access via TrolleyExpress Exclusion
• Time Travel Debugging Utility Usage - Image
• Potential SysInternals ProcDump Evasion