Process Memory Dump Via Comsvcs.DLL
Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
Sigma rule
title: Process Memory Dump Via Comsvcs.DLL
id: 646ea171-dded-4578-8a4d-65e9822892e3
related:
    - id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c
      type: obsolete
status: test
description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
references:
    - https://twitter.com/shantanukhande/status/1229348874298388484
    - https://twitter.com/pythonresponder/status/1385064506049630211?s=21
    - https://twitter.com/Hexacorn/status/1224848930795552769
    - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
    - https://twitter.com/SBousseaden/status/1167417096374050817
    - https://twitter.com/Wietze/status/1542107456507203586
    - https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py
    - https://www.youtube.com/watch?v=52tAmVLg1KM&t=2070s
author: Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2020-02-18
modified: 2025-02-23
tags:
    - attack.defense-evasion
    - attack.credential-access
    - attack.t1036
    - attack.t1003.001
    - car.2013-05-009
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
        - CommandLine|contains: 'rundll32'
    selection_cli_1:
        CommandLine|contains|all:
            - 'comsvcs'
            - 'full'
        CommandLine|contains:
            - '#-'
            - '#+'
            - '#24'
            - '24 '
            - 'MiniDump' # Matches MiniDump and MiniDumpW
            - '#65560' # The ordinal is 16-bit, so a number that does not fit in 16 bits wraps around; e.g. ordinal 24 can also be written as 65560 (65536+24)
    selection_generic:
        CommandLine|contains|all:
            - '24'
            - 'comsvcs'
            - 'full'
        CommandLine|contains:
            - ' #'
            - ',#'
            - ', #'
            - '"#'
    condition: (selection_img and 1 of selection_cli_*) or selection_generic
falsepositives:
    - Unlikely
level: high
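To make the three selections and their OR/AND semantics concrete, here is an added example (not the SigmaHQ rule's own code, and not the query any Sigma backend would compile) that re-implements the condition in Python and runs it over constructed process-creation events. Field names follow the Sigma process_creation taxonomy (Image, OriginalFileName, CommandLine); the `<PID>` and output path inside the sample command lines are placeholders, and the `ordinal_as_16bit` helper only illustrates why `'#65560'` sits next to `'#24'` in the rule.

```python
"""Added example: re-implementation of the rule's string matching, exercised
against constructed process-creation events. Not the SigmaHQ rule itself."""

from typing import Dict, List

Event = Dict[str, str]

# Sigma 'contains' is case-insensitive by default; these are the rule's literals.
CLI_1_ALL = ("comsvcs", "full")
CLI_1_ANY = ("#-", "#+", "#24", "24 ", "MiniDump", "#65560")
GENERIC_ALL = ("24", "comsvcs", "full")
GENERIC_ANY = (" #", ",#", ", #", '"#')


def _contains(haystack: str, needle: str) -> bool:
    return needle.lower() in haystack.lower()


def selection_img(event: Event) -> bool:
    """A list of maps under a selection is OR'ed: any one indicator suffices."""
    return (
        event.get("Image", "").lower().endswith("\\rundll32.exe")
        or event.get("OriginalFileName", "").lower() == "rundll32.exe"
        or _contains(event.get("CommandLine", ""), "rundll32")
    )


def selection_cli_1(event: Event) -> bool:
    """contains|all of CLI_1_ALL, AND contains any one of CLI_1_ANY."""
    cli = event.get("CommandLine", "")
    return all(_contains(cli, s) for s in CLI_1_ALL) and any(
        _contains(cli, s) for s in CLI_1_ANY
    )


def selection_generic(event: Event) -> bool:
    """Fallback for a renamed copy whose image path and PE name give nothing away."""
    cli = event.get("CommandLine", "")
    return all(_contains(cli, s) for s in GENERIC_ALL) and any(
        _contains(cli, s) for s in GENERIC_ANY
    )


def matches(event: Event) -> bool:
    """condition: (selection_img and 1 of selection_cli_*) or selection_generic"""
    return (selection_img(event) and selection_cli_1(event)) or selection_generic(event)


def ordinal_as_16bit(n: int) -> int:
    """Export ordinals are 16-bit, so an oversized '#ordinal' wraps around;
    65560 (65536 + 24) therefore names the same export as 24."""
    return n & 0xFFFF


def scan(events: List[Event]) -> List[int]:
    """Return the indices of the events that would fire the rule."""
    return [i for i, ev in enumerate(events) if matches(ev)]


# Constructed sample telemetry (placeholders, not real events).
SAMPLE_EVENTS: List[Event] = [
    {   # stock rundll32, export called by name -> selection_img + selection_cli_1
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\Users\Public\o.dmp full",
    },
    {   # renamed copy with wrapped ordinal -> OriginalFileName still gives it away
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"svc.exe comsvcs.dll, #65560 <PID> C:\Users\Public\o.dmp full",
    },
    {   # image path and PE name both changed -> only selection_generic remains
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "svc.exe",
        "CommandLine": r"svc.exe C:\Windows\System32\comsvcs.dll,#24 <PID> C:\Users\Public\o.dmp full",
    },
    {   # benign rundll32 use: none of the comsvcs/dump tokens
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
    },
]

if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        print(f"event {i} fires: {SAMPLE_EVENTS[i]['CommandLine']}")
```

The third sample is the reason `selection_generic` exists: once the binary is copied under another name and its PE header edited, neither `Image` nor `OriginalFileName` helps, and the rule falls back to the `24` + `comsvcs` + `full` token combination with one of the `#` separators.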
Related rules
- Potential LSASS Process Dump Via Procdump
- CreateDump Process Dump
- DumpMinitool Execution
- HackTool - XORDump Execution
- NotPetya Ransomware Activity