Detectionhightest

Process Memory Dump Via Comsvcs.DLL

Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)Created Tue Feb 18Updated Sun Feb 23646ea171-dded-4578-8a4d-65e9822892e3windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
        - CommandLine|contains: 'rundll32'
    selection_cli_1:
        CommandLine|contains|all:
            - 'comsvcs'
            - 'full'
        CommandLine|contains:
            - '#-'
            - '#+'
            - '#24'
            - '24 '
            - 'MiniDump' # Matches MiniDump and MinidumpW
            - '#65560' # ordinal is 16 bit ordinal, so if you make the number large enough (don't fit in 16 bit space), then it normally wraps around.  for e.g ordinal 24 can be also represented by 65560 (65536+24)
    selection_generic:
        CommandLine|contains|all:
            - '24'
            - 'comsvcs'
            - 'full'
        CommandLine|contains:
            - ' #'
            - ',#'
            - ', #'
            - '"#'
    condition: (selection_img and 1 of selection_cli_*) or selection_generic