Suspicious Renamed Comsvcs DLL Loaded By Rundll32

Detects rundll32 loading a renamed comsvcs.dll to dump process memory

Author: Nasreddine Bencherchali (Nextron Systems)
Created: Sun Aug 14
Updated: Fri Feb 17
Rule ID: 8cde342c-ba48-4b74-b615-172c330f2e93

Log Source
Product: Windows (raw: windows)
Category: Image Load (DLL) (raw: image_load)
Detection Logic (2 selectors)
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        Hashes|contains:
            # Add more hashes for other windows versions
            - IMPHASH=eed93054cb555f3de70eaa9787f32ebb # Windows 11 21H2 x64
            - IMPHASH=5e0dbdec1fce52daae251a110b4f309d # Windows 10 1607
            - IMPHASH=eadbccbb324829acb5f2bbe87e5549a8 # Windows 10 1809
            - IMPHASH=407ca0f7b523319d758a40d7c0193699 # Windows 10 2004 x64
            - IMPHASH=281d618f4e6271e527e6386ea6f748de # Windows 10 2004 x86
    filter:
        ImageLoaded|endswith: '\comsvcs.dll'
    condition: selection and not filter
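As an added example that is not part of the rule or of the SigmaHQ project, the following Python reproduces the rule's `selection and not filter` condition over constructed Sysmon Event ID 7 (image load) records, showing which load fires and why the genuine `comsvcs.dll` path, a non-matching IMPHASH and a non-rundll32 loader are each suppressed. Field names follow the Sysmon image_load schema the rule targets; the sample paths and the non-IMPHASH hash values are made up.

```python
# Added example, not part of the Sigma rule or SigmaHQ: evaluates this rule's
# logic over constructed Sysmon Event ID 7 (image load) records.
# IMPHASH values are taken from the rule. Sigma string matching is
# case-insensitive (Sysmon writes hashes in upper case), so all comparisons
# are done in lower case.
COMSVCS_IMPHASHES = {
    "eed93054cb555f3de70eaa9787f32ebb",  # Windows 11 21H2 x64
    "5e0dbdec1fce52daae251a110b4f309d",  # Windows 10 1607
    "eadbccbb324829acb5f2bbe87e5549a8",  # Windows 10 1809
    "407ca0f7b523319d758a40d7c0193699",  # Windows 10 2004 x64
    "281d618f4e6271e527e6386ea6f748de",  # Windows 10 2004 x86
}

def matches_rule(event: dict) -> bool:
    """Return True when 'selection and not filter' holds for one event."""
    image = event.get("Image", "").lower()
    hashes = event.get("Hashes", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    # selection: rundll32 is the loader and the loaded file carries a comsvcs IMPHASH
    selection = image.endswith("\\rundll32.exe") and any(
        f"imphash={h}" in hashes for h in COMSVCS_IMPHASHES
    )
    # filter: the legitimate file name is excluded, so only renamed copies remain
    is_genuine_name = loaded.endswith("\\comsvcs.dll")
    return selection and not is_genuine_name

def alerting_loads(events: list) -> list:
    """Return the ImageLoaded paths of all events that fire the rule."""
    return [e["ImageLoaded"] for e in events if matches_rule(e)]

# Constructed sample events (paths and SHA256 values are placeholders).
SAMPLE_EVENTS = [
    {   # renamed comsvcs.dll loaded by rundll32: fires
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "ImageLoaded": "C:\\Users\\Public\\svc.dll",
        "Hashes": "SHA256=AAAA,IMPHASH=407CA0F7B523319D758A40D7C0193699",
    },
    {   # genuine comsvcs.dll with the same IMPHASH: suppressed by the filter
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "ImageLoaded": "C:\\Windows\\System32\\comsvcs.dll",
        "Hashes": "SHA256=BBBB,IMPHASH=407CA0F7B523319D758A40D7C0193699",
    },
    {   # unrelated DLL in rundll32: IMPHASH does not match
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
        "Hashes": "SHA256=CCCC,IMPHASH=00000000000000000000000000000000",
    },
    {   # renamed copy loaded by another process: Image does not match
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "ImageLoaded": "C:\\Users\\Public\\svc.dll",
        "Hashes": "SHA256=DDDD,IMPHASH=407CA0F7B523319D758A40D7C0193699",
    },
]
```

Running `alerting_loads(SAMPLE_EVENTS)` returns only the renamed copy under `C:\Users\Public`, which is the one case the rule is meant to surface.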
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

Rule Metadata
Rule ID
8cde342c-ba48-4b74-b615-172c330f2e93
Status
test
Level
high
Type
Detection
Created
Sun Aug 14
Modified
Fri Feb 17
Path
rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml
Raw Tags
attack.credential-access, attack.defense-evasion, attack.t1003.001