Detectionhightest

Lsass Memory Dump via Comsvcs DLL

Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)Created Tue Oct 20Updated Wed Nov 29a49fa4d5-11db-418c-8473-1e014a8dd462windows

Log Source

WindowsProcess Access

ProductWindows← raw: windows

CategoryProcess Access← raw: process_access

Events when a process opens a handle to another process, commonly used for credential dumping via LSASS.

Detection Logic

detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        SourceImage|endswith: '\rundll32.exe'
        CallTrace|contains: 'comsvcs.dll'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0006 · Credential Access

Sub-techniques

T1003.001 · LSASS Memory

Rule Metadata

Rule ID

a49fa4d5-11db-418c-8473-1e014a8dd462

Status

test

Level

high

Type

Detection

Created

Tue Oct 20

Modified

Wed Nov 29

Author

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Path

rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml

Raw Tags

attack.credential-accessattack.t1003.001

View on GitHub