
Summary
This detection rule is designed to identify process memory dumps being taken via the `comsvcs.dll` library, specifically through the `rundll32.exe` executable. It covers several ways of invoking the dump, including calling the export by ordinal value and calling the `MiniDumpWriteDump` function by name. The rule focuses on the command line parameters passed to `rundll32.exe`, which indicate use of this technique for credential access and defense evasion. The detection combines specific image selection criteria with command line conditions to distinguish legitimate from potentially malicious uses of the `rundll32.exe` process in Windows environments.
Categories
- Windows
- Endpoint
Data Sources
- Process
- Logon Session
Created: 2020-02-18