
Summary
This rule detects potential credential access via suspicious instances of the rundll32.exe process loading a renamed COMSVCS.DLL image. COMSVCS.DLL is a Windows library that exports the MiniDump function used for process memory dumping, so this behavior often indicates an attempt to dump LSASS (Local Security Authority Subsystem Service) memory to obtain credential material while evading detection. The rule runs a sequence query: an execution of rundll32.exe followed by the loading of a COMSVCS.DLL image that has been renamed, which points to possible credential theft. False positives may occur during legitimate software development or troubleshooting when rundll32.exe loads this DLL in a non-malicious context. The accompanying investigation guide outlines steps to analyze the process execution chain and identify any unusual activity that might confirm malicious intent. A high risk score of 73 reflects the serious nature of this detection.
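As an added illustration, not the rule's own EQL query, the following Python sketch applies the sequence logic described above to constructed process-start and image-load events: a rundll32.exe start followed by a load, in the same process, of an image whose PE original file name is comsvcs.dll but whose on-disk name differs. The event field names and the use of the original file name to recognise a renamed COMSVCS.DLL are assumptions of this example.

```python
"""Added example (not the detection rule's own query): sequence matcher that
flags rundll32.exe loading a renamed COMSVCS.DLL. Event shape is constructed."""
from pathlib import PureWindowsPath

# Constructed sample telemetry. Field names (event, pid, process, dll,
# original_file_name) are assumptions for this illustration, not the rule's schema.
SAMPLE_EVENTS = [
    {"event": "start", "pid": 4120, "process": r"C:\Windows\System32\rundll32.exe"},
    {"event": "load", "pid": 4120, "dll": r"C:\Windows\System32\kernel32.dll",
     "original_file_name": "kernel32.dll"},
    {"event": "load", "pid": 4120, "dll": r"C:\Users\Public\updater.dll",
     "original_file_name": "comsvcs.dll"},            # renamed copy -> should alert
    {"event": "start", "pid": 5200, "process": r"C:\Windows\System32\rundll32.exe"},
    {"event": "load", "pid": 5200, "dll": r"C:\Windows\System32\comsvcs.dll",
     "original_file_name": "comsvcs.dll"},            # genuine name -> benign here
    {"event": "start", "pid": 6001, "process": r"C:\Windows\System32\notepad.exe"},
    {"event": "load", "pid": 6001, "dll": r"C:\tmp\renamed.dll",
     "original_file_name": "comsvcs.dll"},            # not rundll32 -> out of scope
]


def is_renamed_comsvcs(load_event):
    """True when PE metadata says comsvcs.dll but the file name on disk differs."""
    original = (load_event.get("original_file_name") or "").lower()
    on_disk = PureWindowsPath(load_event["dll"]).name.lower()
    return original == "comsvcs.dll" and on_disk != "comsvcs.dll"


def detect_rundll32_renamed_comsvcs(events):
    """Sequence: rundll32.exe start, then a renamed-comsvcs load by the same pid.
    Returns a list of (pid, dll_path) tuples, one per matching load."""
    rundll32_pids = set()
    hits = []
    for ev in events:
        if ev["event"] == "start":
            if PureWindowsPath(ev["process"]).name.lower() == "rundll32.exe":
                rundll32_pids.add(ev["pid"])
            else:
                rundll32_pids.discard(ev["pid"])  # pid reused by a different image
        elif ev["event"] == "load" and ev["pid"] in rundll32_pids:
            if is_renamed_comsvcs(ev):
                hits.append((ev["pid"], ev["dll"]))
    return hits


if __name__ == "__main__":
    for pid, dll in detect_rundll32_renamed_comsvcs(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: rundll32.exe loaded renamed COMSVCS.DLL at {dll}")
```

Only the load by pid 4120 matches; the genuine System32 copy and the load by a non-rundll32 process are left alone, which mirrors where the rule's false positives (legitimate use of the real DLL) would be triaged.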
Categories
- Windows
- Endpoint
Data Sources
- Process
- Windows Registry
ATT&CK Techniques
- T1003
- T1003.001
- T1218
- T1218.011
Created: 2021-10-17