
Summary
This detection rule identifies instances where rundll32.exe loads a renamed copy of comsvcs.dll. It keys on specific import hashes known to be associated with the comsvcs.dll copies adversaries abuse; because the import hash is computed from the DLL's import table rather than its file name, renaming the file does not change it. Attackers leverage comsvcs.dll to dump process memory, from which sensitive information such as credentials can be extracted or the system's integrity otherwise compromised. The rule triggers when the rundll32.exe process loads a DLL whose name ends with comsvcs.dll, but excludes legitimate loads, which are recognised by the exact path of the image loaded. Matching on the import hash filters out benign operations and surfaces the credential-access and defense-evasion tactics this technique supports. The rule is useful for threat detection in Windows environments, especially for monitoring abnormal DLL loading by critical system processes.
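The following is an added example of the detection logic described above, applied to Sysmon-style image-load records (Event ID 7 field names Image, ImageLoaded and Imphash); it is not the rule's own code. It generalises the summary slightly by keying on the import hash alone, so a comsvcs.dll copy is flagged whether it keeps its name or not, and excludes the assumed legitimate System32 and SysWOW64 paths by exact match. The import hash values and all sample events are constructed placeholders; substitute the hash values from the rule itself.

```python
# Added example (not the rule's own code): applies the detection logic
# described in the summary to Sysmon-style image-load events (Event ID 7).
from typing import Dict, Iterable, List

# PLACEHOLDER values: the real rule pins the known import hashes of comsvcs.dll.
# Substitute the hash values from the rule; these strings are constructed.
KNOWN_COMSVCS_IMPHASHES = {
    "PLACEHOLDER_COMSVCS_IMPHASH_A",
    "PLACEHOLDER_COMSVCS_IMPHASH_B",
}

# Assumed legitimate on-disk locations of comsvcs.dll; a load from exactly one
# of these paths is the benign case the rule excludes.
LEGITIMATE_COMSVCS_PATHS = {
    r"c:\windows\system32\comsvcs.dll",
    r"c:\windows\syswow64\comsvcs.dll",
}


def is_suspicious_comsvcs_load(event: Dict[str, str]) -> bool:
    """Return True when rundll32.exe loads a comsvcs.dll image (identified by
    import hash, so renaming does not help) from outside its legitimate path."""
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    imphash = event.get("Imphash", "").upper()

    # Only the rundll32.exe loader process is in scope for this rule.
    if not image.endswith("\\rundll32.exe"):
        return False
    # The import hash identifies comsvcs.dll regardless of the file name on disk.
    if imphash not in KNOWN_COMSVCS_IMPHASHES:
        return False
    # The legitimate, unrenamed system copy is excluded by exact path.
    if loaded in LEGITIMATE_COMSVCS_PATHS:
        return False
    return True


def find_suspicious_loads(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a stream of image-load events down to the ones the rule would flag."""
    return [e for e in events if is_suspicious_comsvcs_load(e)]


# Constructed sample events using Sysmon Event ID 7 field names.
SAMPLE_EVENTS = [
    {   # benign: the real DLL loaded from its system path
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ImageLoaded": r"C:\Windows\System32\comsvcs.dll",
        "Imphash": "PLACEHOLDER_COMSVCS_IMPHASH_A",
    },
    {   # renamed copy: file name changed, import hash unchanged
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ImageLoaded": r"C:\Users\Public\update.dll",
        "Imphash": "placeholder_comsvcs_imphash_a",
    },
    {   # copied under its own name to a non-standard directory
        "Image": r"C:\Windows\SysWOW64\rundll32.exe",
        "ImageLoaded": r"C:\Temp\comsvcs.dll",
        "Imphash": "PLACEHOLDER_COMSVCS_IMPHASH_B",
    },
    {   # unrelated DLL loaded by rundll32: different import hash
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ImageLoaded": r"C:\Users\Public\helper.dll",
        "Imphash": "PLACEHOLDER_UNRELATED_IMPHASH",
    },
    {   # matching DLL but a different loader process: out of scope for this rule
        "Image": r"C:\Windows\System32\svchost.exe",
        "ImageLoaded": r"C:\Users\Public\update.dll",
        "Imphash": "PLACEHOLDER_COMSVCS_IMPHASH_A",
    },
]

if __name__ == "__main__":
    for hit in find_suspicious_loads(SAMPLE_EVENTS):
        print("ALERT renamed/relocated comsvcs.dll via rundll32:", hit["ImageLoaded"])
```

Run against the constructed events, only the renamed copy in C:\Users\Public and the relocated copy in C:\Temp are flagged; the system-path load, the unrelated DLL and the svchost.exe load all fall through the filters. Hash comparison is case-insensitive because different log pipelines emit imphash values in different cases.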
Categories
- Windows
- Endpoint
- Infrastructure
Data Sources
- Process
- Image
- Application Log
Created: 2022-08-14