
Lsass Memory Dump via Comsvcs DLL

Summary
This detection rule identifies a credential theft technique in which adversaries use the MiniDump export of the comsvcs.dll library to dump the memory of the Local Security Authority Subsystem Service (LSASS) process, which holds sensitive material such as passwords and other authentication tokens. The rule works by monitoring process access events for instances where rundll32.exe invokes the MiniDump function against lsass.exe. Specifically, it checks that the target image ends with 'lsass.exe', that the source image ends with 'rundll32.exe', and that the call trace includes 'comsvcs.dll', indicating that the memory dump function is being invoked through the component services library. This behavior is indicative of credential access attacks and maps to technique T1003.001 in the MITRE ATT&CK framework. The rule is part of a proactive approach to monitoring and alerting on activity that could signify attempts to steal credentials from the Windows operating system.
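As an added illustration (not the rule's own source), the three conditions the summary describes can be applied to process access events. The events below are constructed samples, the field names (SourceImage, TargetImage, CallTrace) are assumed to follow Sysmon's ProcessAccess event, and the comparison is case-insensitive because Sigma string matching is case-insensitive by default.

```python
# Added example: apply the rule's three conditions to constructed
# process-access events. Field names assume Sysmon ProcessAccess (Event ID 10).
from typing import Dict, List

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # all three conditions hold: rundll32 -> lsass with comsvcs.dll in the trace
        "SourceImage": r"C:\Windows\System32\rundll32.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d3e4|C:\Windows\System32\comsvcs.dll+1a2b3",
    },
    {   # rundll32 touches lsass, but comsvcs.dll is absent from the call trace
        "SourceImage": r"C:\Windows\System32\rundll32.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d3e4|C:\Windows\System32\KERNELBASE.dll+2c5b1",
    },
    {   # a different source process accessing lsass (e.g. a security product)
        "SourceImage": r"C:\Program Files\Scanner\scanner.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d3e4",
    },
    {   # same technique with upper-case paths; must still match
        "SourceImage": r"C:\WINDOWS\SYSTEM32\RUNDLL32.EXE",
        "TargetImage": r"C:\WINDOWS\SYSTEM32\LSASS.EXE",
        "CallTrace": r"C:\WINDOWS\SYSTEM32\COMSVCS.DLL+1a2b3",
    },
]


def matches_rule(event: Dict[str, str]) -> bool:
    """True when the event satisfies all three conditions from the rule summary."""
    source = event.get("SourceImage", "").lower()
    target = event.get("TargetImage", "").lower()
    trace = event.get("CallTrace", "").lower()
    # The leading backslash requires a path separator before the file name,
    # so a process named e.g. "notlsass.exe" does not match.
    return (
        target.endswith("\\lsass.exe")
        and source.endswith("\\rundll32.exe")
        and "comsvcs.dll" in trace
    )


def alert_indices(events: List[Dict[str, str]]) -> List[int]:
    """Indices of the events that would raise this alert."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i in alert_indices(SAMPLE_EVENTS):
        print(f"ALERT event[{i}]: {SAMPLE_EVENTS[i]['SourceImage']} accessed lsass.exe via comsvcs.dll")
```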
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2020-10-20