Potential Credential Access via Renamed COM+ Services DLL

Author: Elastic
Source: upstream

Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access.

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1036` Masquerading, `T1036.003` Masquerading: Rename Legitimate Utilities, `T1218` System Binary Proxy Execution, `T1218.011` System Binary Proxy Execution: Rundll32
Credential Access	`T1003` OS Credential Dumping, `T1003.001` OS Credential Dumping: LSASS Memory

Event coverage

Provider	Event ID	Title
Sysmon	7	Image loaded

Stages and Predicates

Stage 1: `eql:process`

event.category:"process" and process.name:"rundll32.exe"

Stage 2: `eql:process`

not file.name:"COMSVCS.DLL" and (file.pe.imphash:"EADBCCBB324829ACB5F2BBE87E5549A8" or file.pe.original_file_name:"COMSVCS.DLL") and data_stream.dataset:"windows.sysmon_operational" and event.category:"process"

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage	Field	Kind	Excluded values
1	`file.name`	eq	`COMSVCS.DLL`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`data_stream.dataset`	wildcard	`windows.sysmon_operational`
`event.category`	eq	`process` corpus 2 (elastic 2)
`file.pe.imphash`	wildcard	`EADBCCBB324829ACB5F2BBE87E5549A8`
`file.pe.original_file_name`	wildcard	`COMSVCS.DLL`
`process.name`	wildcard	`rundll32.exe`