Identifies a suspicious image load of a renamed COMSVCS.DLL, which exports the MiniDump function that can be used to dump a process's memory. This may indicate an attempt to dump LSASS memory while bypassing command-line-based detection in preparation for credential access.
Rule type: eql
Risk score: 73
Runs every: 5 minutes
Maximum alerts per execution: 100
Tags:
- Threat Detection
- Credential Access
Added (Elastic Stack release): 8.0.0
Rule authors: Elastic
Rule license: Elastic License v2
## Config

You will need to enable logging of image loads (Sysmon Event ID 7) in your Sysmon configuration so that loads of COMSVCS.DLL are captured, matching on its Imphash or Original File Name rather than on the file name, since a renamed copy will not match `COMSVCS.DLL` by name.
```eql
sequence by process.entity_id with maxspan=1m
 [process where event.category == "process" and
  process.name : "rundll32.exe"]
 [process where event.category == "process" and
  event.dataset : "windows.sysmon_operational" and event.code == "7" and
  (file.pe.original_file_name : "COMSVCS.DLL" or
   file.pe.imphash : "EADBCCBB324829ACB5F2BBE87E5549A8") and
  /* renamed COMSVCS */
  not file.name : "COMSVCS.DLL"]
```
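To sanity-check the sequence logic offline before deploying it, the following added Python emulation (not Elastic's code) applies the same two-stage conditions to a handful of constructed, ECS-flattened Sysmon events; the field names and the `1m` window follow the rule above, the events themselves are made up.

```python
from datetime import datetime, timedelta

COMSVCS_IMPHASH = "EADBCCBB324829ACB5F2BBE87E5549A8"  # value used by the rule
MAXSPAN = timedelta(minutes=1)

def _s(ev, key): return str(ev.get(key, "")).upper()  # EQL ':' compares case-insensitively

def is_rundll32_start(ev):
    return ev.get("event.category") == "process" and _s(ev, "process.name") == "RUNDLL32.EXE"

def is_renamed_comsvcs_load(ev):
    return (ev.get("event.category") == "process"
            and ev.get("event.dataset") == "windows.sysmon_operational"
            and ev.get("event.code") == "7"                      # Sysmon Image Load
            and (_s(ev, "file.pe.original_file_name") == "COMSVCS.DLL"
                 or _s(ev, "file.pe.imphash") == COMSVCS_IMPHASH)
            and _s(ev, "file.name") != "COMSVCS.DLL")            # renamed copy only

def find_sequences(events):
    """Emulate `sequence by process.entity_id with maxspan=1m`: alert when a renamed
    COMSVCS load follows a rundll32.exe start for the same entity within one minute."""
    pending = {}   # entity_id -> timestamp of the most recent rundll32 start
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        eid = ev["process.entity_id"]
        if is_rundll32_start(ev):
            pending[eid] = ev["@timestamp"]
        elif is_renamed_comsvcs_load(ev) and eid in pending:
            if ev["@timestamp"] - pending.pop(eid) <= MAXSPAN:
                alerts.append((eid, ev["file.name"]))
    return alerts

# Constructed sample events (not real telemetry), flattened to ECS field names
T0 = datetime(2024, 1, 1, 12, 0, 0)
def _start(eid, t):
    return {"@timestamp": t, "process.entity_id": eid, "event.category": "process",
            "process.name": "rundll32.exe"}
def _load(eid, t, name, orig="COMSVCS.DLL"):
    return {"@timestamp": t, "process.entity_id": eid, "event.category": "process",
            "event.dataset": "windows.sysmon_operational", "event.code": "7",
            "file.name": name, "file.pe.original_file_name": orig,
            "file.pe.imphash": COMSVCS_IMPHASH}
SAMPLE_EVENTS = [
    _start("e1", T0), _load("e1", T0 + timedelta(seconds=5), "cs.dll"),       # renamed copy -> alert
    _start("e2", T0), _load("e2", T0 + timedelta(seconds=5), "COMSVCS.DLL"),  # original name -> no alert
    _start("e3", T0), _load("e3", T0 + timedelta(minutes=3), "cs.dll"),       # outside maxspan -> no alert
    _load("e4", T0 + timedelta(seconds=5), "cs.dll"),                         # no rundll32 start -> no alert
]
```

Running `find_sequences(SAMPLE_EVENTS)` yields only the `e1` pair, which is what the EQL rule would alert on for these events.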