Potential Credential Access via Renamed COM+ Services DLL
Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-windows.sysmon_operational-*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Credential Access
- Tactic: Defense Evasion
- Data Source: Sysmon
- Resources: Investigation Guide
Version: 214
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
Triage and analysis
Investigating Potential Credential Access via Renamed COM+ Services DLL
Possible investigation steps
- What did the sequence source events prove about the loader and renamed COMSVCS image?
  - Why: Timeline source events are required for grouped meaning; renamed COMSVCS can bypass command-line-only checks, so image-load PE identity matters.
  - Focus: recover source events, confirm the shared process.entity_id, and review the rundll32.exe start plus the image-load file.path, file.name, file.pe.original_file_name, and file.pe.imphash.
  - Implication: escalate when the same rundll32.exe instance loaded a renamed image whose original name or imphash maps to COMSVCS; lower suspicion only when source events and renamed path fit an authorized lab or debugging reproduction on the same host.id and user.id.
- Do the rundll32 command line and launch context show MiniDump intent?
  - Focus: the recovered process-start process.command_line, process.parent.executable, process.parent.command_line, and user.id.
  - Implication: escalate when the command line invokes MiniDump or MiniDumpW with a target PID, dump path, and the "full" argument, or the parent is an unexpected script, shell, archive, or remote tool; lower suspicion only when parent, user, and host match the authorized test context.
- Was the renamed COMSVCS DLL staged or renamed immediately before rundll32 loaded it?
  - Focus: the loaded file.path, endpoint file telemetry on host.id and the recovered process.entity_id, plus process.executable, file.Ext.original.path, and file.Ext.original.name. (Investigate: file activity for the alerting process and its children over the last hour.)
  - Hint: missing file-create or rename telemetry leaves provenance unresolved, not benign; bound findings to observed timing and lineage.
  - Implication: escalate when a different suspicious process copied or renamed COMSVCS into a user-writable, temporary, or deceptive path shortly before the load; lower suspicion only when a lab or debugging tool created the same controlled artifact in an expected test path.
- Did the same process produce dump artifacts or credential-staging evidence?
  - Focus: child-process events where process.parent.entity_id matches the alerting process.entity_id, the child process.command_line, and, when available, endpoint file telemetry for the file.path, file.extension, and file.size of any dump, archive, or staging output. (Investigate: child processes of the alerting process over the last hour.)
  - Implication: escalate when the process or its descendants write dump-like files, archives, or credential-access artifacts after MiniDump parameters; keep unresolved when telemetry is missing, and lower suspicion only when output stays confined to the authorized test target and path.
- If local evidence is suspicious or incomplete, do related alerts expand the scope?
  - Focus: recent alerts for user.id. (Investigate: alerts associated with the user over the last 48 hours.)
  - Hint: compare with recent alerts for host.id to distinguish user-linked activity from host-local spread. (Investigate: alerts associated with the host over the last 48 hours.)
  - Implication: expand response scope when the same user or host has related dumping, defense-evasion, or intrusion alerts; keep scope local only when related alerts are absent and the recovered loader evidence is fully resolved.
- Escalate when source-event identity, MiniDump intent, parent lineage, provenance, artifacts, or related alerts support abuse; close only when recovered source events, available file evidence, and outside confirmation bind one exact authorized lab or debugging workflow; preserve and escalate when evidence is mixed or incomplete.
False positive analysis
- Renaming COMSVCS for rundll32.exe loading is an operational anti-pattern. Close as benign only for authorized malware research, internal detonation, or debugging reproduction where source events, launcher parent, user.id, host.id, recovered renamed-DLL identity, and any dump output all align with the same test case. Without lab records, recurrence of the same loader chain, controlled artifact identity, host or user scope, and bounded follow-on pattern can support a candidate exception, but not closure. Do not close if any anchor diverges.
- Build exceptions only from the minimum confirmed workflow: parent process, controlled renamed-DLL artifact identity, host.id, user.id, and bounded output path. Avoid exceptions on rundll32.exe, COMSVCS identity, or the imphash alone because those values also describe the abuse technique.
Response and remediation
- If confirmed benign, reverse any temporary containment and document the parent process, controlled renamed-DLL artifact identity, output path, host.id, and user.id that proved the authorized test. Keep exceptions narrow and require recurrence of the same workflow.
- If suspicious but unconfirmed, preserve the Timeline source events, recovered process identifiers, command line, parent context, renamed-DLL artifact details, staging evidence, and any dump or archive artifacts before containment. Apply reversible containment such as host isolation with criticality review or heightened monitoring on the affected host.id; avoid process termination or file deletion until evidence is preserved.
- If confirmed malicious, isolate the affected host.id after preserving source events, process context, renamed DLL, dump artifacts, and related-alert evidence. If direct response is unavailable, escalate with the preserved evidence set to the team that can act.
- Eradicate only the renamed DLL, dump files, archives, and staged artifacts identified during the investigation, then search the same host and related-alert scope for additional credential-dumping components. Reset or rotate credentials when dump artifacts, LSASS targeting, or privileged-host context indicate likely exposure.
- Post-incident hardening: restrict COMSVCS dump testing to controlled lab hosts, retain Sysmon image-load and file-create telemetry where it limited the case, and document the confirmed workflow or malicious artifact set for future triage.
Setup
This rule requires Sysmon telemetry to be enabled and ingested.
Setup instructions: https://ela.st/sysmon-event-7-setup
Rule query
sequence by process.entity_id with maxspan=1m
  [process where host.os.type == "windows" and event.type == "start" and process.name : "rundll32.exe"]
  [process where host.os.type == "windows" and event.code == "7" and
    (file.pe.original_file_name : "COMSVCS.DLL" or file.pe.imphash : "EADBCCBB324829ACB5F2BBE87E5549A8") and
    /* renamed COMSVCS */ not file.name : "COMSVCS.DLL"]
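As an added illustration (not part of the Elastic rule or its documentation), the following Python re-implements the two-stage sequence logic of the query above over constructed Sysmon-style events, so the match can be traced by hand. Field names mirror the ECS fields used in the rule; the sample events, entity ids and paths are invented.

```python
from datetime import datetime, timedelta

COMSVCS_IMPHASH = "EADBCCBB324829ACB5F2BBE87E5549A8"   # imphash from the rule query
MAXSPAN = timedelta(minutes=1)                           # maxspan=1m in the rule

def is_rundll32_start(e):
    # First sequence stage: a Windows process-start event for rundll32.exe
    return (e.get("host.os.type") == "windows" and e.get("event.type") == "start"
            and e.get("process.name", "").lower() == "rundll32.exe")

def is_renamed_comsvcs_load(e):
    # Second stage: Sysmon event 7 whose PE identity is COMSVCS but whose
    # on-disk file name is not, i.e. the DLL was copied under another name
    if e.get("host.os.type") != "windows" or e.get("event.code") != "7":
        return False
    pe_is_comsvcs = (e.get("file.pe.original_file_name", "").upper() == "COMSVCS.DLL"
                     or e.get("file.pe.imphash", "").upper() == COMSVCS_IMPHASH)
    return pe_is_comsvcs and e.get("file.name", "").upper() != "COMSVCS.DLL"

def find_renamed_comsvcs_loads(events):
    """Return (process.entity_id, file.path) for every rundll32 start that is
    followed within MAXSPAN by a renamed COMSVCS load in the same process."""
    pending, hits = {}, []   # entity_id -> timestamp of its latest rundll32 start
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        eid = e["process.entity_id"]
        if is_rundll32_start(e):
            pending[eid] = e["@timestamp"]
        elif is_renamed_comsvcs_load(e) and eid in pending:
            if e["@timestamp"] - pending[eid] <= MAXSPAN:
                hits.append((eid, e["file.path"]))
            del pending[eid]   # sequence either completed or expired
    return hits

# Constructed sample telemetry (not real events): process A loads a renamed
# copy from Temp; process B loads the genuine System32 DLL and must not match.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"@timestamp": T0, "host.os.type": "windows", "event.type": "start",
     "process.name": "rundll32.exe", "process.entity_id": "A"},
    {"@timestamp": T0 + timedelta(seconds=20), "host.os.type": "windows", "event.code": "7",
     "process.entity_id": "A", "file.name": "ms.dll", "file.pe.imphash": COMSVCS_IMPHASH,
     "file.path": "C:\\Users\\bob\\AppData\\Local\\Temp\\ms.dll",
     "file.pe.original_file_name": "COMSVCS.DLL"},
    {"@timestamp": T0, "host.os.type": "windows", "event.type": "start",
     "process.name": "rundll32.exe", "process.entity_id": "B"},
    {"@timestamp": T0 + timedelta(seconds=5), "host.os.type": "windows", "event.code": "7",
     "process.entity_id": "B", "file.name": "comsvcs.dll", "file.pe.imphash": COMSVCS_IMPHASH,
     "file.path": "C:\\Windows\\System32\\comsvcs.dll", "file.pe.original_file_name": "COMSVCS.DLL"},
]
```

Running find_renamed_comsvcs_loads(SAMPLE_EVENTS) flags only process A; a load of the genuine DLL, a load with no preceding rundll32 start, or a load more than a minute after the start does not complete the sequence.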
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Credential Access
  - ID: TA0006
  - Reference URL: https://attack.mitre.org/tactics/TA0006/
- Technique:
  - Name: OS Credential Dumping
  - ID: T1003
  - Reference URL: https://attack.mitre.org/techniques/T1003/
- Sub-technique:
  - Name: LSASS Memory
  - ID: T1003.001
  - Reference URL: https://attack.mitre.org/techniques/T1003/001/
- Tactic:
  - Name: Defense Evasion
  - ID: TA0005
  - Reference URL: https://attack.mitre.org/tactics/TA0005/
- Technique:
  - Name: Masquerading
  - ID: T1036
  - Reference URL: https://attack.mitre.org/techniques/T1036/
- Sub-technique:
  - Name: Rename Legitimate Utilities
  - ID: T1036.003
  - Reference URL: https://attack.mitre.org/techniques/T1036/003/
- Technique:
  - Name: System Binary Proxy Execution
  - ID: T1218
  - Reference URL: https://attack.mitre.org/techniques/T1218/
- Sub-technique:
  - Name: Rundll32
  - ID: T1218.011
  - Reference URL: https://attack.mitre.org/techniques/T1218/011/