Process Memory Dump via Comsvcs.DLL

    Date: 02/27/2025

    Severity: High

    Summary

    "Process Memory Dump via Comsvcs.DLL" covers the detection of process memory dumps created with the MiniDump export of comsvcs.dll, a DLL that ships with Windows, invoked through the signed, built-in rundll32.exe. The technique is best known for dumping lsass.exe so that credentials can be extracted from the dump offline. The export can be called by name (MiniDump) or by ordinal (#24), and rundll32 also accepts alternative ordinal spellings, such as #+24, a negative ordinal prefixed with #-, and #65560, that are used to evade simple string matching on "#24"; the indicators and queries below therefore cover each spelling. Memory dumps are also taken legitimately for debugging, so matches still require triage.

    Indicators of Compromise (IOC) List

    Image: '\rundll32.exe'

    OriginalFileName: 'RUNDLL32.EXE'

    CommandLine (rundll32 invoking the comsvcs.dll dump export by name): 'rundll32', 'comsvcs', 'full', 'MiniDump'

    CommandLine (ordinal spellings of the MiniDump export): '#24', '24 ', '#-', '#+', '#65560'

    CommandLine (separator variants in front of the ordinal): ' #', ',#', ', #', '"#'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (resourcename = "Windows Security"  AND eventtype = "4688") AND (processname like "RUNDLL32.EXE" AND newprocessname like "\rundll32.exe" AND commandline like "rundll32") AND (((commandline like "comsvcs" AND commandline like "full") OR (commandline like "#-" or commandline like "#+" or commandline like "#24" or commandline like "MiniDump" or commandline like "#65560")) OR ((commandline like "24" AND commandline like "comsvcs" AND commandline like "full") AND (commandline like " #" or commandline like ",#" or commandline like ", #" or commandline like "\"#")))

    Detection Query 2

    (technologygroup = "EDR") AND (processname like "RUNDLL32.EXE" AND newprocessname like "\rundll32.exe" AND commandline like "rundll32") AND (((commandline like "comsvcs" AND commandline like "full") OR (commandline like "#-" or commandline like "#+" or commandline like "#24" or commandline like "MiniDump" or commandline like "#65560")) OR ((commandline like "24" AND commandline like "comsvcs" AND commandline like "full") AND (commandline like " #" or commandline like ",#" or commandline like ", #" or commandline like "\"#")))

    Detection Query 3

    (resourcename = "sysmon"  AND eventtype = "1") AND (processname like "RUNDLL32.EXE" AND newprocessname like "\rundll32.exe" AND commandline like "rundll32") AND (((commandline like "comsvcs" AND commandline like "full") OR (commandline like "#-" or commandline like "#+" or commandline like "#24" or commandline like "MiniDump" or commandline like "#65560")) OR ((commandline like "24" AND commandline like "comsvcs" AND commandline like "full") AND (commandline like " #" or commandline like ",#" or commandline like ", #" or commandline like "\"#")))

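    The following is an added example, not Gurucul's or SigmaHQ's code: the logic of the queries above expressed in Python and run over constructed process-creation events, so the match conditions can be checked against concrete command lines. It assumes that the query language's "like" behaves as a case-insensitive substring match (the same as Sigma's "contains"); the field names follow the queries, and the PIDs and output paths in the sample events are placeholders.

```python
# Added example (not Gurucul's or SigmaHQ's code): the page's detection logic
# in Python, run over constructed process-creation events.
# Assumption: "like" in the queries is a case-insensitive substring match,
# like Sigma's "contains". Field names are those used in the page's queries.

# Image / original file name / command line selection
IMG_PROCESSNAME = "RUNDLL32.EXE"        # OriginalFileName
IMG_NEWPROCESSNAME = "\\rundll32.exe"   # Image suffix
IMG_COMMANDLINE = "rundll32"

# Command-line terms from the IOC list, grouped as the queries group them
CLI_DUMP_ALL = ("comsvcs", "full")                           # comsvcs AND full
CLI_ORDINAL_ANY = ("#-", "#+", "#24", "MiniDump", "#65560")  # export by name or ordinal
CLI_COMBO_ALL = ("24", "comsvcs", "full")
CLI_COMBO_ANY = (" #", ",#", ", #", '"#')                    # separators before an ordinal


def _like(value, term):
    """Case-insensitive substring match (assumed meaning of 'like')."""
    return term.lower() in value.lower()


def matches_comsvcs_dump(event):
    """Return True when a process-creation event satisfies the page's query.

    event is a dict with the keys used in the queries:
    processname, newprocessname and commandline.
    """
    cmd = event.get("commandline", "")
    image_selected = (
        _like(event.get("processname", ""), IMG_PROCESSNAME)
        and _like(event.get("newprocessname", ""), IMG_NEWPROCESSNAME)
        and _like(cmd, IMG_COMMANDLINE)
    )
    if not image_selected:
        return False
    # (comsvcs AND full) OR any single ordinal / MiniDump term
    branch_a = all(_like(cmd, t) for t in CLI_DUMP_ALL) or any(
        _like(cmd, t) for t in CLI_ORDINAL_ANY
    )
    # (24 AND comsvcs AND full) AND any separator variant
    branch_b = all(_like(cmd, t) for t in CLI_COMBO_ALL) and any(
        _like(cmd, t) for t in CLI_COMBO_ANY
    )
    return branch_a or branch_b


def _event(commandline, processname="RUNDLL32.EXE",
           newprocessname=r"C:\Windows\System32\rundll32.exe"):
    return {"processname": processname, "newprocessname": newprocessname,
            "commandline": commandline}


# Constructed sample events (not real telemetry); PID 624 and paths are placeholders.
SAMPLE_EVENTS = [
    # MiniDump export called by name
    _event(r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\lsass.dmp full"),
    # the same export by ordinal 24
    _event(r"rundll32.exe C:\Windows\System32\comsvcs.dll, #24 624 C:\Temp\d.dmp full"),
    # ordinal spellings with an explicit sign (IOC terms '#+' and '#-')
    _event(r"rundll32.exe comsvcs.dll,#+24 624 C:\Temp\d.dmp full"),
    _event(r"rundll32.exe comsvcs.dll,#-4294967272 624 C:\Temp\d.dmp full"),
    # ordinal 24 + 65536, the '#65560' spelling from the IOC list
    _event(r"rundll32.exe comsvcs.dll,#65560 624 C:\Temp\d.dmp full"),
    # benign rundll32 use: no comsvcs, no ordinal
    _event(r"rundll32.exe shell32.dll,Control_RunDLL"),
    # comsvcs.dll loaded without a dump request
    _event(r"rundll32.exe C:\Windows\System32\comsvcs.dll"),
    # not rundll32 at all
    _event(r"powershell.exe -c Get-Process lsass", processname="POWERSHELL.EXE",
           newprocessname=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # any signed ordinal satisfies the '#-' term on its own, with no comsvcs term required
    _event(r"rundll32.exe C:\Tools\example.dll,#-1"),
]


def detect(events):
    """Return the command lines of the matching events, in input order."""
    return [e["commandline"] for e in events if matches_comsvcs_dump(e)]


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print("ALERT:", line)
```

    The last sample event shows a property of the queries worth knowing before deploying them: the standalone ordinal branch ('#-', '#+', '#24', 'MiniDump', '#65560') fires on any rundll32 command line containing one of those strings, whether or not comsvcs.dll is involved, so expect to tune on the loaded DLL or enrich alerts with the parent process and the target PID (most importantly whether it belongs to lsass.exe) during triage.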

    Reference: 

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml


    Tags

    Sigma, Exploit, Memory Dump
