Date: 02/27/2025
Severity: High
Summary
"Process Memory Dump via Comsvcs.DLL" describes the abuse of comsvcs.dll, a signed Windows system library whose exported MiniDump function (export ordinal 24) writes a full memory dump of an arbitrary process to disk. Invoked through rundll32.exe, it needs no attacker tooling on the host: rundll32 comsvcs.dll, MiniDump <PID> <output path> full. The usual target is lsass.exe, whose dump exposes cached credentials (MITRE ATT&CK T1003.001, OS Credential Dumping: LSASS Memory), although the same call is occasionally used for legitimate debugging. The export can be requested by name (MiniDump) or by ordinal (#24), and because in effect only the low 16 bits of the ordinal matter, spellings such as #+24, #65560 (65536 + 24) and negative values that wrap to 24 reach the same function and are used to evade simple string matching. Detection therefore keys on the rundll32 command line as a whole (comsvcs, the "full" dump type, and a MiniDump or ordinal marker) rather than on any single token.
Indicators of Compromise (IOC) List
Field | Values |
Image (ends with) | '\rundll32.exe' |
OriginalFileName | 'RUNDLL32.EXE' |
CommandLine (process) | 'rundll32' |
CommandLine (both required) | 'comsvcs' 'full' |
CommandLine (export by name or ordinal, any one) | '#-' '#+' '#24' '24 ' 'MiniDump' '#65560' |
CommandLine (ordinal variant, all required) | '24' 'comsvcs' 'full' |
CommandLine (ordinal variant, any one marker) | ' #' ',#' ', #' '"#' |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
All three queries encode the same condition: the process is rundll32, the command line references comsvcs together with the "full" dump type, and it also carries either a MiniDump/ordinal token ('#-', '#+', '#24', '24 ', 'MiniDump', '#65560') or an ordinal marker (' #', ',#', ', #', '"#') alongside '24'. The comsvcs/full requirement is what keeps the ordinal tokens from firing on unrelated rundll32 command lines (a URL fragment such as "#24" passed to url.dll, for example). Note that Windows Security event 4688 only records the command line when the "Include command line in process creation events" policy is enabled; without it Query 1 cannot match and Sysmon Event ID 1 (Query 3) or EDR telemetry (Query 2) is required.
Detection Query 1 | (resourcename = "Windows Security" AND eventtype = "4688") AND (processname like "RUNDLL32.EXE" AND newprocessname like "\rundll32.exe" AND commandline like "rundll32") AND (commandline like "comsvcs" AND commandline like "full") AND ((commandline like "#-" OR commandline like "#+" OR commandline like "#24" OR commandline like "24 " OR commandline like "MiniDump" OR commandline like "#65560") OR (commandline like "24" AND (commandline like " #" OR commandline like ",#" OR commandline like ", #" OR commandline like "\"#"))) |
Detection Query 2 | (technologygroup = "EDR") AND (processname like "RUNDLL32.EXE" AND newprocessname like "\rundll32.exe" AND commandline like "rundll32") AND (commandline like "comsvcs" AND commandline like "full") AND ((commandline like "#-" OR commandline like "#+" OR commandline like "#24" OR commandline like "24 " OR commandline like "MiniDump" OR commandline like "#65560") OR (commandline like "24" AND (commandline like " #" OR commandline like ",#" OR commandline like ", #" OR commandline like "\"#"))) |
Detection Query 3 | (resourcename = "sysmon" AND eventtype = "1") AND (processname like "RUNDLL32.EXE" AND newprocessname like "\rundll32.exe" AND commandline like "rundll32") AND (commandline like "comsvcs" AND commandline like "full") AND ((commandline like "#-" OR commandline like "#+" OR commandline like "#24" OR commandline like "24 " OR commandline like "MiniDump" OR commandline like "#65560") OR (commandline like "24" AND (commandline like " #" OR commandline like ",#" OR commandline like ", #" OR commandline like "\"#"))) |
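To make the technique in the summary and the query logic above concrete, the following Python is an added example written for this page; it is not part of the advisory, the Gurucul product or the Sigma rule. It renders the query conditions as a function, runs them over a handful of constructed process-creation events (made-up PIDs, paths and command lines, not real telemetry), and shows how the signed and wrapped ordinals from the summary all resolve to export 24. Case-insensitive matching and the 16-bit ordinal truncation are assumptions stated in the comments.

```python
import re

# Tokens from the IOC list above. Lower-casing both sides is an assumption: the
# Sigma "contains" modifier is case-insensitive, Gurucul's "like" may or may not be.
COMSVCS_REQUIRED = ("comsvcs", "full")
FUNC_TOKENS = ("#-", "#+", "#24", "24 ", "minidump", "#65560")
ORDINAL_MARKERS = (" #", ",#", ", #", '"#')

# An ordinal as rundll32 accepts it: '#' followed by an optionally signed integer.
ORDINAL_RE = re.compile(r"#([+-]?\d+)")


def resolve_ordinal(cmdline: str):
    """Return the export ordinal the command line ends up requesting, or None
    when the export is given by name. Only the low 16 bits matter in practice
    (assumption, consistent with the #+24 / #65560 / negative variants), so all
    of those collapse to 24, the ordinal of comsvcs!MiniDump."""
    m = ORDINAL_RE.search(cmdline)
    if m is None:
        return None
    return int(m.group(1)) & 0xFFFF


def matches_comsvcs_dump(image: str, cmdline: str) -> bool:
    """Python rendering of the three detection queries above.

    Fires only when all of the following hold:
      1. the process is rundll32 (image name or command line),
      2. the command line references comsvcs AND asks for a 'full' dump,
      3. it also carries a MiniDump/ordinal token, or an ordinal marker next to '24'.
    """
    img, cl = image.lower(), cmdline.lower()
    if not (img.endswith("\\rundll32.exe") or "rundll32" in cl):
        return False
    if not all(tok in cl for tok in COMSVCS_REQUIRED):
        return False
    by_function = any(tok in cl for tok in FUNC_TOKENS)
    by_ordinal = "24" in cl and any(mark in cl for mark in ORDINAL_MARKERS)
    return by_function or by_ordinal


# Constructed process-creation events, not real telemetry. PIDs and paths are
# made up; "expect" is the verdict the queries should reach.
SAMPLE_EVENTS = [
    {"id": "dump_by_name",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Temp\lsass.dmp full",
     "expect": True},
    {"id": "dump_by_ordinal",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe comsvcs.dll, #24 624 C:\Temp\l.dmp full",
     "expect": True},
    {"id": "dump_wrapped_ordinal",      # 65560 = 65536 + 24
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe comsvcs.dll, #65560 1000 C:\Temp\l.dmp full",
     "expect": True},
    {"id": "dump_negative_ordinal",     # -65512 wraps to 24 in 16 bits
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe comsvcs.dll, #-65512 1000 C:\Temp\l.dmp full",
     "expect": True},
    {"id": "dump_quoted_ordinal",       # also caught by the '"#' marker
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe comsvcs.dll,"#+24" 1000 C:\Temp\l.dmp full',
     "expect": True},
    {"id": "benign_control_panel",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
     "expect": False},
    {"id": "benign_url_fragment",       # has '#24' but no comsvcs: must not fire
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe url.dll,FileProtocolHandler https://example.test/docs#24",
     "expect": False},
    {"id": "out_of_scope_procdump",     # LSASS dump, but not via comsvcs/rundll32
     "image": r"C:\Tools\procdump.exe",
     "cmdline": r"procdump.exe -ma lsass.exe C:\Temp\lsass.dmp",
     "expect": False},
]


def evaluate(events):
    """Run the detection over a batch of events and return {event id: verdict}."""
    return {e["id"]: matches_comsvcs_dump(e["image"], e["cmdline"]) for e in events}


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict = matches_comsvcs_dump(e["image"], e["cmdline"])
        print(f"{'ALERT' if verdict else 'ok   '} {e['id']:<24} "
              f"ordinal={resolve_ordinal(e['cmdline'])} :: {e['cmdline']}")
```

Running the script prints one line per sample event with the verdict and the resolved ordinal; the url.dll and procdump lines stay quiet, which is the behaviour the comsvcs/full requirement buys over matching the ordinal tokens on their own.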
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml