Potential Credential Access via Renamed COM+ Services DLL
Identifies a suspicious image load of a renamed COMSVCS.DLL. This DLL exports the MiniDump function, which can be used to dump the memory of a process. A renamed copy may indicate an attempt to dump LSASS memory while evading command-line-based detections, in preparation for credential access.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-windows.*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-9m (Date Math format: https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Credential Access
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
You will need to enable logging of image loads (event ID 7) in your Sysmon configuration so that COMSVCS.DLL is captured. Match on its Imphash or Original File Name rather than on the file name, since the rule is looking for renamed copies that a file-name filter would miss.
sequence by process.entity_id with maxspan=1m
[process where event.category == "process" and
process.name : "rundll32.exe"]
[process where event.category == "process" and event.dataset : "windows.sysmon_operational" and event.code == "7" and
(file.pe.original_file_name : "COMSVCS.DLL" or file.pe.imphash : "EADBCCBB324829ACB5F2BBE87E5549A8") and
/* renamed COMSVCS */
not file.name : "COMSVCS.DLL"]
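The following is an added example, not part of the Elastic rule or its test suite: it replays the sequence logic above in Python over a handful of constructed Sysmon-style events so you can see which cases fire and which do not. The event records, entity IDs and file names are made up; the only values taken from the rule are the Imphash, the original file name, the event code and the one-minute maxspan. The `eql_match` helper approximates EQL's `:` operator (case-insensitive, `*` wildcard).

```python
import fnmatch
from datetime import datetime, timedelta, timezone

# Values taken from the rule above.
COMSVCS_IMPHASH = "EADBCCBB324829ACB5F2BBE87E5549A8"
MAXSPAN = timedelta(minutes=1)


def eql_match(value, pattern):
    """Approximate EQL's `:` operator: case-insensitive, `*` acts as a wildcard.
    A missing field never matches, which is also how EQL behaves."""
    if value is None:
        return False
    return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_stage1(ev):
    """First sequence step: any process-category event for rundll32.exe."""
    return ev.get("event.category") == "process" and eql_match(ev.get("process.name"), "rundll32.exe")


def is_stage2(ev):
    """Second step: Sysmon image load (code 7) of COMSVCS by original name or
    imphash, where the on-disk file name is not COMSVCS.DLL (i.e. renamed)."""
    return (
        ev.get("event.category") == "process"
        and eql_match(ev.get("event.dataset"), "windows.sysmon_operational")
        and ev.get("event.code") == "7"
        and (eql_match(ev.get("file.pe.original_file_name"), "COMSVCS.DLL")
             or eql_match(ev.get("file.pe.imphash"), COMSVCS_IMPHASH))
        and not eql_match(ev.get("file.name"), "COMSVCS.DLL")
    )


def find_sequences(events, maxspan=MAXSPAN):
    """Emulate `sequence by process.entity_id with maxspan`: a stage-2 event
    matches if the same entity produced a stage-1 event within maxspan before it.
    Returns (entity_id, loaded file name) for every match."""
    pending = {}  # entity_id -> timestamp of the most recent unconsumed stage-1 event
    matches = []
    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        eid = ev.get("process.entity_id")
        ts = parse_ts(ev["@timestamp"])
        if is_stage2(ev) and eid in pending and ts - pending[eid] <= maxspan:
            matches.append((eid, ev.get("file.name")))
            del pending[eid]  # a sequence consumes its stage-1 event
            continue
        if is_stage1(ev):
            pending[eid] = ts
    return matches


# Constructed sample events (hypothetical, not real telemetry). Image-load events
# carry process.name too, as Sysmon's do, so they can also satisfy stage 1.
DS = "windows.sysmon_operational"
SAMPLE_EVENTS = [
    # e1: rundll32 starts, then loads a renamed copy of comsvcs.dll 5 s later -> alert
    {"@timestamp": "2024-05-01T10:00:00Z", "event.category": "process", "event.dataset": DS,
     "event.code": "1", "process.entity_id": "e1", "process.name": "rundll32.exe"},
    {"@timestamp": "2024-05-01T10:00:05Z", "event.category": "process", "event.dataset": DS,
     "event.code": "7", "process.entity_id": "e1", "process.name": "rundll32.exe",
     "file.name": "svc.dll", "file.pe.original_file_name": "COMSVCS.DLL", "file.pe.imphash": COMSVCS_IMPHASH},
    # e2: the real DLL loaded under its own name (case differs) -> no alert
    {"@timestamp": "2024-05-01T10:01:00Z", "event.category": "process", "event.dataset": DS,
     "event.code": "1", "process.entity_id": "e2", "process.name": "rundll32.exe"},
    {"@timestamp": "2024-05-01T10:01:03Z", "event.category": "process", "event.dataset": DS,
     "event.code": "7", "process.entity_id": "e2", "process.name": "rundll32.exe",
     "file.name": "comsvcs.dll", "file.pe.original_file_name": "COMSVCS.DLL", "file.pe.imphash": COMSVCS_IMPHASH},
    # e3: renamed load, but 90 s after the rundll32 event -> outside maxspan -> no alert
    {"@timestamp": "2024-05-01T10:05:00Z", "event.category": "process", "event.dataset": DS,
     "event.code": "1", "process.entity_id": "e3", "process.name": "rundll32.exe"},
    {"@timestamp": "2024-05-01T10:06:30Z", "event.category": "process", "event.dataset": DS,
     "event.code": "7", "process.entity_id": "e3", "process.name": "rundll32.exe",
     "file.name": "dump.dll", "file.pe.original_file_name": "COMSVCS.DLL", "file.pe.imphash": COMSVCS_IMPHASH},
    # e4: renamed DLL loaded by powershell.exe, no rundll32 event -> not this rule's concern
    {"@timestamp": "2024-05-01T10:08:00Z", "event.category": "process", "event.dataset": DS,
     "event.code": "7", "process.entity_id": "e4", "process.name": "powershell.exe",
     "file.name": "x.dll", "file.pe.original_file_name": "COMSVCS.DLL", "file.pe.imphash": COMSVCS_IMPHASH},
    # e5: original file name stripped from the PE header, imphash still matches -> alert
    {"@timestamp": "2024-05-01T10:10:00Z", "event.category": "process", "event.dataset": DS,
     "event.code": "1", "process.entity_id": "e5", "process.name": "rundll32.exe"},
    {"@timestamp": "2024-05-01T10:10:20Z", "event.category": "process", "event.dataset": DS,
     "event.code": "7", "process.entity_id": "e5", "process.name": "rundll32.exe",
     "file.name": "comsvcs64.dll", "file.pe.imphash": COMSVCS_IMPHASH},
]

if __name__ == "__main__":
    for eid, name in find_sequences(SAMPLE_EVENTS):
        print(f"ALERT entity={eid} renamed COMSVCS loaded as {name}")
```

Two things the replay makes visible. First, the rule's opening step only requires a process-category event for rundll32.exe, not a process-creation event, so a Sysmon image load by rundll32.exe can itself open the one-minute window. Second, the two PE indicators are not equivalent: the Original File Name survives a rename but can be stripped or edited, while the Imphash is derived from one build's import table and will differ for other builds of the DLL, so in practice both are needed and neither is airtight on its own.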
Framework: MITRE ATT&CK™
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
Technique:
- Name: OS Credential Dumping
- ID: T1003
- Reference URL: https://attack.mitre.org/techniques/T1003/
Sub-technique:
- Name: LSASS Memory
- ID: T1003.001
- Reference URL: https://attack.mitre.org/techniques/T1003/001/