From 33bdfd124dd0c5e1fc03315da9a48aaa97a29d71 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 8 Dec 2021 10:02:21 +0100
Subject: [PATCH] refactor: comsvcs.dll adjustments - run by ordinal variants

---
 other/godmode_sigma_rule.yml | 6 +++++-
 .../win_process_dump_rundll32_comsvcs.yml | 9 +++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/other/godmode_sigma_rule.yml b/other/godmode_sigma_rule.yml
index 67969b7bc..9c90a426a 100644
--- a/other/godmode_sigma_rule.yml
+++ b/other/godmode_sigma_rule.yml
@@ -19,7 +19,7 @@ description: 'PoC rule to detect malicious activity - following the principle: i
 status: experimental
 author: Florian Roth
 date: 2019/12/22
-modified: 2020/05/18
+modified: 2021/12/08
 level: high
 action: global
 ---
@@ -54,6 +54,10 @@ detection:
             - 'schtasks* /create *AppData' # Scheduled task creation pointing to AppData
             - ' comsvcs.dll,MiniDump' # Process dumping method apart from procdump
             - ' comsvcs.dll,#24' # Process dumping method apart from procdump
+            - ' comsvcs.dll MiniDump' # Process dumping method apart from procdump
+            - ' comsvcs.dll #24' # Process dumping method apart from procdump
+            - 'MiniDump full' # Process dumping method apart from procdump
+            - '#24 full' # Process dumping method apart from procdump
     selection_parent_child:
         ParentImage|contains:
             # Office Dropper Detection
diff --git a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
index e41084320..c261b918a 100644
--- a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
+++ b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
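Review bot: The four added `CommandLine|contains` entries in the `detection:` hunk reuse the comment `# Process dumping method apart from procdump` verbatim from the lines above, which hides what each new pattern contributes; `' comsvcs.dll MiniDump'` / `' comsvcs.dll #24'` cover the space-separated export form, while `'MiniDump full'` / `'#24 full'` fire on the export name or ordinal plus the `full` argument even when comsvcs.dll is not named, and the comments should say so, e.g. `# comsvcs.dll export or ordinal, space-separated variant` and `# export/ordinal followed by 'full', dll name absent`. The ordinal spellings `'#+24'` and `'#-4294967272'` that this same commit adds to win_process_dump_rundll32_comsvcs.yml are not mirrored here, so this aggregate rule will miss command lines the dedicated rule now catches; I would keep the two lists in step or add a comment stating why not. The selection these list items belong to starts before the hunk.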
@@ -5,9 +5,10 @@ status: experimental
 references:
     - https://twitter.com/shantanukhande/status/1229348874298388484
     - https://twitter.com/pythonresponder/status/1385064506049630211?s=21
+    - https://twitter.com/Hexacorn/status/1224848930795552769
 author: Florian Roth
 date: 2020/02/18
-modified: 2021/12/07
+modified: 2021/12/08
 tags:
     - attack.defense_evasion
     - attack.t1036
@@ -23,13 +24,17 @@ detection:
         CommandLine|contains:
             - 'comsvcs.dll'
             - 'rundll32'
+            - '.dmp'
     selection_function:
         Commandline|contains:
             - '#24'
+            - '#+24'
             - 'MiniDump'
     selection_full:
         CommandLine|contains: ' full'
-    condition: all of selection*
+    unique_selection:
+        CommandLine|contains: '#-4294967272' # https://twitter.com/Hexacorn/status/1224848930795552769
+    condition: all of selection* or unique_selection
 falsepositives:
     - Unlikely, because no one should dump the process memory in that way
 level: high
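Review bot: `selection_function`, which receives the new `'#+24'` entry, still keys on `Commandline|contains` while every other selection in the hunk, including the new `unique_selection`, uses `CommandLine|contains`; unless the target backend maps field names case-insensitively, the `'#24'`/`'#+24'`/`'MiniDump'` terms are evaluated against a differently named field and `all of selection*` may never be satisfied, so change it to `CommandLine|contains:` while this block is being touched. The added `'.dmp'` widens `selection_tools` from "the dumping tooling" to "tooling or a dump-file path", which looks deliberate given the ordinal variants but deserves a comment such as `# '.dmp' covers invocations where neither 'rundll32' nor 'comsvcs.dll' appears on the command line`. `unique_selection` is presumably named outside the `selection*` glob on purpose so it can be OR-ed in on its own; a one-line comment saying so would stop the next maintainer from "normalising" the name and silently changing the condition. The inline comment after `'#-4294967272'` should have two spaces before `#` to satisfy yamllint, and the hunk's `detection:` key itself starts before the hunk.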