From 63fd1189e79f2a0d3ec7b5a77299a3404d572d83 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 7 Dec 2021 12:59:20 +0100
Subject: [PATCH 1/2] rule: improved comsvcs.dll Minidump rule

---
 .../win_process_dump_rundll32_comsvcs.yml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
index d75fdc85a..1be515cd1 100644
--- a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
+++ b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
@@ -7,7 +7,7 @@ references:
 - https://twitter.com/pythonresponder/status/1385064506049630211?s=21
 author: Florian Roth
 date: 2020/02/18
-modified: 2021/04/23
+modified: 2021/12/07
 tags:
 - attack.defense_evasion
 - attack.t1036
@@ -19,12 +19,14 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection:
+ selection_comsvcs:
 CommandLine|contains:
- - 'comsvcs.dll,#24'
- - 'comsvcs.dll,MiniDump'
- - 'comsvcs.dll MiniDump'
- condition: selection
+ - 'comsvcs.dll'
+ slection_function:
+ Commandline|contains:
+ - '#24'
+ - 'MiniDump'
+ condition: selection_comsvcs and selection_function
 falsepositives:
 - Unlikely, because no one should dump the process memory in that way
 level: high

From 1cae0164599a8949785c5c88f687a3031f2a3cc0 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 7 Dec 2021 15:05:20 +0100
Subject: [PATCH 2/2] rule: fix and extend comsvcs minidump rule

---
 .../win_process_dump_rundll32_comsvcs.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
index 1be515cd1..e41084320 100644
--- a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
+++ b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
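Review bot: In the second hunk the new selection key is spelled `slection_function:` while the new `condition: selection_comsvcs and selection_function` references `selection_function`, so the condition points at a selection that does not exist and the rule cannot be compiled as written. The same selection also spells its field `Commandline|contains:` whereas `selection_comsvcs` uses `CommandLine|contains:`; Sigma resolves field names through the backend field mapping, so the lowercase variant likely does not map to the process-creation CommandLine field and the selection would never match (confirm against the target backend). The fix is two renamed lines: `selection_function:` and `CommandLine|contains:`.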
@@ -20,13 +20,16 @@ logsource:
 product: windows
 detection:
 selection_comsvcs:
- CommandLine|contains:
+ CommandLine|contains:
 - 'comsvcs.dll'
- slection_function:
+ - 'rundll32'
+ selection_function:
 Commandline|contains:
 - '#24'
 - 'MiniDump'
- condition: selection_comsvcs and selection_function
+ selection_full:
+ CommandLine|contains: ' full'
+ condition: all of selection*
 falsepositives:
 - Unlikely, because no one should dump the process memory in that way
 level: high
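Review bot: Appending `- 'rundll32'` to the `CommandLine|contains:` list under `selection_comsvcs` turns that selection into `comsvcs.dll OR rundll32`, so the rule no longer requires `comsvcs.dll` in the command line at all: any rundll32 invocation whose command line carries `MiniDump` or `#24` together with ` full` now satisfies `all of selection*`. If both strings are meant to be required, the list should use `CommandLine|contains|all:`; if the widening is deliberate, the description and falsepositives should say so, since the stated false-positive rationale still assumes a comsvcs.dll dump. Separately, `selection_function` still uses `Commandline|contains:` (lowercase l) while the other two selections use `CommandLine`; because field names are resolved through the backend field mapping, this selection may not map to the process CommandLine field, in which case `all of selection*` never fires — worth confirming against the target backend and changing to `CommandLine|contains:`.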