[metadata] creation_date = "2021/10/17" integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" updated_date = "2023/02/22" [rule] author = ["Elastic"] description = """ Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access. """ from = "now-9m" index = ["winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Potential Credential Access via Renamed COM+ Services DLL" note = """## Setup You will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original File Name.""" references = ["https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/"] risk_score = 73 rule_id = "c5c9f591-d111-4cf8-baec-c26a39bc31ef" severity = "high" tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"] type = "eql" query = ''' sequence by process.entity_id with maxspan=1m [process where host.os.type == "windows" and event.category == "process" and process.name : "rundll32.exe"] [process where host.os.type == "windows" and event.category == "process" and event.dataset : "windows.sysmon_operational" and event.code == "7" and (file.pe.original_file_name : "COMSVCS.DLL" or file.pe.imphash : "EADBCCBB324829ACB5F2BBE87E5549A8") and /* renamed COMSVCS */ not file.name : "COMSVCS.DLL"] ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" [[rule.threat.technique.subtechnique]] id = "T1003.001" name = "LSASS Memory" reference = "https://attack.mitre.org/techniques/T1003/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/"