Detection: Windows Rundll32 Comsvcs Memory Dump

Description

The following analytic identifies process memory dumping performed by invoking the MiniDump function of comsvcs.dll through rundll32.exe. This technique is commonly used by adversaries who want to dump the memory of lsass.exe.

Annotations

No annotations available.

Implementation

You must be ingesting endpoint data that tracks process activity, including Windows command-line logging. You can see how we test this with Event Code 4688 on the attack_range.
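The matching logic this analytic relies on, as an added example that is not the project's own search: a small Python matcher that checks the image name and command line of 4688-style process-creation records for the rundll32.exe plus comsvcs.dll plus MiniDump combination, and computes the risk score with the formula given on this page. The sample records, field names and host/user values are constructed for the example and are not real telemetry.

```python
"""Added example (not part of the Splunk detection page): match the
rundll32 + comsvcs.dll + MiniDump pattern over constructed 4688-style
process-creation records and emit a risk event per match."""
import re

# Constructed sample records shaped like Event ID 4688 fields
# (NewProcessName, CommandLine, SubjectUserName). Not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice",
     "process": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Users\Public\lsass.dmp full"},
    {"host": "ws02", "user": "CORP\\bob",
     "process": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"host": "ws03", "user": "CORP\\svc_build",
     "process": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'rundll32 "C:\Windows\System32\comsvcs.dll",MiniDump 700 \\share\x.dmp full'},
    {"host": "ws04", "user": "CORP\\carol",
     "process": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\temp\comsvcs.dll"},
]

# "comsvcs.dll" followed by any separator (comma, space, quote) and the
# MiniDump function name; case-insensitive because rundll32 is.
COMSVCS_MINIDUMP = re.compile(r"comsvcs(\.dll)?\W+minidump\b", re.IGNORECASE)

# Initial Impact and Confidence for this analytic, as stated on the page.
IMPACT = 40
CONFIDENCE = 100


def risk_score(impact: int, confidence: int) -> float:
    """Risk Score = (Impact * Confidence / 100), the page's formula."""
    return impact * confidence / 100


def is_comsvcs_minidump(process: str, cmdline: str) -> bool:
    """True when the image is rundll32.exe and the command line calls
    the MiniDump function of comsvcs.dll."""
    image = process.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image != "rundll32.exe":
        return False
    return COMSVCS_MINIDUMP.search(cmdline) is not None


def detect(events) -> list:
    """Return one risk event per matching process-creation record."""
    hits = []
    for ev in events:
        if not is_comsvcs_minidump(ev["process"], ev["cmdline"]):
            continue
        hits.append({
            "host": ev["host"],
            "user": ev["user"],
            "risk_score": risk_score(IMPACT, CONFIDENCE),
            "message": (
                "A dump of a process was attempted using comsvcs.dll with the "
                f"minidump function on endpoint {ev['host']} by user {ev['user']}."
            ),
        })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[risk={hit['risk_score']:.0f}] {hit['message']}")
```

The image-name check keeps a command line that merely mentions comsvcs.dll (the notepad record) from firing, and the separator class in the pattern tolerates the quoting and spacing differences that legitimate command-line logging produces. In production the filter would be tuned per the Known False Positives guidance below.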

Known False Positives

False positives should be limited; filter as needed.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message: A dump of a process was attempted using comsvcs.dll with the minidump function on endpoint $dest_device_id$ by user $dest_device_user$.
Risk Score: 40
Impact: 40
Confidence: 100

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence / 100). The initial Confidence and Impact are set by the analytic author.

Version: 8