Potential Credential Access via Renamed COM+ Services DLL
Detection of renamed COMSVCS.DLL being loaded by rundll32.exe, potentially used to dump LSASS memory for credential access while evading command-line detection.
This detection identifies a suspicious technique where an attacker renames the COMSVCS.DLL, a legitimate Windows component, and then loads it using rundll32.exe. COMSVCS.DLL contains the MiniDumpWriteDump function, which can be used to create a memory dump of a running process. Attackers abuse this technique to dump the LSASS process memory, where credentials are often stored, while attempting to bypass traditional command-line monitoring that might detect direct use of MiniDumpWriteDump. The renaming of the DLL is a defense evasion tactic to avoid detection based on the DLL’s original name. This activity is a strong indicator of potential credential access and requires immediate investigation. The rule specifically looks for renamed COMSVCS.DLL with a matching original filename or imphash being loaded by rundll32.exe.
Attack Chain
- Attacker gains initial access to the system, potentially through phishing or exploitation of a vulnerability.
- The attacker copies the legitimate COMSVCS.DLL to a new location on the disk, often a temporary directory.
- The attacker renames the copied COMSVCS.DLL to an arbitrary name to evade detection.
- The attacker uses rundll32.exe to load the renamed COMSVCS.DLL.
- The rundll32.exe process executes the MiniDumpWriteDump function exported by the renamed COMSVCS.DLL.
- The MiniDumpWriteDump function targets the LSASS process, creating a memory dump file.
- The attacker retrieves the LSASS memory dump file.
- The attacker uses credential extraction tools to obtain credentials from the dumped LSASS memory.
Impact
Successful execution of this attack chain can lead to the compromise of sensitive credentials stored in LSASS memory, including domain administrator accounts. This allows the attacker to move laterally within the network, gain access to critical systems, and potentially exfiltrate sensitive data or deploy ransomware. The impact is high due to the potential for widespread compromise and data breach.
Recommendation
- Enable Sysmon image load logging (Event ID 7) to detect the loading of DLLs, which is essential for this detection.
- Deploy the “Potential Credential Access via Renamed COM+ Services DLL” Sigma rule to your SIEM to identify instances of renamed COMSVCS.DLL being loaded by rundll32.exe.
- Monitor for rundll32.exe processes loading DLLs from unusual locations, as this could indicate malicious activity.
- Investigate any alerts generated by the Sigma rule, focusing on the process that loaded the renamed DLL and any subsequent activity.
- Use the IOC listed below (the imphash of COMSVCS.DLL, EADBCCBB324829ACB5F2BBE87E5549A8, recorded as an MD5 value because an imphash is an MD5 digest of the import table) to search for copies of COMSVCS.DLL on your systems.
- Enforce strict access control policies to prevent unauthorized users from copying and renaming system DLLs.
Detection coverage (2 rules)
- Detect Renamed COMSVCS.DLL Load by Rundll32 (level: high): Detects a suspicious renamed COMSVCS.DLL image load, which exports the MiniDump function, when loaded by rundll32.
- Detect Renamed COMSVCS.DLL Load by Rundll32 with Imphash (level: high): Detects a suspicious renamed COMSVCS.DLL image load based on its imphash, which exports the MiniDump function, when loaded by rundll32.
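The following Python script is an added example, not the platform's own detection query (which this page does not show): it applies the two rule conditions described above, original-filename match and imphash match, to a handful of constructed Sysmon Event ID 7 (Image Load) messages written in Event Viewer's "Field: value" layout. The SHA256 values, timestamps and file paths in the sample events are placeholders; the imphash is the one from this page's IOC table.

```python
import re
from typing import Dict, List, Optional, Tuple

# Imphash of COMSVCS.DLL as listed in this page's IOC table.
COMSVCS_IMPHASH = "EADBCCBB324829ACB5F2BBE87E5549A8"

RULE_ORIGNAME = "Detect Renamed COMSVCS.DLL Load by Rundll32"
RULE_IMPHASH = "Detect Renamed COMSVCS.DLL Load by Rundll32 with Imphash"

# Constructed Sysmon Event ID 7 messages (not real captures). Only the fields
# the rules need are kept; <placeholder> stands in for a SHA256 value.
SAMPLE_EVENTS = [
    # 1: renamed copy whose version info still says comsvcs.dll -> first rule fires
    r"""Image loaded:
UtcTime: 2024-01-01 10:00:00.000
Image: C:\Windows\System32\rundll32.exe
ImageLoaded: C:\Windows\Temp\update.dll
Description: COM+ Services
OriginalFileName: comsvcs.dll
Hashes: SHA256=<placeholder>,IMPHASH=EADBCCBB324829ACB5F2BBE87E5549A8
Signed: true""",
    # 2: renamed copy with version info stripped -> only the imphash rule fires
    r"""Image loaded:
UtcTime: 2024-01-01 10:05:00.000
Image: C:\Windows\SysWOW64\rundll32.exe
ImageLoaded: C:\Users\Public\x.dll
Description: -
OriginalFileName: -
Hashes: SHA256=<placeholder>,IMPHASH=eadbccbb324829acb5f2bbe87e5549a8
Signed: false""",
    # 3: legitimate name and path -> these two rules stay silent
    r"""Image loaded:
UtcTime: 2024-01-01 10:10:00.000
Image: C:\Windows\System32\rundll32.exe
ImageLoaded: C:\Windows\System32\comsvcs.dll
OriginalFileName: comsvcs.dll
Hashes: SHA256=<placeholder>,IMPHASH=EADBCCBB324829ACB5F2BBE87E5549A8
Signed: true""",
    # 4: a different loading process -> out of scope for these rules
    r"""Image loaded:
UtcTime: 2024-01-01 10:15:00.000
Image: C:\Windows\System32\svchost.exe
ImageLoaded: C:\Windows\Temp\update.dll
OriginalFileName: comsvcs.dll
Hashes: SHA256=<placeholder>,IMPHASH=EADBCCBB324829ACB5F2BBE87E5549A8
Signed: true""",
]

_FIELD = re.compile(r"^([A-Za-z]+):\s?(.*)$")


def parse_event(text: str) -> Dict[str, str]:
    """Turn the 'Field: value' lines of one Sysmon message into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def imphash_of(fields: Dict[str, str]) -> str:
    """Pull the IMPHASH component out of Sysmon's comma-separated Hashes field."""
    for part in fields.get("Hashes", "").split(","):
        name, _, value = part.partition("=")
        if name.strip().upper() == "IMPHASH":
            return value.strip().upper()
    return ""


def classify(fields: Dict[str, str]) -> Optional[str]:
    """Return the name of the rule that matches this image load, or None."""
    image = fields.get("Image", "").lower()
    loaded = fields.get("ImageLoaded", "").lower()
    if not image.endswith("\\rundll32.exe"):
        return None                      # loader is not rundll32.exe
    if loaded.endswith("\\comsvcs.dll"):
        return None                      # not renamed; other rules cover this
    if fields.get("OriginalFileName", "").lower() == "comsvcs.dll":
        return RULE_ORIGNAME             # version info betrays the original name
    if imphash_of(fields) == COMSVCS_IMPHASH:
        return RULE_IMPHASH              # version info gone, import table unchanged
    return None


def scan(events: List[str]) -> List[Tuple[str, str]]:
    """Return (rule name, ImageLoaded) for every event that matches a rule."""
    hits: List[Tuple[str, str]] = []
    for text in events:
        fields = parse_event(text)
        rule = classify(fields)
        if rule:
            hits.append((rule, fields.get("ImageLoaded", "")))
    return hits


if __name__ == "__main__":
    for rule, path in scan(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

The imphash branch only works if Sysmon is configured to record IMPHASH in its `HashAlgorithms` setting; with the default hash selection the `Hashes` field carries no imphash and only the OriginalFileName condition can fire. Note also that a copy of the DLL kept under its original name in a different directory is outside both rules by design, which is why the recommendation to watch rundll32.exe loading DLLs from unusual locations still matters.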
Detection queries are kept inside the platform.
Indicators of compromise (1)
| Type | Value |
|---|---|
| hash_md5 | EADBCCBB324829ACB5F2BBE87E5549A8 |