title: Process Dump via Rundll32 and Comsvcs.dll
id: 646ea171-dded-4578-8a4d-65e9822892e3
description: Detects a process memory dump performed via ordinal function 24 in comsvcs.dll
status: experimental
references:
    - https://twitter.com/shantanukhande/status/1229348874298388484
    - https://twitter.com/pythonresponder/status/1385064506049630211?s=21
author: Florian Roth
date: 2020/02/18
modified: 2021/04/23
tags:
    - attack.defense_evasion
    - attack.t1036
    - attack.credential_access
    - attack.t1003 # an old one
    - car.2013-05-009
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'comsvcs.dll,#24'
            - 'comsvcs.dll,MiniDump'
            - 'comsvcs.dll MiniDump'
    condition: selection
falsepositives:
    - Unlikely, because no one should dump the process memory in that way
level: high