هندسة الكشف وSIEM — Sigma و KQL و Splunk

title: LSASS Memory Dump via comsvcs.dll
id: a8e2d456-1234-5678-9abc-def012345678
status: stable
description: Detects MiniDump of LSASS using rundll32 and comsvcs.dll
references:
  - https://attack.mitre.org/techniques/T1003/001/
author: Detection Eng Team
date: 2026/01/15
tags:
  - attack.credential_access
  - attack.t1003.001
logsource:
  product: windows
  service: sysmon
detection:
  selection_proc:
    EventID: 10
    TargetImage|endswith: '\lsass.exe'
  selection_caller:
    SourceImage|endswith: '\rundll32.exe'
    CallTrace|contains: 'comsvcs.dll'
  condition: selection_proc and selection_caller
falsepositives:
  - Microsoft tools that legitimately call MiniDumpWriteDump (rare)
level: high

// Same hypothesis in KQL against DeviceProcessEvents
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName == "rundll32.exe"
| where ProcessCommandLine has_all ("comsvcs.dll", "MiniDump")
| where ProcessCommandLine has "lsass" or ProcessCommandLine matches regex @"\b\d{3,5}\b"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| sort by Timestamp desc

// Pivot: who logged on to that host before the dump?
DeviceLogonEvents
| where DeviceName == "WS-EXEC-04"
| where Timestamp between ((ago(2h)) .. (now()))
| project Timestamp, AccountName, LogonType, RemoteIP

index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
| where match(SourceImage,"rundll32\.exe")
| where match(CallTrace,"comsvcs\.dll")
| stats count by host, SourceImage, GrantedAccess, _time
| where count > 0

// Hunting variant: any process that accessed LSASS with high rights
index=sysmon EventCode=10 TargetImage="*lsass.exe" GrantedAccess IN (0x1010, 0x1410, 0x1438)
| stats values(SourceImage) as accessors, count by host
| where count > 5