LSASS Dump via comsvcs.dll: Defender Detection Guide

Source: Securityinbits

Author: Ayush Anand

URL: https://www.securityinbits.com/detection-engineering/lsass-dump-comsvcs-rundll32/

LSASS Dump via comsvcs.dll: Defender Detection Guide

ONE SENTENCE SUMMARY:

The query filters device process events for suspicious rundll32.exe activity involving specific command line patterns indicating potential threats.

MAIN POINTS:

1. Filters DeviceProcessEvents for suspicious rundll32.exe activity.
2. Targets FolderPath ending with “\rundll32.exe”.
3. Includes processes with OriginalFileName “RUNDLL32.EXE”.
4. Searches for ProcessCommandLine containing “rundll32”.
5. Detects command line patterns: “#+”, “#-“, “#0”.
6. Includes command patterns “#655” and “#656”.
7. Aims to identify potential security threats.
8. Uses specific command line criteria for filtering.
9. Focuses on unusual rundll32.exe execution.
10. Enhances threat detection in device processes.

TAKEAWAYS:

1. Rundll32.exe processes with unusual commands may indicate a threat.
2. Specific command line patterns are crucial for detection.
3. Filtering by executable name helps narrow down suspicious activity.
4. Command lines with specific patterns signal potential malicious behavior.
5. It’s essential for detecting and mitigating security threats.