
# *LSASS Dump via comsvcs.dll*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1218.011 | System Binary Proxy Execution: Rundll32 | https://attack.mitre.org/techniques/T1218/011/ |
| T1003 | OS Credential Dumping | https://attack.mitre.org/techniques/T1003/ |
| TA0005 | Defense Evasion | https://attack.mitre.org/tactics/TA0005/ |
| TA0006 | Credential Access | https://attack.mitre.org/tactics/TA0006/ |

#### Description
This rule detects suspicious execution patterns of rundll32.exe. Specifically, it looks for rundll32.exe being called with an obfuscated ordinal number (e.g., #+, #-, #0, #655, #656), which adversaries use to obscure which export is being invoked. Additionally, it identifies rundll32.exe calling the MiniDump export of comsvcs.dll (ordinal 24) with the "full" dump type, a common technique for dumping LSASS memory and harvesting OS credentials.
This query combines, into a single query, the queries created by Ayush Anand and published at https://www.securityinbits.com/detection-engineering/lsass-dump-comsvcs-rundll32/

#### Risk
Detects LSASS dumping; particularly relevant on hosts where Credential Guard is not active.

#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**

#### References
- https://www.securityinbits.com/detection-engineering/lsass-dump-comsvcs-rundll32/


## Defender XDR
```KQL
// Combined queries from this article: https://www.securityinbits.com/detection-engineering/lsass-dump-comsvcs-rundll32/
// Props to Ayush Anand
// rundll32.exe invoked with an obfuscated ordinal export (#+, #-, #0, #655, #656)
let ObfusOrdCall = DeviceProcessEvents
| where (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32")
    and (ProcessCommandLine contains "#+" or ProcessCommandLine contains "#-" or ProcessCommandLine contains "#0" or ProcessCommandLine contains "#655" or ProcessCommandLine contains "#656");
// rundll32.exe calling the comsvcs.dll MiniDump export (ordinal 24) with the "full" dump type
let MemDumpComsvcsDLL = DeviceProcessEvents
| where ((FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32")
        and (ProcessCommandLine contains "comsvcs" and ProcessCommandLine contains "full")
        and (ProcessCommandLine contains "#-" or ProcessCommandLine contains "#+" or ProcessCommandLine contains "#24" or ProcessCommandLine contains "24 " or ProcessCommandLine contains "MiniDump" or ProcessCommandLine contains "#65560"))
    or ((ProcessCommandLine contains "24" and ProcessCommandLine contains "comsvcs" and ProcessCommandLine contains "full")
        and (ProcessCommandLine contains " #" or ProcessCommandLine contains ",#" or ProcessCommandLine contains ", #" or ProcessCommandLine contains "\"#"));
ObfusOrdCall
| union MemDumpComsvcsDLL
```

## Explanation

This query is designed to detect potentially malicious activity related to credential dumping on a Windows system. Here's a simplified explanation:

1. Purpose: The query aims to identify suspicious uses of the rundll32.exe process, a legitimate Windows utility that attackers can abuse to execute malicious code.
2. Techniques Detected:
   - System Binary Proxy Execution (T1218.011): Using legitimate system binaries, like rundll32.exe, to execute malicious code.
   - OS Credential Dumping (T1003): Extracting credentials from the operating system, often by targeting the LSASS (Local Security Authority Subsystem Service) process.
   - Defense Evasion (TA0005) and Credential Access (TA0006): The broader tactics of avoiding detection and gaining access to credentials, respectively.
3. Detection Method:
   - The query looks for rundll32.exe being executed with certain patterns in its command-line arguments. These patterns include obfuscated ordinal numbers (e.g., #+, #-, #0, #655, #656) that can indicate an attempt to hide which export is being called.
   - It also checks for rundll32.exe loading comsvcs.dll and calling its MiniDump export (ordinal 24) with the "full" dump type, a known method for dumping LSASS memory and extracting credentials from it.
4. Risk: This activity is particularly concerning if Credential Guard, a security feature that helps protect credentials, is not active on the system.
5. Author and References: The query was created by Benjamin Zulliger and builds on work by Ayush Anand, as detailed on the Security in Bits website.

In summary, this query helps security analysts detect potential credential dumping attempts that use rundll32.exe and try to evade detection through obfuscation.

## Details

- Author: Benjamin Zulliger
- Released: October 10, 2025
- Tables: DeviceProcessEvents
- Operators: let, endswith, or, =~, contains, and, union, where