Process memory dumped using the minidump functions of comsvcs.dll
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect the minidump function of comsvcs.dll being used to dump process memory.
Strategy
Threat actors are known to utilize tools found natively in a victim’s environment to accomplish their objectives. Comsvcs.dll, a legitimate Windows dll, has been abused by malicious actors in the past to dump process memory, notably from LSASS in an attempt to extract credentials.
Triage and response
- Identify what process is being dumped, and confirm if authorized or expected.
- If it’s not authorized, isolate the host from the network.
- Follow your organization’s internal processes for investigating and remediating compromised systems.
Requires Agent version 7.50.0 or greater.
This rule is a part of the beta for detections on Windows! If you would like to try the new Windows agent, create a support ticket and indicate that you wish to join the Cloud Security Management - Windows beta.
