```yaml
title: LSASS Memory Dump via Comsvcs.dll
id: edr-win-cred-lsass-minidump
status: stable
description: >
  Detects LSASS credential dumping via rundll32.exe invoking the MiniDump export
  from comsvcs.dll. This is a native Windows technique requiring no external
  tooling — the attacker only needs administrative privileges and
  SeDebugPrivilege. Widely used across Akira, Qilin, Conti, and virtually every
  RaaS operation.
references:
  - https://lolbas-project.github.io/#/LOLBins/Comsvcs
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a
author: ShroudCloud
date: 2026/04/14
modified: 2026/04/14
tags:
  - attack.credential_access
  - attack.t1003.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_comsvcs:
    Image|endswith: '\rundll32.exe'
    CommandLine|contains|all:
      - 'comsvcs.dll'
      - 'lsass'
  selection_dmp:
    CommandLine|contains: 'lsass.dmp'
  condition: selection_comsvcs or selection_dmp
falsepositives:
  - Legitimate crash dump collection (should reference specific dump paths, not arbitrary)
level: high
```
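As an added example that is not part of the rule file above, the following Python applies the rule's two selections and its `or` condition to constructed process_creation events. It hand-codes Sigma's default case-insensitive string matching rather than using a Sigma backend, and every event, image path and command line is hypothetical.

```python
# Added example: evaluates selection_comsvcs / selection_dmp from the Sigma rule
# above against constructed events. Sigma string matching is case-insensitive
# by default, so both helpers lower-case before comparing.

def _ci_endswith(value: str, suffix: str) -> bool:
    # Sigma 'endswith' modifier.
    return value.lower().endswith(suffix.lower())

def _ci_contains(value: str, needle: str) -> bool:
    # Sigma 'contains' modifier.
    return needle.lower() in value.lower()

def selection_comsvcs(event: dict) -> bool:
    # Image|endswith '\rundll32.exe' AND CommandLine|contains|all ['comsvcs.dll', 'lsass']
    cmd = event.get("CommandLine", "")
    return (_ci_endswith(event.get("Image", ""), "\\rundll32.exe")
            and all(_ci_contains(cmd, s) for s in ("comsvcs.dll", "lsass")))

def selection_dmp(event: dict) -> bool:
    # CommandLine|contains 'lsass.dmp', regardless of which image produced it
    return _ci_contains(event.get("CommandLine", ""), "lsass.dmp")

def evaluate(event: dict) -> list:
    # Names of the selections that fired; a non-empty list means the rule's
    # condition 'selection_comsvcs or selection_dmp' is satisfied.
    fired = []
    if selection_comsvcs(event):
        fired.append("selection_comsvcs")
    if selection_dmp(event):
        fired.append("selection_dmp")
    return fired

# Constructed sample events (hypothetical telemetry, not captured data).
EVENTS = {
    "minidump": {"Image": r"C:\Windows\System32\rundll32.exe",
                 "CommandLine": r"rundll32.exe comsvcs.dll MiniDump <pid> C:\Temp\lsass.dmp"},
    "upper":    {"Image": r"C:\WINDOWS\SYSTEM32\RUNDLL32.EXE",
                 "CommandLine": r"RUNDLL32.EXE COMSVCS.DLL MiniDump <pid> C:\Temp\LSASS.DMP"},
    "dmp_only": {"Image": r"C:\Windows\System32\cmd.exe",
                 "CommandLine": r"cmd.exe /c dir C:\Temp\lsass.dmp"},
    "benign":   {"Image": r"C:\Windows\System32\rundll32.exe",
                 "CommandLine": r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL'},
    "werfault": {"Image": r"C:\Windows\System32\WerFault.exe",
                 "CommandLine": r"WerFault.exe -u -p 4242 -s 1337"},
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name:9s} -> {evaluate(ev) or 'no match'}")
```

The "upper" event shows why case-insensitive matching matters for this rule, and "benign" shows that an ordinary rundll32 invocation without comsvcs.dll does not fire.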