Describe the behaviour you want to detect. SARA writes a starting Sigma rule with MITRE tags, false-positive guidance, and detection-engineering context. Anonymous, no account, best-effort generic detection.
title: LSASS Memory Dump via comsvcs.dll rundll32
id: 01955172-6355-44bd-9c93-e9d97bae88f7
date: 2026-06-10
status: experimental
references:
- https://docs.microsoft.com/en-us/windows-server/identity/lsa/lsa-dump
author: SARA Detection Engineering
tags:
- attack.t1003
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image: 'rundll32.exe'
CommandLine|contains|all:
- 'comsvcs.dll'
- 'DumpIt'
filter:
- Image|endswith: 'lsass.exe'
condition: selection and not filter
Sigma is the open, vendor-neutral format for log-based detections. One rule, written once, converts to Splunk SPL, Elastic ES|QL, KQL for Microsoft Sentinel, Sumo, Chronicle, QRadar, and more. Detection engineers love it for the same reason ATT&CK is the lingua franca for tactics — Sigma is the lingua franca for the queries that detect them.
You've got a fresh write-up of a TTP and need a starting detection in your stack today. Generate, tune, ship.
Pair-program with SARA: the generator produces the skeleton, the engineer learns by tuning, the team commits the result.
You have a rule in one query language; describe it in English and get the Sigma version + conversions to every other backend.
Sketch a detection idea in 30 seconds before investing in a full DE sprint.
SARA Open ships an OpenAI-compatible API. Call POST /api/v1/sigma — Plain English in, valid Sigma YAML out, with MITRE tags and false-positive guidance.
curl -X POST https://sara-open.sirp.io/api/v1/sigma \
-H "Authorization: Bearer $SARA_API_KEY" \
-H "Content-Type: application/json" \
-d '{"description": "PowerShell encoded command from Office"}'
Read the API reference →