Crash Dump Created By Operating System

 1title: Crash Dump Created By Operating System
 2id: 882fbe50-d8d7-4e29-ae80-0648a8556866
 3related:
 4    - id: 2ff692c2-4594-41ec-8fcb-46587de769e0
 5      type: similar
 6status: experimental
 7description: Detects "BugCheck" errors indicating the system rebooted due to a crash, capturing the bugcheck code, dump file path, and report ID.
 8references:
 9    - https://www.sans.edu/cyber-research/from-crash-compromise-unlocking-potential-windows-crash-dumps-offensive-security/
10    - https://jasonmull.com/articles/offensive/2025-05-12-windows-crash-dumps-offensive-security/
11author: Jason Mull
12date: 2025-05-12
13tags:
14    - attack.credential-access
15    - attack.collection
16    - attack.t1003.002
17    - attack.t1005
18logsource:
19    product: windows
20    service: system
21detection:
22    selection:
23        Provider_Name: 'Microsoft-Windows-WER-SystemErrorReporting'
24        EventID: 1001
25    condition: selection
26level: medium

References

• From Crash to Compromise: Unlocking the Potential of Windows Crash Dumps in Offensive Security | SANS Institute

  From Crash to Compromise: Unlocking the Potential of Windows Crash Dumps in Offensive Security | SANS Institute

  
  Read More

• From Crash to Compromise: Unlocking the Potential of Windows Crash Dumps in Offensive Security

  A look into how how Windows crash dump files—often ignored in offensive operations—can be weaponized to extract sensitive data like credentials and encryption keys without noisy memory dumping techniques, while also exploring detection strategies for defenders.

  
  Read More

Related rules

• Cisco Collect Data
• SQLite Chromium Profile Data DB Access
• SQLite Firefox Profile Data DB Access
• Browser Started with Remote Debugging
• Potential Data Stealing Via Chromium Headless Debugging