DMP/HDMP File Creation

Detects the creation of a file with the ".dmp"/".hdmp" extension. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.

Sigma rule

title: DMP/HDMP File Creation
id: 3a525307-d100-48ae-b3b9-0964699d7f97
status: experimental
description: Detects the creation of a file with the ".dmp"/".hdmp" extension. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
references:
    - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/09/07
tags:
    - attack.defense_evasion
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '.dmp'
            - '.dump'
            - '.hdmp'
    condition: selection
falsepositives:
    - Likely during crashes of software
level: low
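The selection above is a single `TargetFilename|endswith` test, which Sigma evaluates case-insensitively. The following is an added example (not part of the rule or the Sigma project) that applies that same logic to constructed file-creation events of the kind a Windows `file_event` log source produces, and then groups the hits by the process that wrote the file, which is the first thing an analyst needs in order to "determine the source of the crash" as the description asks. The process images and paths in the sample data are constructed for illustration.

```python
"""Added example: evaluate the rule's 'TargetFilename|endswith' selection
against constructed file-create events and group hits by writing process.
This is illustrative code, not the Sigma project's own implementation."""
from dataclasses import dataclass

# The three suffixes listed under TargetFilename|endswith in the rule.
# Sigma string matching is case-insensitive by default, so the comparison
# below lowercases the filename before testing it.
DUMP_SUFFIXES = (".dmp", ".dump", ".hdmp")


@dataclass
class FileCreateEvent:
    """Minimal file-creation record (constructed shape, not a vendor schema)."""
    image: str            # process that created the file
    target_filename: str  # full path of the created file


def matches_dmp_rule(event: FileCreateEvent) -> bool:
    """True when the rule's selection would fire on this event."""
    return event.target_filename.lower().endswith(DUMP_SUFFIXES)


def triage(events):
    """Group matching events by the creating process (lowercased image path).

    A crash handler writing into a crash-dump folder is the expected
    false positive named in the rule; an unfamiliar process writing dump
    files is what deserves a closer look.
    """
    hits = {}
    for ev in events:
        if matches_dmp_rule(ev):
            hits.setdefault(ev.image.lower(), []).append(ev.target_filename)
    return hits


# Constructed sample events; paths and process names are illustrative only.
SAMPLE_EVENTS = [
    FileCreateEvent(r"C:\Windows\System32\WerFault.exe",
                    r"C:\Users\alice\AppData\Local\CrashDumps\app.exe.1234.dmp"),
    FileCreateEvent(r"C:\Windows\System32\WerFault.exe",
                    r"C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report.hdmp"),
    FileCreateEvent(r"C:\Temp\tool.exe",
                    r"C:\Temp\out.DMP"),   # upper-case extension still matches
    FileCreateEvent(r"C:\Windows\explorer.exe",
                    r"C:\Users\alice\notes.txt"),  # does not match
]

if __name__ == "__main__":
    for image, files in triage(SAMPLE_EVENTS).items():
        print(f"{image}: {len(files)} dump file(s)")
        for path in files:
            print("    ", path)
```

Running the block lists two dump files attributed to the crash-handler process and one to an unrelated program; the `.txt` event is ignored. Because the rule is `level: low` and expects crashes as a normal source of hits, grouping by writer rather than alerting per file keeps the volume manageable while still surfacing the unusual writer.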
