Potentially Suspicious DMP/HDMP File Creation
Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
Sigma rule (View on GitHub)
1title: Potentially Suspicious DMP/HDMP File Creation
2id: aba15bdd-657f-422a-bab3-ac2d2a0d6f1c
3related:
4 - id: 3a525307-d100-48ae-b3b9-0964699d7f97
5 type: similar
6status: test
7description: Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
8references:
9 - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023-09-07
12tags:
13 - attack.defense-evasion
14logsource:
15 category: file_event
16 product: windows
17detection:
18 selection:
19 Image|endswith:
20 - '\cmd.exe'
21 - '\cscript.exe'
22 - '\mshta.exe'
23 - '\powershell.exe'
24 - '\pwsh.exe'
25 - '\wscript.exe'
26 TargetFilename|endswith:
27 - '.dmp'
28 - '.dump'
29 - '.hdmp'
30 condition: selection
31falsepositives:
32 - Some administrative PowerShell or VB scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive.
33level: medium
References
-
Starting with Windows Server 2008 and Windows Vista with Service Pack 1 (SP1), Windows Error Reporting (WER) can be configured so that full user-mode dumps are collected and stored locally after a user-mode application crashes.
Read More
Related rules
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity