Suspicious DumpMinitool Execution

Detects suspicious ways to use the "DumpMinitool.exe" binary

Sigma rule

title: Suspicious DumpMinitool Execution
id: eb1c4225-1c23-4241-8dd4-051389fde4ce
status: test
description: Detects suspicious ways to use the "DumpMinitool.exe" binary
references:
    - https://twitter.com/mrd0x/status/1511415432888131586
    - https://twitter.com/mrd0x/status/1511489821247684615
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/
author: Florian Roth (Nextron Systems)
date: 2022-04-06
modified: 2023-04-12
tags:
    - attack.defense-evasion
    - attack.credential-access
    - attack.t1036
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\DumpMinitool.exe'
              - '\DumpMinitool.x86.exe'
              - '\DumpMinitool.arm64.exe'
        - OriginalFileName:
              - 'DumpMinitool.exe'
              - 'DumpMinitool.x86.exe'
              - 'DumpMinitool.arm64.exe'
    filter_folder:
        Image|contains:
            - '\Microsoft Visual Studio\'
            - '\Extensions\'  # https://github.com/microsoft/vstest/blob/b2e2126f1aa7e5753cafe9515563c99ade6a59ce/src/package/nuspec/Microsoft.TestPlatform.Portable.nuspec#L159
    susp_flags:
        CommandLine|contains: '.txt'
    cmd_has_flags:
        CommandLine|contains:
            - ' Full'
            - ' Mini'
            - ' WithHeap'
    filter_cmd_misses_flags:
        CommandLine|contains: '--dumpType'
    condition: selection and ( ( not filter_folder ) or susp_flags or ( cmd_has_flags and not filter_cmd_misses_flags ) )
falsepositives:
    - Unknown
level: high
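The rule's condition, evaluated as plain Python over constructed process_creation events so each branch of the `condition` line can be seen firing or not; this is an added example, not part of the rule or the Sigma project, and the paths, PIDs and command lines are constructed samples.

```python
# Added example (not from the Sigma project): the rule's condition evaluated
# over constructed process_creation events. Sigma 'contains'/'endswith'
# match case-insensitively, which .lower() mimics here.
NAMES = ("dumpminitool.exe", "dumpminitool.x86.exe", "dumpminitool.arm64.exe")
def _ci(ev, field):
    return ev.get(field, "").lower()
def selection(ev):
    image = _ci(ev, "Image")
    return any(image.endswith("\\" + n) for n in NAMES) or _ci(ev, "OriginalFileName") in NAMES
def filter_folder(ev):
    image = _ci(ev, "Image")
    return "\\microsoft visual studio\\" in image or "\\extensions\\" in image
def susp_flags(ev):
    return ".txt" in _ci(ev, "CommandLine")
def cmd_has_flags(ev):
    cl = _ci(ev, "CommandLine")
    return any(f in cl for f in (" full", " mini", " withheap"))
def filter_cmd_misses_flags(ev):
    return "--dumptype" in _ci(ev, "CommandLine")

def matches(ev):
    # condition: selection and ( (not filter_folder) or susp_flags
    #            or (cmd_has_flags and not filter_cmd_misses_flags) )
    return selection(ev) and (
        not filter_folder(ev)
        or susp_flags(ev)
        or (cmd_has_flags(ev) and not filter_cmd_misses_flags(ev))
    )

# Constructed sample events, not real telemetry.
VS_DIR = r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform"
EVENTS = [
    # 0: vstest's own use, inside the VS folder with the documented --dumpType flag -> no alert
    {"Image": VS_DIR + r"\DumpMinitool.exe",
     "CommandLine": r"DumpMinitool.exe --file C:\tmp\a.dmp --processId 1234 --dumpType Full"},
    # 1: same command line, but the binary runs outside the VS folder -> alert (filter_folder misses)
    {"Image": r"C:\Users\Public\DumpMinitool.exe",
     "CommandLine": r"DumpMinitool.exe --file C:\tmp\a.dmp --processId 1234 --dumpType Full"},
    # 2: renamed copy, still matched via OriginalFileName; '.txt' target -> alert despite the folder
    {"Image": VS_DIR + r"\notepad.exe", "OriginalFileName": "DumpMinitool.exe",
     "CommandLine": r"notepad.exe --file C:\tmp\a.txt --processId 1234 --dumpType Full"},
    # 3: unrelated process -> no alert
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

def alerts(events=EVENTS):
    """Indices of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if matches(ev)]
```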
