Suspicious DumpMinitool Execution

Detects suspicious ways to use the "DumpMinitool.exe" binary: the Visual Studio test-platform dump helper (also reachable under its renamed or architecture-specific file names via OriginalFileName) executed from outside the Visual Studio installation folders, with a command line containing ".txt", or with a dump type keyword (Full, Mini, WithHeap) present while the "--dumpType" switch is absent.

Sigma rule

title: Suspicious DumpMinitool Execution
id: eb1c4225-1c23-4241-8dd4-051389fde4ce
status: test
description: Detects suspicious ways to use the "DumpMinitool.exe" binary
references:
    - https://twitter.com/mrd0x/status/1511415432888131586
    - https://twitter.com/mrd0x/status/1511489821247684615
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/
author: Florian Roth (Nextron Systems)
date: 2022/04/06
modified: 2023/04/12
tags:
    - attack.defense_evasion
    - attack.t1036
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\DumpMinitool.exe'
              - '\DumpMinitool.x86.exe'
              - '\DumpMinitool.arm64.exe'
        - OriginalFileName:
              - 'DumpMinitool.exe'
              - 'DumpMinitool.x86.exe'
              - 'DumpMinitool.arm64.exe'
    filter_folder:
        Image|contains:
            - '\Microsoft Visual Studio\'
            - '\Extensions\'  # https://github.com/microsoft/vstest/blob/b2e2126f1aa7e5753cafe9515563c99ade6a59ce/src/package/nuspec/Microsoft.TestPlatform.Portable.nuspec#L159
    susp_flags:
        CommandLine|contains: '.txt'
    cmd_has_flags:
        CommandLine|contains:
            - ' Full'
            - ' Mini'
            - ' WithHeap'
    filter_cmd_misses_flags:
        CommandLine|contains: '--dumpType'
    condition: selection and ( ( not filter_folder ) or susp_flags or ( cmd_has_flags and not filter_cmd_misses_flags ) )
falsepositives:
    - Unknown
level: high
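To see which branch of the condition fires for a given process-creation event, here is an added example that hand-implements the rule's detection logic in Python and runs it over constructed events. This is not the SigmaHQ rule, sigma-cli or pySigma; it covers only the Sigma semantics this rule needs (case-insensitive string matching, OR across a list of values, AND across the keys of one selection, OR between the two list items of `selection`). All paths, PIDs and file names in the sample events are made up.

```python
# Added example: evaluator for the rule's detection logic over constructed
# process_creation events. Not the SigmaHQ rule or a Sigma library; it
# implements only the subset of Sigma matching semantics the rule uses.

IMAGE_SUFFIXES = ("\\DumpMinitool.exe", "\\DumpMinitool.x86.exe", "\\DumpMinitool.arm64.exe")
ORIGINAL_NAMES = ("DumpMinitool.exe", "DumpMinitool.x86.exe", "DumpMinitool.arm64.exe")
FILTER_FOLDERS = ("\\Microsoft Visual Studio\\", "\\Extensions\\")
DUMP_TYPE_WORDS = (" Full", " Mini", " WithHeap")


def _endswith_any(value, suffixes):
    v = value.lower()                      # Sigma string matching is case-insensitive
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _equals_any(value, candidates):
    v = value.lower()
    return any(v == c.lower() for c in candidates)


def evaluate(event):
    """Return the truth value of every named selection plus the rule's verdict."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    cmdline = event.get("CommandLine", "")
    parts = {
        # list form of `selection`: Image suffix OR OriginalFileName match
        "selection": _endswith_any(image, IMAGE_SUFFIXES) or _equals_any(original, ORIGINAL_NAMES),
        "filter_folder": _contains_any(image, FILTER_FOLDERS),
        "susp_flags": _contains_any(cmdline, (".txt",)),
        "cmd_has_flags": _contains_any(cmdline, DUMP_TYPE_WORDS),
        "filter_cmd_misses_flags": _contains_any(cmdline, ("--dumpType",)),
    }
    # condition: selection and ( ( not filter_folder ) or susp_flags
    #            or ( cmd_has_flags and not filter_cmd_misses_flags ) )
    parts["matched"] = parts["selection"] and (
        (not parts["filter_folder"])
        or parts["susp_flags"]
        or (parts["cmd_has_flags"] and not parts["filter_cmd_misses_flags"])
    )
    return parts


# Constructed sample events; paths, PIDs and file names are invented.
VS_IMAGE = ("C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE"
            "\\Extensions\\TestPlatform\\Extensions\\DumpMinitool.exe")
SAMPLE_EVENTS = {
    "vstest_normal": {                      # regular test-host crash dump: no alert
        "Image": VS_IMAGE, "OriginalFileName": "DumpMinitool.exe",
        "CommandLine": '"DumpMinitool.exe" --file C:\\TestResults\\crash.dmp --processId 4321 --dumpType Full'},
    "copied_to_public_txt": {               # binary copied out of the VS tree: alert
        "Image": "C:\\Users\\Public\\DumpMinitool.exe", "OriginalFileName": "DumpMinitool.exe",
        "CommandLine": "DumpMinitool.exe --file C:\\Users\\Public\\out.txt --processId 672 --dumpType Full"},
    "renamed_binary": {                     # renamed on disk, caught via OriginalFileName: alert
        "Image": "C:\\Temp\\svc.exe", "OriginalFileName": "DumpMinitool.exe",
        "CommandLine": "svc.exe --file C:\\Temp\\1.dmp --processId 900 --dumpType Full"},
    "vs_folder_txt_output": {               # trusted folder but '.txt' in the command line: alert
        "Image": VS_IMAGE, "OriginalFileName": "DumpMinitool.exe",
        "CommandLine": '"DumpMinitool.exe" --file C:\\Temp\\notes.txt --processId 672 --dumpType Full'},
    "vs_folder_positional_full": {          # 'Full' present without --dumpType: alert
        "Image": VS_IMAGE, "OriginalFileName": "DumpMinitool.exe",
        "CommandLine": '"DumpMinitool.exe" --file C:\\Temp\\1.dmp --processId 672 Full'},
    "extensions_folder_elsewhere": {        # any '\Extensions\' path satisfies filter_folder: no alert
        "Image": "C:\\Users\\Public\\Extensions\\DumpMinitool.exe", "OriginalFileName": "DumpMinitool.exe",
        "CommandLine": "DumpMinitool.exe --file C:\\Temp\\1.dmp --processId 672 --dumpType Full"},
    "unrelated_process": {
        "Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c whoami"},
}


def run_samples(events=SAMPLE_EVENTS):
    """Map each sample name to the rule's verdict for that event."""
    return {name: evaluate(ev)["matched"] for name, ev in events.items()}


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        parts = evaluate(ev)
        hits = [k for k, v in parts.items() if v and k != "matched"]
        print(f"{name:28} matched={parts['matched']!s:5} via {hits}")
```

Two behaviours worth noting when tuning this rule: the `filter_folder` test is a plain substring match, so a copy of the binary placed under any directory named `Extensions` (the `extensions_folder_elsewhere` event) is suppressed unless the `.txt` or missing `--dumpType` branch fires, and the `renamed_binary` event shows why the `OriginalFileName` item in `selection` matters: a rename on disk defeats the `Image|endswith` item but not the PE version resource that Sysmon and similar sources report.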
