Renamed ProcDump Execution
Detects the execution of a renamed ProcDump executable. This is often done by attackers or malware in order to evade defensive mechanisms.
Sigma rule
title: Renamed ProcDump Execution
id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67
related:
    - id: 03795938-1387-481b-9f4c-3f6241e604fe
      type: obsolete
status: test
description: |
    Detects the execution of a renamed ProcDump executable.
    This is often done by attackers or malware in order to evade defensive mechanisms.
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2019-11-18
modified: 2024-06-25
tags:
    - attack.defense-evasion
    - attack.t1036.003
logsource:
    product: windows
    category: process_creation
detection:
    selection_ofn:
        OriginalFileName: 'procdump'
    selection_cli_dump_flag:
        CommandLine|contains|windash:
            - ' -ma ' # Full Dump
            - ' -mp ' # Mini Plus
    selection_cli_eula_flag:
        # Note: Even though the "accepteula" flag isn't required, we add it to avoid collision with similar utilities.
        CommandLine|contains|windash: ' /accepteula'
    filter_main_known_names:
        Image|endswith:
            - '\procdump.exe'
            - '\procdump64.exe'
    condition: (selection_ofn or all of selection_cli_*) and not 1 of filter_main_*
falsepositives:
    - Procdump illegally bundled with legitimate software.
    - Administrators who rename binaries (should be investigated).
level: high
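To show how the condition above evaluates, here is an added Python example (not part of the rule or of the Sigma project) that applies the rule's three selections and the filter to constructed process_creation events. The `windash` modifier is approximated by treating `-` and `/` as interchangeable in the search string, and string comparisons are case-insensitive as in Sigma.

```python
import re

# Constructed sample process_creation events (not real telemetry).
EVENTS = [
    {  # renamed binary, PE OriginalFileName still says procdump -> selection_ofn
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "procdump",
        "CommandLine": "svc.exe -accepteula -ma lsass.exe out.dmp",
    },
    {  # legitimate, unrenamed ProcDump -> excluded by filter_main_known_names
        "Image": r"C:\Tools\procdump64.exe",
        "OriginalFileName": "procdump",
        "CommandLine": "procdump64.exe -accepteula -ma 1234 out.dmp",
    },
    {  # OriginalFileName patched out, but slash-style flags -> all of selection_cli_*
        "Image": r"C:\Temp\pd.exe",
        "OriginalFileName": "pd.exe",
        "CommandLine": r"pd.exe /accepteula /ma 4321 C:\Temp\x.dmp",
    },
    {  # unrelated process -> no match
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c dir",
    },
    {  # dump flag without /accepteula -> selection_cli_* not all satisfied
        "Image": r"C:\Temp\dumper.exe",
        "OriginalFileName": "dumper",
        "CommandLine": "dumper.exe -ma 1 out.dmp",
    },
]


def windash_contains(value: str, needle: str) -> bool:
    """Sigma 'contains|windash' approximation: '-' and '/' match each other."""
    pattern = "".join("[-/]" if ch in "-/" else re.escape(ch) for ch in needle)
    return re.search(pattern, value, re.IGNORECASE) is not None


def matches_rule(event: dict) -> bool:
    """Evaluate: (selection_ofn or all of selection_cli_*) and not 1 of filter_main_*."""
    ofn, image, cli = (event.get(k, "") for k in ("OriginalFileName", "Image", "CommandLine"))
    selection_ofn = ofn.lower() == "procdump"
    selection_cli_dump_flag = any(windash_contains(cli, f) for f in (" -ma ", " -mp "))
    selection_cli_eula_flag = windash_contains(cli, " /accepteula")
    filter_main_known_names = image.lower().endswith(("\\procdump.exe", "\\procdump64.exe"))
    return (selection_ofn or (selection_cli_dump_flag and selection_cli_eula_flag)) \
        and not filter_main_known_names


def alerting_events(events: list) -> list:
    """Return the indices of events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    print(alerting_events(EVENTS))  # [0, 2]
```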