Renamed ProcDump Execution

Detects the execution of a renamed ProcDump executable. This is often done by attackers or malware in order to evade defensive mechanisms.

Sigma rule

```yaml
title: Renamed ProcDump Execution
id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67
related:
    - id: 03795938-1387-481b-9f4c-3f6241e604fe
      type: obsoletes
status: test
description: |
    Detects the execution of a renamed ProcDump executable.
    This is often done by attackers or malware in order to evade defensive mechanisms.
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2019/11/18
modified: 2024/06/25
tags:
    - attack.defense_evasion
    - attack.t1036.003
logsource:
    product: windows
    category: process_creation
detection:
    selection_ofn:
        OriginalFileName: 'procdump'
    selection_cli_dump_flag:
        CommandLine|contains|windash:
            - ' -ma ' # Full dump
            - ' -mp ' # Mini plus dump
    selection_cli_eula_flag:
        # Note: even though the "accepteula" flag isn't required, we add it to avoid collisions with similar utilities.
        CommandLine|contains|windash: ' /accepteula'
    filter_main_known_names:
        Image|endswith:
            - '\procdump.exe'
            - '\procdump64.exe'
    condition: (selection_ofn or all of selection_cli_*) and not 1 of filter_main_*
falsepositives:
    - Procdump illegally bundled with legitimate software.
    - Administrators who rename binaries (should be investigated).
level: high
```
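To make the condition concrete, the following is an added Python emulation of this rule's selections, filter and condition (not code from the rule authors or the Sigma project), including the dash-variant expansion that the `windash` modifier performs, evaluated over constructed sample process_creation events:

```python
import re

# Dash variants that Sigma's "windash" modifier expands to:
# hyphen, slash, en dash, em dash and horizontal bar.
WINDASH_CHARS = "-/\u2013\u2014\u2015"

# Constructed sample process_creation events (hypothetical, not taken from the page).
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\procdump64.exe", "OriginalFileName": "procdump",
     "CommandLine": "procdump64.exe -accepteula -ma notepad.exe out.dmp"},   # legitimate name
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "procdump",
     "CommandLine": "svc.exe -ma 1234 out.dmp"},                             # renamed, OFN reveals it
    {"Image": r"C:\Temp\update.exe", "OriginalFileName": "update.exe",
     "CommandLine": "UPDATE.EXE /AcceptEula /MP 1234"},                      # OFN stripped, flags reveal it
    {"Image": r"C:\Temp\update.exe", "OriginalFileName": "update.exe",
     "CommandLine": "update.exe -ma 1234"},                                  # dump flag only, no eula flag
]


def windash_contains(value: str, haystack: str) -> bool:
    """Emulate `|contains|windash`: each dash-like character in `value` may appear
    as any Windows command-line dash variant; Sigma string matching is case-insensitive."""
    dash_class = "[" + re.escape(WINDASH_CHARS) + "]"
    pattern = "".join(dash_class if ch in WINDASH_CHARS else re.escape(ch) for ch in value)
    return re.search(pattern, haystack, re.IGNORECASE) is not None


def matches_rule(event: dict) -> bool:
    """Evaluate: (selection_ofn or all of selection_cli_*) and not 1 of filter_main_*"""
    image = event.get("Image", "")
    ofn = event.get("OriginalFileName", "")
    cmd = event.get("CommandLine", "")

    selection_ofn = ofn.lower() == "procdump"
    selection_cli_dump_flag = any(windash_contains(v, cmd) for v in (" -ma ", " -mp "))
    selection_cli_eula_flag = windash_contains(" /accepteula", cmd)
    filter_main_known_names = any(
        image.lower().endswith(suffix) for suffix in ("\\procdump.exe", "\\procdump64.exe")
    )
    selection_cli = selection_cli_dump_flag and selection_cli_eula_flag
    return (selection_ofn or selection_cli) and not filter_main_known_names


def alerting_images(events: list) -> list:
    """Return the Image path of every event that triggers the rule."""
    return [e["Image"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for image in alerting_images(SAMPLE_EVENTS):
        print("ALERT:", image)
```

Only the second and third sample events alert: the first is excluded by the known-name filter, and the fourth carries a dump flag without the `accepteula` flag, so `all of selection_cli_*` is not satisfied.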
