Renamed ProcDump Execution
Detects the execution of a renamed ProcDump executable often used by attackers or malware
Sigma rule (View on GitHub)
1title: Renamed ProcDump Execution
2id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67
3related:
4 - id: 03795938-1387-481b-9f4c-3f6241e604fe
5 type: obsoletes
6status: test
7description: Detects the execution of a renamed ProcDump executable often used by attackers or malware
8references:
9 - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
10author: Florian Roth (Nextron Systems)
11date: 2019/11/18
12modified: 2022/12/08
13tags:
14 - attack.defense_evasion
15 - attack.t1036.003
16logsource:
17 product: windows
18 category: process_creation
19detection:
20 selection_org:
21 OriginalFileName: 'procdump'
22 selection_args_ma:
23 CommandLine|contains:
24 - ' -ma '
25 - ' /ma '
26 selection_args_other:
27 CommandLine|contains:
28 - ' -accepteula '
29 - ' /accepteula '
30 filter:
31 Image|endswith:
32 - '\procdump.exe'
33 - '\procdump64.exe'
34 condition: (selection_org or all of selection_args_*) and not filter
35falsepositives:
36 - Procdump illegaly bundled with legitimate software
37 - Administrators who rename binaries (should be investigated)
38level: high
References
Related rules
- File Download Via Bitsadmin
- Renamed Jusched.EXE Execution
- Renamed Autohotkey Binary
- Suspicious Start-Process PassThru
- Suspicious Use of Rcedit Utility to Alter Executable Metadata