Potential SysInternals ProcDump Evasion
Detects uses of the SysInternals ProcDump utility in which ProcDump or its output gets renamed, or a dump file is moved or copied to a different name
Sigma rule
```yaml
title: Potential SysInternals ProcDump Evasion
id: 79b06761-465f-4f88-9ef2-150e24d3d737
status: test
description: Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
references:
    - https://twitter.com/mrd0x/status/1480785527901204481
author: Florian Roth (Nextron Systems)
date: 2022-01-11
modified: 2023-05-09
tags:
    - attack.defense-evasion
    - attack.t1036
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains:
            - 'copy procdump'
            - 'move procdump'
    selection_2:
        CommandLine|contains|all:
            - 'copy '
            - '.dmp '
        CommandLine|contains:
            - '2.dmp'
            - 'lsass'
            - 'out.dmp'
    selection_3:
        CommandLine|contains:
            - 'copy lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp
            - 'move lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp
    condition: 1 of selection_*
falsepositives:
    - False positives are expected in cases in which ProcDump just gets copied to a different directory without any renaming
level: high
```
References
- https://twitter.com/mrd0x/status/1480785527901204481
Related rules
- CreateDump Process Dump
- DumpMinitool Execution
- HackTool - XORDump Execution
- Potential LSASS Process Dump Via Procdump
- Procdump Execution