Potential SysInternals ProcDump Evasion
Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
Sigma rule

title: Potential SysInternals ProcDump Evasion
id: 79b06761-465f-4f88-9ef2-150e24d3d737
status: test
description: Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
references:
    - https://twitter.com/mrd0x/status/1480785527901204481
author: Florian Roth (Nextron Systems)
date: 2022-01-11
modified: 2023-05-09
tags:
    - attack.defense-evasion
    - attack.t1036
    - attack.t1003.001
    - attack.credential-access
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains:
            - 'copy procdump'
            - 'move procdump'
    selection_2:
        CommandLine|contains|all:
            - 'copy '
            - '.dmp '
        CommandLine|contains:
            - '2.dmp'
            - 'lsass'
            - 'out.dmp'
    selection_3:
        CommandLine|contains:
            - 'copy lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp
            - 'move lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp
    condition: 1 of selection_*
falsepositives:
    - False positives are expected in cases in which ProcDump just gets copied to a different directory without any renaming
level: high
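As an added example (not part of the rule or the Sigma project), the following Python evaluates the rule's three selections and its `1 of selection_*` condition against constructed process_creation CommandLine values, including the copy-without-rename case the falsepositives field describes. The event names and command lines are constructed sample data, and matching is done case-insensitively because that is the default for Sigma string modifiers.

```python
"""Added example: apply the ProcDump evasion rule's selections to sample events."""
from typing import List

# Substring lists copied from the rule's detection section.
SELECTION_1 = ("copy procdump", "move procdump")
SELECTION_2_ALL = ("copy ", ".dmp ")            # CommandLine|contains|all
SELECTION_2_ANY = ("2.dmp", "lsass", "out.dmp") # CommandLine|contains
SELECTION_3 = ("copy lsass.exe_", "move lsass.exe_")


def matched_selections(command_line: str) -> List[str]:
    """Return the names of the selections that fire for one process_creation event.

    Sigma string matching is case-insensitive by default, so the CommandLine is
    lowered first. `contains|all` needs every substring; plain `contains` needs one.
    """
    cmd = command_line.lower()
    hits = []
    if any(s in cmd for s in SELECTION_1):
        hits.append("selection_1")
    if all(s in cmd for s in SELECTION_2_ALL) and any(s in cmd for s in SELECTION_2_ANY):
        hits.append("selection_2")
    if any(s in cmd for s in SELECTION_3):
        hits.append("selection_3")
    return hits


def rule_fires(command_line: str) -> bool:
    """condition: 1 of selection_* -- any single selection is enough to alert."""
    return bool(matched_selections(command_line))


# Constructed sample CommandLine values (not real telemetry).
SAMPLE_EVENTS = {
    "rename_tool": r"cmd.exe /c copy procdump.exe C:\Temp\pd.exe",
    "copy_tool_no_rename": r"cmd.exe /c copy procdump64.exe C:\Tools",  # the documented false positive
    "rename_default_dump": r"cmd.exe /c copy lsass.exe_220111_085234.dmp C:\Users\Public\out.dmp",
    "crash_dump_copy": r"cmd.exe /c copy memory.dmp D:\crash\out.dmp",
    "benign_copy": r"cmd.exe /c copy report.docx C:\Users\Public",
}

if __name__ == "__main__":
    for name, cmd in SAMPLE_EVENTS.items():
        print(f"{name:22} fires={str(rule_fires(cmd)):5} {matched_selections(cmd)}")
```

Note that `copy_tool_no_rename` fires selection_1 exactly as the falsepositives field predicts, so triage should check whether the destination name actually differs from the source.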
Related rules
- CreateDump Process Dump
- DumpMinitool Execution
- HackTool - XORDump Execution
- Procdump Execution
- Renamed CreateDump Utility Execution