LoFP / t1036

t1036

Title / Tags
administrative activity
administrative activity (adjust code pages according to your organization's region)
an administrator or IT professional may execute this application to verify files or debug an application.
administrators may allow creation of script or exe in the paths specified. filter as needed.
administrators who rename binaries (should be investigated).
another tool that uses command line flags similar to procdump
another tool that uses the command line switches of xordump
because the recycle bin is a hidden folder in modern versions of windows, it would be unusual for a process other than explorer.exe to write to it. incidents should be investigated as appropriate.
citrix
command lines that use the same flags
command lines that contain scripts such as arabic or hebrew might make use of this character
command lines with legitimate cyrillic text; will likely require tuning (or not be usable) in countries where these alphabets are in use.
custom applications use renamed binaries with a slight change to the binary name. typically this is easy to spot and add to the whitelist
custom windows error reporting debugger or applications restarted by werfault after a crash.
depends on scripts and administrative tools used in the monitored environment (for example admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)
false positives are expected in cases in which procdump just gets copied to a different directory without any renaming
false positives depend on scripts and administrative tools used in the monitored environment
file names with legitimate cyrillic text. will likely require tuning (or not be usable) in countries where these alphabets are in use.
filenames that contain scripts such as arabic or hebrew might make use of this character
google drive
installers and updaters may set currently in use files for rename or deletion after a reboot.
it is possible that other utilities or system processes may legitimately write to this folder. investigate and modify the search to include exceptions as appropriate.
legitimate application crash with a rare werfault command-line value
legitimate powershell scripts
legitimate software that uses these patterns
legitimate use of procdump by a developer or administrator
legitimate use of the tool by administrators or users to update metadata of a binary
legitimate use of encrypted zip files
mistyped commands or legitimate binaries named to match the pattern
procdump illegally bundled with legitimate software.
psexec installed via windows store doesn't contain original filename field (false negative)
russian speaking people changing the codepage
some legitimate apps use this, but only in limited cases.
some security products seem to spawn these
some tuning is required for other general purpose directories of third party apps
system components such as daemon-set-controller and kube-scheduler also create pods in the kube-system namespace
system processes copied outside their default folders for testing purposes
third party software might bundle specific versions of system dlls.
third party software naming their software with the same names as the processes mentioned here
this is meant to run only on datasources using elastic agent 7.14+ since versions prior to that will be missing the necessary field, resulting in false positives.
unknown flash download locations
unlikely
unlikely, because no one should dump lsass process memory
when cmd.exe and xcopy.exe are called directly
when the command contains the keywords but not in the correct order