LoFP LoFP / t1036

t1036

TitleTags
a certain amount of false positives are likely with this detection. msi based installers often trigger for setupapl.dll and vendors will often copy system exectables to a different path for application usage.
administrative activity
administrative activity (adjust code pages according to your organization's region)
administrator or it professional may execute this application for verifying files or debugging application.
administrators may allow creation of script or exe in the paths specified. filter as needed.
administrators who rename binaries (should be investigated).
although unlikely, some legitimate applications may use a moved copy of microsoft.workflow.compiler.exe, triggering a false positive.
although unlikely, some legitimate applications may use a moved copy of msbuild, triggering a false positive.
although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive.
another tool that uses command line flags similar to procdump
another tool that uses the command line switches of xordump
because the recycle bin is a hidden folder in modern versions of windows, it would be unusual for a process other than explorer.exe to write to it. incidents should be investigated as appropriate.
citrix
command lines that use the same flags
commandlines that contains scriptures such as arabic or hebrew might make use of this character
commandlines with legitimate cyrillic text; will likely require tuning (or not be usable) in countries where these alphabets are in use.
custom applications use renamed binaries adding slight change to binary name. typically this is easy to spot and add to whitelist
custom windows error reporting debugger or applications restarted by werfault after a crash.
depend on scripts and administrative tools used in the monitored environment (for example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)
every user may do this event but very un-ussual.
false positives are expected in cases in which procdump just gets copied to a different directory without any renaming
false positives depend on scripts and administrative tools used in the monitored environment
false positives may be present and filtering may be required. certain utilities will run from non-standard paths based on the third-party application in use.
file names with legitimate cyrillic text. will likely require tuning (or not be usable) in countries where these alphabets are in use.
filenames that contains scriptures such as arabic or hebrew might make use of this character
google drive
implementation in regions that use right to left in native language.
installers and updaters may set currently in use files for rename or deletion after a reboot.
it is possible that other utilities or system processes may legitimately write to this folder. investigate and modify the search to include exceptions as appropriate.
legit application crash with rare werfault commandline value
legitimate powershell scripts
legitimate software that uses these patterns
legitimate use of procdump by a developer or administrator
legitimate use of the tool by administrators or users to update metadata of a binary
legitimate used of encrypted zip files
mistyped commands or legitimate binaries named to match the pattern
procdump illegally bundled with legitimate software.
psexec installed via windows store doesn't contain original filename field (false negative)
russian speaking people changing the codepage
some administrator activity can be potentially triggered, please add those users to the filter macro.
some legitimate applications may use a moved copy of msbuild.exe, triggering a false positive. baselining of msbuild.exe usage is recommended to better understand it's path usage. visual studio runs an instance out of a path that will need to be filtered on.
some legitimate apps use this, but limited.
some security products seem to spawn these
some tuning is required for other general purpose directories of third party apps
system components such as daemon-set-controller and kube-scheduler also create pods in the kube-system namespace
system processes copied outside their default folders for testing purposes
the build engine is commonly used by windows developers but use by non-engineers is unusual.
third party software might bundle specific versions of system dlls.
third party software naming their software with the same names as the processes mentioned here
this detection may require tuning based on third party applications utilizing native windows binaries in non-standard paths.
this is meant to run only on datasources using elastic agent 7.14+ since versions prior to that will be missing the necessary field, resulting in false positives.
unknown flash download locations
unlikely
unlikely, because no one should dump an lsass process memory
vendors will often copy system exectables to a different path for application usage.
when cmd.exe and xcopy.exe are called directly
when the command contains the keywords but not in the correct order