Techniques
Sample rules
Renamed ProcDump Execution
- source: sigma
- techniques:
  - t1036
  - t1036.003
Description
Detects the execution of a renamed ProcDump executable, a Sysinternals tool that attackers and malware often rename to evade name-based detection.
Detection logic
condition: (selection_org or all of selection_args_*) and not filter
filter:
    Image|endswith:
        - \procdump.exe
        - \procdump64.exe
selection_args_ma:
    CommandLine|contains:
        - ' -ma '
        - ' /ma '
selection_args_other:
    CommandLine|contains:
        - ' -accepteula '
        - ' /accepteula '
selection_org:
    OriginalFileName: procdump
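To show how the condition above actually evaluates against process-creation telemetry, the following Python evaluator is an added example, not code from the rule page or the Sigma project. It transcribes the four detection blocks as functions, combines them exactly as the condition does, and runs them over constructed Sysmon Event ID 1 style records (field names Image, CommandLine, OriginalFileName as in the Sigma process_creation log source). Sigma's contains and endswith modifiers are case-insensitive by default, which the helper functions reproduce with lower-casing; the sample events, paths and PIDs are invented for the illustration.

```python
"""Minimal evaluator for the 'Renamed ProcDump Execution' Sigma logic.

Added example, not part of the rule page or the Sigma project.  The event
records below are constructed; field names follow the Sigma
process_creation log source (Image, CommandLine, OriginalFileName).
Sigma string modifiers (contains/endswith) are case-insensitive by
default, which this evaluator reproduces with str.lower().
"""

from typing import Dict, List

Event = Dict[str, str]

# --- rule pieces transcribed from the detection block ---
FILTER_IMAGE_ENDSWITH = [r"\procdump.exe", r"\procdump64.exe"]
ARGS_MA_CONTAINS = [" -ma ", " /ma "]
ARGS_OTHER_CONTAINS = [" -accepteula ", " /accepteula "]
ORIGINAL_FILE_NAME = "procdump"


def _contains_any(value: str, needles: List[str]) -> bool:
    """Sigma 'contains' with a list: any needle found, case-insensitive."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _endswith_any(value: str, suffixes: List[str]) -> bool:
    """Sigma 'endswith' with a list: any suffix matches, case-insensitive."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def selection_org(ev: Event) -> bool:
    # The PE version resource survives a file rename, so this catches most renames.
    return ev.get("OriginalFileName", "").lower() == ORIGINAL_FILE_NAME


def selection_args_ma(ev: Event) -> bool:
    return _contains_any(ev.get("CommandLine", ""), ARGS_MA_CONTAINS)


def selection_args_other(ev: Event) -> bool:
    return _contains_any(ev.get("CommandLine", ""), ARGS_OTHER_CONTAINS)


def filter_legit_name(ev: Event) -> bool:
    # Suppress ProcDump running under its own file name.
    return _endswith_any(ev.get("Image", ""), FILTER_IMAGE_ENDSWITH)


def matches(ev: Event) -> bool:
    """condition: (selection_org or all of selection_args_*) and not filter"""
    all_args = selection_args_ma(ev) and selection_args_other(ev)
    return (selection_org(ev) or all_args) and not filter_legit_name(ev)


# Constructed sample events (hypothetical paths and PIDs).
SAMPLE_EVENTS: List[Event] = [
    # 0: ProcDump under its real name: selections match, but the filter suppresses it
    {"Image": r"C:\Tools\procdump64.exe",
     "OriginalFileName": "procdump",
     "CommandLine": "procdump64.exe -accepteula -ma 1234 C:\\Temp\\out.dmp"},
    # 1: renamed binary; the PE OriginalFileName still says procdump -> alert
    {"Image": r"C:\Users\Public\svchost.exe",
     "OriginalFileName": "procdump",
     "CommandLine": "svchost.exe /accepteula /ma 1234 C:\\Temp\\out.dmp"},
    # 2: OriginalFileName altered, but both ProcDump-style switches are present -> alert
    {"Image": r"C:\Users\Public\update.exe",
     "OriginalFileName": "update.exe",
     "CommandLine": "update.exe -accepteula -ma 5678 C:\\Temp\\u.dmp"},
    # 3: only one of the two argument selections ('all of' needs both) -> no alert
    {"Image": r"C:\Users\Public\tool.exe",
     "OriginalFileName": "tool.exe",
     "CommandLine": "tool.exe -ma 5678 C:\\Temp\\t.dmp"},
    # 4: unrelated process -> no alert
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe C:\\Temp\\readme.txt"},
]


def run(events: List[Event]) -> List[int]:
    """Return the 0-based indices of events that fire the rule."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    for i in run(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: Image={ev['Image']} CommandLine={ev['CommandLine']}")
```

Event 3 is the edge case worth noticing: a single `-ma` switch without `-accepteula` is not enough, because `all of selection_args_*` requires every `selection_args_` block to match; the rule relies on OriginalFileName or the full switch pair, so stripping the version resource and dropping one switch would sidestep it, which is why this rule is best paired with the other ProcDump rules rather than used alone.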