Techniques
Sample rules
Renamed CreateDump Utility Execution
- source: sigma
- techniques:
    - t1003
    - t1003.001
    - t1036
Description
Detects uses of a renamed legitimate createdump.exe LOLBIN utility to dump process memory
Detection logic
condition: 1 of selection_* and not filter
filter:
    Image|endswith: \createdump.exe
selection_cli:
    - CommandLine|contains|all:
        - ' -u '
        - ' -f '
        - .dmp
    - CommandLine|contains|all:
        - ' --full '
        - ' --name '
        - .dmp
selection_pe:
    OriginalFileName: FX_VER_INTERNALNAME_STR
CreateDump Process Dump
- source: sigma
- techniques:
    - t1003
    - t1003.001
    - t1036
Description
Detects uses of the createdump.exe LOLBIN utility to dump process memory
Detection logic
condition: all of selection_*
selection_cli:
    CommandLine|contains:
        - ' -u '
        - ' --full '
        - ' -f '
        - ' --name '
        - '.dmp '
selection_img:
    - Image|endswith: \createdump.exe
    - OriginalFileName: FX_VER_INTERNALNAME_STR
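The following is an added example, not part of the page and not code from the Sigma project: a minimal Python evaluator for the two rules above (Renamed CreateDump Utility Execution and CreateDump Process Dump), run over three constructed process-creation events. It implements only the Sigma modifiers the rules use (exact match, `endswith`, `contains`, `contains|all`) and the two condition shapes on the page; the image paths, PIDs and dump file names in the sample events are hypothetical.

```python
"""Minimal evaluator for the two createdump Sigma rules on this page.
Added example; the rule structures below are transcribed from the page,
the sample events are constructed."""

# A selection is a list of alternatives (OR); each alternative is a dict of
# 'Field|modifier' -> value or list of values (AND across the dict's clauses).
RENAMED_CREATEDUMP = {
    "selections": {
        "selection_cli": [
            {"CommandLine|contains|all": [" -u ", " -f ", ".dmp"]},
            {"CommandLine|contains|all": [" --full ", " --name ", ".dmp"]},
        ],
        "selection_pe": [{"OriginalFileName": "FX_VER_INTERNALNAME_STR"}],
    },
    "filter": [{"Image|endswith": "\\createdump.exe"}],
    "condition": "1 of selection_* and not filter",
}

CREATEDUMP_PROCESS_DUMP = {
    "selections": {
        "selection_cli": [
            {"CommandLine|contains": [" -u ", " --full ", " -f ", " --name ", ".dmp "]},
        ],
        "selection_img": [
            {"Image|endswith": "\\createdump.exe"},
            {"OriginalFileName": "FX_VER_INTERNALNAME_STR"},
        ],
    },
    "filter": None,
    "condition": "all of selection_*",
}


def _field_matches(event: dict, key: str, expected) -> bool:
    """Evaluate one 'Field|modifier' clause; string matching is case-insensitive,
    as Sigma's default string comparison is."""
    field, *mods = key.split("|")
    actual = str(event.get(field, "")).lower()
    values = expected if isinstance(expected, list) else [expected]
    values = [str(v).lower() for v in values]
    if not mods:                         # plain field: exact match, list means any-of
        return actual in values
    if mods[0] == "endswith":
        return any(actual.endswith(v) for v in values)
    if mods[0] == "contains":            # 'contains' is any-of, 'contains|all' is all-of
        hits = [v in actual for v in values]
        return all(hits) if "all" in mods[1:] else any(hits)
    raise ValueError(f"unsupported modifier chain: {key}")


def _selection_matches(event: dict, alternatives: list) -> bool:
    """A selection is OR over its alternatives, AND over each alternative's clauses."""
    return any(all(_field_matches(event, k, v) for k, v in alt.items())
               for alt in alternatives)


def rule_matches(event: dict, rule: dict) -> bool:
    """Evaluate the condition. Only the shapes used on the page are handled:
    '1 of selection_*' (any selection) and 'all of selection_*' (every selection),
    optionally followed by 'and not filter'."""
    results = [_selection_matches(event, alts) for alts in rule["selections"].values()]
    cond = rule["condition"]
    matched = all(results) if cond.startswith("all of") else any(results)
    if rule["filter"] is not None and "and not filter" in cond:
        matched = matched and not _selection_matches(event, rule["filter"])
    return matched


def evaluate(event: dict) -> dict:
    """Return which of the two rules fire for one process-creation event."""
    return {
        "renamed_createdump": rule_matches(event, RENAMED_CREATEDUMP),
        "createdump_process_dump": rule_matches(event, CREATEDUMP_PROCESS_DUMP),
    }


# Constructed sample events (hypothetical paths, PIDs and file names).
SAMPLE_EVENTS = {
    # Unrenamed binary with dump arguments: the filter suppresses the "renamed"
    # rule, the plain "process dump" rule fires.
    "unrenamed": {
        "Image": "C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\6.0.0\\createdump.exe",
        "OriginalFileName": "FX_VER_INTERNALNAME_STR",
        "CommandLine": "createdump.exe -u -f C:\\temp\\out.dmp 1234",
    },
    # Same PE copied under another name: Image no longer ends with \createdump.exe,
    # but OriginalFileName still gives it away, so both rules fire.
    "renamed": {
        "Image": "C:\\Users\\Public\\svc.exe",
        "OriginalFileName": "FX_VER_INTERNALNAME_STR",
        "CommandLine": "svc.exe --full --name C:\\temp\\out.dmp 1234",
    },
    # Unrelated tool whose arguments happen to contain ' -f ': neither rule fires,
    # because the image/PE selections do not match.
    "benign": {
        "Image": "C:\\Windows\\System32\\tar.exe",
        "OriginalFileName": "tar.exe",
        "CommandLine": "tar.exe -x -f archive.tar",
    },
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(name, evaluate(ev))
```

The three events show why the two rules are complementary: the first rule's `filter` on `Image` keeps it quiet for the genuine binary name, while `OriginalFileName` (a PE version-resource field that survives renaming the file on disk) is what lets it catch a copied-and-renamed createdump.exe. The second rule fires on any invocation with dump-style arguments, regardless of the name.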