LoFP / false positives are expected in cases in which procdump just gets copied to a different directory without any renaming

Techniques

Sample rules

Potential SysInternals ProcDump Evasion

Description

Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name

Detection logic

condition: 1 of selection_*
selection_1:
  CommandLine|contains:
  - copy procdump
  - move procdump
selection_2:
  CommandLine|contains:
  - 2.dmp
  - lsass
  - out.dmp
  CommandLine|contains|all:
  - 'copy '
  - '.dmp '
selection_3:
  CommandLine|contains:
  - copy lsass.exe_
  - move lsass.exe_
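The following is an added worked example, not code from LoFP or from the Sigma rule's author: it transcribes the three selections above into a small matcher, runs the rule over a handful of constructed command lines, and then applies a tuning heuristic for the false positive this page documents (procdump copied or moved to another directory with its file name unchanged). Sigma string semantics are assumed here: case-insensitive substring matching, OR between the values of a `contains` list, AND for `contains|all`, and AND between keys of one selection. The `looks_like_plain_copy` filter, the `classify` labels and the sample command lines are all assumptions for illustration.

```python
import ntpath

# Transcription of the rule's three selections. Sigma semantics assumed:
# case-insensitive substring matching, OR within a `contains` list, AND within
# a `contains|all` list, AND between keys of one selection. The condition
# `1 of selection_*` fires when any selection matches.
SELECTIONS = {
    "selection_1": {"contains": ["copy procdump", "move procdump"]},
    "selection_2": {
        "contains": ["2.dmp", "lsass", "out.dmp"],
        "contains_all": ["copy ", ".dmp "],
    },
    "selection_3": {"contains": ["copy lsass.exe_", "move lsass.exe_"]},
}


def selection_matches(cmdline: str, sel: dict) -> bool:
    s = cmdline.lower()
    if "contains" in sel and not any(v.lower() in s for v in sel["contains"]):
        return False
    if "contains_all" in sel and not all(v.lower() in s for v in sel["contains_all"]):
        return False
    return True


def matching_selections(cmdline: str) -> list:
    return [name for name, sel in SELECTIONS.items() if selection_matches(cmdline, sel)]


def rule_fires(cmdline: str) -> bool:
    # condition: 1 of selection_*
    return bool(matching_selections(cmdline))


def looks_like_plain_copy(cmdline: str) -> bool:
    """Heuristic (assumed, not part of the rule) for the documented false
    positive: a copy/move whose source is procdump and whose destination keeps
    the same file name (a directory, or a path with the same basename)."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        if tok.lower() not in ("copy", "move"):
            continue
        # Drop cmd switches such as /Y so only source and destination remain.
        args = [a for a in tokens[i + 1:] if not a.startswith("/")]
        if len(args) < 2:
            return False
        src_name = ntpath.basename(args[0]).lower()
        dst_name = ntpath.basename(args[-1]).lower()
        if not src_name.startswith("procdump"):
            return False
        # Destination is a directory (trailing separator, or no extension) or
        # the same file name: the file was relocated, not renamed.
        return dst_name == "" or "." not in dst_name or dst_name == src_name
    return False


def classify(cmdline: str) -> str:
    """Triage label: no_match, likely_false_positive (rule fired but the
    command is a plain relocation of procdump), or alert."""
    if not rule_fires(cmdline):
        return "no_match"
    if looks_like_plain_copy(cmdline):
        return "likely_false_positive"
    return "alert"


# Constructed sample command lines (not real telemetry).
SAMPLE_COMMAND_LINES = [
    "cmd.exe /c copy procdump.exe C:\\Tools\\",               # relocated, same name
    "cmd.exe /c move procdump.exe C:\\Tools\\procdump.exe",   # relocated, same name
    "cmd.exe /c copy procdump.exe C:\\Tools\\pd.exe",         # renamed
    "cmd.exe /c copy lsass.dmp C:\\Users\\Public\\out.dmp",   # dump file renamed
    "cmd.exe /c copy report.docx D:\\share\\",                # unrelated copy
]


def triage_samples() -> dict:
    return {c: (matching_selections(c), classify(c)) for c in SAMPLE_COMMAND_LINES}


if __name__ == "__main__":
    for cmd, (sels, label) in triage_samples().items():
        print(f"{label:22} {sels} {cmd}")
```

The first two sample lines show the false positive described at the top of this page: `selection_1` matches because the command line contains `copy procdump` / `move procdump`, even though nothing was renamed. The heuristic downgrades those to `likely_false_positive` while leaving a renamed copy of procdump and a renamed dump file as alerts. Because the filter only compares the basenames of source and destination, a directory name containing a dot would be misread as a file name; it is a starting point for tuning, not a replacement for the rule.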