LoFP

False positives may be present if an application is dumping processes; filter as needed. Recommend reviewing createdump.exe usage across the fleet to better understand all usage and which applications invoke it.

Techniques

Sample rules

Windows Credential Dumping LSASS Memory Createdump

Description

The following analytic identifies CreateDump.exe being used to perform a process dump. This binary is not native to Windows, but it is bundled with many different third-party applications, including PowerShell 7.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=createdump.exe OR Processes.original_file_name="FX_VER_INTERNALNAME_STR") AND Processes.process="*-u *" AND Processes.process="*-f *" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_credential_dumping_lsass_memory_createdump_filter`
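To make the rule's logic concrete outside Splunk, the following is an added example (not Splunk's code and not part of the original page) that re-implements the detection over constructed Endpoint.Processes-style events: the binary is identified either by `process_name` or by the PE `original_file_name` value `FX_VER_INTERNALNAME_STR` (which also catches a renamed copy), both the `-u` and `-f` switches must be present on the command line, and an allowlist of parent process names stands in for the rule's `_filter` macro so the fleet-review tuning recommended above can be expressed locally. The grouping and `count`/`firstTime`/`lastTime` columns mirror the `tstats ... by` clause. All events, host names, users and the `crashhandler.exe` allowlist entry are constructed for illustration.

```python
"""Local re-implementation of the 'Windows Credential Dumping LSASS Memory Createdump'
rule over constructed process events (example code, not Splunk's own)."""
from collections import defaultdict
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class ProcessEvent:
    time: int                   # epoch seconds, stands in for _time
    dest: str
    user: str
    parent_process_name: str
    process_name: str
    original_file_name: str     # PE version-info InternalName
    process: str                # full command line
    process_id: int
    parent_process_id: int


def is_createdump_binary(ev: ProcessEvent) -> bool:
    """process_name=createdump.exe OR original_file_name=FX_VER_INTERNALNAME_STR.
    The second clause still fires when the binary has been renamed on disk."""
    return (ev.process_name.lower() == "createdump.exe"
            or ev.original_file_name == "FX_VER_INTERNALNAME_STR")


def has_dump_switches(ev: ProcessEvent) -> bool:
    """process="*-u *" AND process="*-f *" (SPL wildcards, matched case-insensitively)."""
    cmd = ev.process.lower()
    return fnmatchcase(cmd, "*-u *") and fnmatchcase(cmd, "*-f *")


def matches(ev: ProcessEvent, allowlisted_parents=frozenset()) -> bool:
    """(binary test) AND (both switches), then the local filter-macro stand-in."""
    if not (is_createdump_binary(ev) and has_dump_switches(ev)):
        return False
    return ev.parent_process_name.lower() not in allowlisted_parents


def run_detection(events, allowlisted_parents=frozenset()):
    """Group matching events the way the tstats 'by' clause does and report
    count / firstTime / lastTime for each group."""
    groups = defaultdict(list)
    for ev in events:
        if matches(ev, allowlisted_parents):
            key = (ev.dest, ev.user, ev.parent_process_name, ev.process_name,
                   ev.process, ev.process_id, ev.parent_process_id)
            groups[key].append(ev.time)
    return [
        {"dest": k[0], "user": k[1], "parent_process_name": k[2],
         "process_name": k[3], "process": k[4], "process_id": k[5],
         "parent_process_id": k[6], "count": len(times),
         "firstTime": min(times), "lastTime": max(times)}
        for k, times in groups.items()
    ]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Two records for the same createdump.exe process on ws01 (constructed).
    ProcessEvent(1700000000, "ws01", "CORP\\alice", "cmd.exe", "createdump.exe",
                 "FX_VER_INTERNALNAME_STR", "createdump.exe -u -f C:\\Temp\\out.dmp 4321", 5001, 4000),
    ProcessEvent(1700000060, "ws01", "CORP\\alice", "cmd.exe", "createdump.exe",
                 "FX_VER_INTERNALNAME_STR", "createdump.exe -u -f C:\\Temp\\out.dmp 4321", 5001, 4000),
    # Renamed copy: only original_file_name gives it away.
    ProcessEvent(1700000120, "ws02", "CORP\\bob", "powershell.exe", "svc.exe",
                 "FX_VER_INTERNALNAME_STR", "svc.exe -u -f C:\\Users\\Public\\a.dmp 612", 5003, 4100),
    # createdump.exe run without the dump switches: must not match.
    ProcessEvent(1700000180, "ws03", "CORP\\carol", "pwsh.exe", "createdump.exe",
                 "FX_VER_INTERNALNAME_STR", "createdump.exe --help", 5004, 4200),
    # Unrelated process (original_file_name value is constructed).
    ProcessEvent(1700000240, "ws03", "CORP\\carol", "explorer.exe", "pwsh.exe",
                 "pwsh.dll", "pwsh.exe -NoProfile", 5005, 4300),
    # Dump by an application the fleet review has accepted; its parent is allowlisted in usage below.
    ProcessEvent(1700000300, "ws04", "NT AUTHORITY\\SYSTEM", "crashhandler.exe", "createdump.exe",
                 "FX_VER_INTERNALNAME_STR", "createdump.exe -u -f C:\\dumps\\svc.dmp 777", 5006, 4400),
]

if __name__ == "__main__":
    # Without tuning every dump invocation surfaces; with the constructed allowlist
    # the accepted application's activity is filtered as the LoFP note recommends.
    for row in run_detection(SAMPLE_EVENTS, allowlisted_parents={"crashhandler.exe"}):
        print(row)
```

The `--help` event shows why the binary test and the switch test are combined with AND: a createdump.exe execution with neither `-u` nor `-f` is not reported, which is the behaviour the rule's description intends.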