LoFP / legitimate disabling of crashdumps

Techniques

• t1112
• t1564

Sample rules

CrashControl CrashDump Disabled

• source: sigma
• technicques:
  • t1112
  • t1564

Description

Detects disabling the CrashDump per registry (as used by HermeticWiper)

Detection logic

condition: selection
selection:
  Details: DWORD (0x00000000)
  TargetObject|contains: SYSTEM\CurrentControlSet\Control\CrashControl