LoFP / legitimate use of procdump by a developer or administrator

Techniques

• t1003
• t1003.001
• t1036

Sample rules

Procdump Execution

• source: sigma
• technicques:
  • t1003
  • t1003.001
  • t1036

Description

Detects usage of the SysInternals Procdump utility

Detection logic

condition: selection
selection:
  Image|endswith:
  - \procdump.exe
  - \procdump64.exe