Techniques
Sample rules
Renamed ProcDump Execution
- source: sigma
- techniques:
  - t1036
  - t1036.003
Description
Detects the execution of a renamed ProcDump executable. This is often done by attackers or malware in order to evade defensive mechanisms: ProcDump is a legitimate Sysinternals tool for writing process memory dumps, so renaming the binary is a cheap way to slip past detections that key on the file name. The rule therefore identifies the tool either by the PE OriginalFileName (procdump) or by its characteristic command-line flags (-ma or -mp together with -accepteula, with - and / treated as equivalent by the windash modifier) and then excludes images that still carry the original procdump.exe or procdump64.exe name, so only renamed copies alert.
Detection logic
detection:
    selection_ofn:
        OriginalFileName: 'procdump'
    selection_cli_dump_flag:
        CommandLine|contains|windash:
            - ' -ma '
            - ' -mp '
    selection_cli_eula_flag:
        CommandLine|contains|windash: ' /accepteula'
    filter_main_known_names:
        Image|endswith:
            - '\procdump.exe'
            - '\procdump64.exe'
    condition: (selection_ofn or all of selection_cli_*) and not 1 of filter_main_*
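The detection logic above, re-implemented as plain Python and run over a handful of constructed process-creation events, so the effect of each selection and of the filter can be seen. This is an added example, not code from the Sigma rule or the Sigma project. It assumes the field names Image, CommandLine and OriginalFileName of the Sigma process_creation log source, case-insensitive string matching as in Sigma's default matching, and approximates the windash modifier by treating '-', '/', en dash and em dash as interchangeable flag prefixes. The sample events and their ids are constructed, not real telemetry.

```python
"""The Sigma rule 'Renamed ProcDump Execution' as plain Python, run over
constructed process-creation events.

Added example (not part of the Sigma rule or project). Assumptions:
- field names Image, CommandLine, OriginalFileName follow the Sigma
  process_creation log source;
- string matching is case-insensitive, as in Sigma's default matching;
- the windash modifier is approximated by accepting '-', '/', en dash and
  em dash as interchangeable flag prefixes.
"""

# Flag prefixes assumed to be equivalent under the windash modifier.
WINDASH_PREFIXES = ("-", "/", "\u2013", "\u2014")


def windash_variants(pattern: str) -> list[str]:
    """Expand a ' -flag ' or ' /flag ' pattern into all windash prefix variants."""
    if len(pattern) < 2 or pattern[0] != " " or pattern[1] not in WINDASH_PREFIXES:
        raise ValueError(f"not a dash-prefixed flag pattern: {pattern!r}")
    return [" " + prefix + pattern[2:] for prefix in WINDASH_PREFIXES]


def contains_windash(value: str, patterns) -> bool:
    """CommandLine|contains|windash: some variant of some pattern is a substring."""
    haystack = value.lower()
    return any(
        variant.lower() in haystack
        for pattern in patterns
        for variant in windash_variants(pattern)
    )


def selection_ofn(event: dict) -> bool:
    # OriginalFileName: 'procdump'  (exact, case-insensitive)
    return event.get("OriginalFileName", "").lower() == "procdump"


def selection_cli_dump_flag(event: dict) -> bool:
    # CommandLine|contains|windash: ' -ma ', ' -mp '
    return contains_windash(event.get("CommandLine", ""), (" -ma ", " -mp "))


def selection_cli_eula_flag(event: dict) -> bool:
    # CommandLine|contains|windash: ' /accepteula'
    return contains_windash(event.get("CommandLine", ""), (" /accepteula",))


def filter_main_known_names(event: dict) -> bool:
    # Image|endswith: '\procdump.exe', '\procdump64.exe'
    image = event.get("Image", "").lower()
    return image.endswith(("\\procdump.exe", "\\procdump64.exe"))


def rule_matches(event: dict) -> bool:
    """condition: (selection_ofn or all of selection_cli_*) and not 1 of filter_main_*"""
    all_cli = selection_cli_dump_flag(event) and selection_cli_eula_flag(event)
    selected = selection_ofn(event) or all_cli
    return selected and not filter_main_known_names(event)


# Constructed sample events (not real telemetry); 'id' is only a label.
SAMPLE_EVENTS = [
    {"id": "renamed-flags",                 # renamed, version resource intact
     "Image": "C:\\Users\\Public\\svchost.exe",
     "OriginalFileName": "procdump",
     "CommandLine": "svchost.exe -accepteula -ma lsass.exe out.dmp"},
    {"id": "legit-procdump64",              # unrenamed tool: excluded by filter
     "Image": "C:\\Tools\\SysinternalsSuite\\procdump64.exe",
     "OriginalFileName": "procdump",
     "CommandLine": "procdump64.exe -accepteula -ma notepad.exe"},
    {"id": "renamed-ofn-only",              # renamed, no tell-tale flags
     "Image": "C:\\Temp\\update.exe",
     "OriginalFileName": "procdump",
     "CommandLine": "update.exe"},
    {"id": "renamed-slash-flags-no-ofn",    # OriginalFileName altered, / flags
     "Image": "C:\\Temp\\pd.exe",
     "OriginalFileName": "pd.exe",
     "CommandLine": "pd.exe /accepteula /mp 1234 C:\\Temp\\d.dmp"},
    {"id": "other-tool-ma-only",            # -ma alone is not enough
     "Image": "C:\\Tools\\other.exe",
     "OriginalFileName": "other.exe",
     "CommandLine": "other.exe -ma target"},
]


def run_rule(events) -> list[str]:
    """Return the ids of the events the rule fires on, in input order."""
    return [event["id"] for event in events if rule_matches(event)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT" if rule_matches(event) else "ok"
        print(f"{event['id']:<30} {verdict}")
```

The events show why the condition has two prongs: renamed-ofn-only is caught purely by the PE OriginalFileName, while renamed-slash-flags-no-ofn, where the version resource no longer says procdump, is still caught by the -mp plus -accepteula combination (here written with forward slashes, which windash accepts). The filter removes the unrenamed procdump64.exe, so legitimate use under the original name never alerts, and a lone -ma on some other tool does not satisfy "all of selection_cli_*".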