Techniques
Sample rules
Process Memory Dump Via Dotnet-Dump
- source: sigma
- techniques:
- t1218
Description
Detects the execution of “dotnet-dump” with the “collect” argument, which writes a full memory dump of a target process to disk. Such execution could indicate dumping of critical processes such as LSASS.
Detection logic
selection_img:
  - Image|endswith: '\dotnet-dump.exe'
  - OriginalFileName: 'dotnet-dump.dll'
selection_cli:
  CommandLine|contains: 'collect'
condition: all of selection_*
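To show how the two selections combine, here is an added example (not part of the Sigma rule or the Sigma project's code) that evaluates the rule's logic by hand over constructed process-creation events. Sigma string matching is case-insensitive by default, a list of maps inside one selection is an OR, and `all of selection_*` requires every selection to match; the event fields, paths and PIDs below are invented for illustration.

```python
"""Evaluate the 'Process Memory Dump Via Dotnet-Dump' Sigma selections over
constructed process-creation events (illustrative, not the Sigma project's code)."""

# Constructed process-creation events in the shape Sigma's process_creation
# logsource provides (Image, OriginalFileName, CommandLine). Paths and PIDs
# are invented for this example.
EVENTS = [
    {   # LSASS dump: dotnet-dump collect pointed at lsass.exe's PID
        "Image": r"C:\Users\dev\.dotnet\tools\dotnet-dump.exe",
        "OriginalFileName": "dotnet-dump.dll",
        "CommandLine": "dotnet-dump collect -p 624 -o C:\\Users\\dev\\lsass.dmp",
    },
    {   # renamed binary: Image no longer ends with dotnet-dump.exe, but the
        # OriginalFileName from the PE version resource still gives it away
        "Image": r"C:\Temp\dd.exe",
        "OriginalFileName": "dotnet-dump.dll",
        "CommandLine": "dd.exe COLLECT --process-id 624",
    },
    {   # benign: same tool, different verb (analyzing an existing dump)
        "Image": r"C:\Users\dev\.dotnet\tools\dotnet-dump.exe",
        "OriginalFileName": "dotnet-dump.dll",
        "CommandLine": "dotnet-dump analyze C:\\dumps\\app.dmp",
    },
    {   # unrelated process whose command line happens to contain 'collect'
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c garbage-collect.bat",
    },
]


def _ci(value):
    """Sigma compares strings case-insensitively by default."""
    return str(value or "").lower()


def selection_img(event):
    """A list of maps inside a selection is an OR: either field suffices."""
    return (_ci(event.get("Image")).endswith(r"\dotnet-dump.exe")
            or _ci(event.get("OriginalFileName")) == "dotnet-dump.dll")


def selection_cli(event):
    """CommandLine|contains: 'collect' (substring, case-insensitive)."""
    return "collect" in _ci(event.get("CommandLine"))


def rule_matches(event):
    """condition: all of selection_*  -> both selections must be true."""
    return selection_img(event) and selection_cli(event)


def evaluate(events=EVENTS):
    """Return the indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    for i in evaluate():
        print(f"alert: event {i}: {EVENTS[i]['CommandLine']}")
```

Events 0 and 1 match; event 2 fails `selection_cli` and event 3 fails `selection_img`, which is why the rule needs both selections rather than the command-line substring alone. Because the rule matches any `collect` invocation, it will also fire on developers dumping their own .NET services; to separate those from credential theft, resolve the target PID given to `-p`/`--process-id` and check whether it belongs to lsass.exe, or correlate with process-access telemetry on LSASS.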