Detectionhightest
Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Tue Sep 27Updated Tue Sep 12044ba588-dff4-4918-9808-3f95e8160606windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic2 selectors
detection:
# Example: copy \\<host>\\<folder>\\process.dmp C:\Users\process.dmp
selection_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_cli:
CommandLine|contains|all:
- 'copy '
- ' \\\\'
CommandLine|contains:
- '.dmp'
- '.dump'
- '.hdmp'
condition: all of selection_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
References
MITRE ATT&CK
Tactics
Rule Metadata
Rule ID
044ba588-dff4-4918-9808-3f95e8160606
Status
test
Level
high
Type
Detection
Created
Tue Sep 27
Modified
Tue Sep 12
Path
rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml
Raw Tags
attack.credential-access