Type: Detection | Level: high | Status: test

Renamed CreateDump Utility Execution

Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory

Author: Florian Roth (Nextron Systems)
Created: Tue Sep 20
Updated: Tue Feb 14
Rule ID: 1a1ed54a-2ba4-4221-94d5-01dee560d71e
Product: windows

Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (3 selectors)
detection:
    selection_pe:
        OriginalFileName: 'FX_VER_INTERNALNAME_STR'
    selection_cli:
        - CommandLine|contains|all:
              - ' -u ' # Short version of '--full'
              - ' -f ' # Short version of '--name'
              - '.dmp'
        - CommandLine|contains|all:
              - ' --full ' # Long form of '-u'
              - ' --name ' # Long form of '-f'
              - '.dmp'
    filter:
        Image|endswith: '\createdump.exe'
    condition: 1 of selection_* and not filter
False Positives

Command lines that use the same flags
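To make the selector and condition semantics concrete, the following is an added example (not part of the Sigma project or of this rule) that evaluates the detection logic above over a handful of constructed process-creation events. It assumes Sysmon-style field names as they appear in the rule (Image, OriginalFileName, CommandLine), applies Sigma's default case-insensitive string matching, and includes one event that reproduces the documented false positive: an unrelated tool whose command line happens to carry the same flags and a .dmp path. The createdump.exe install path used for the legitimate case is illustrative.

```python
"""Added example: minimal evaluator for the renamed-createdump Sigma rule.

Implements the three selectors and the condition
`1 of selection_* and not filter` directly, so the effect of each
selector (and of the Image-based filter) can be seen on sample events.
"""

# Sigma string modifiers (contains, endswith, plain equality) are
# case-insensitive by default, so every comparison lowercases both sides.
def contains_all(value, needles):
    """CommandLine|contains|all: every needle must appear in the value."""
    haystack = (value or "").lower()
    return all(n.lower() in haystack for n in needles)


def ends_with(value, suffix):
    """Image|endswith: value must end with the suffix."""
    return (value or "").lower().endswith(suffix.lower())


# selection_pe: the PE resource string createdump.exe ships with.
def selection_pe(event):
    return (event.get("OriginalFileName") or "").lower() == "fx_ver_internalname_str"


# selection_cli: either the short-flag or the long-flag spelling, each
# together with a .dmp output path. Note the surrounding spaces in the flags.
CLI_VARIANTS = [
    [" -u ", " -f ", ".dmp"],
    [" --full ", " --name ", ".dmp"],
]


def selection_cli(event):
    return any(contains_all(event.get("CommandLine"), v) for v in CLI_VARIANTS)


# filter: the binary still carries its real file name, so it is not "renamed".
def filter_legit_name(event):
    return ends_with(event.get("Image"), r"\createdump.exe")


def matches(event):
    """condition: 1 of selection_* and not filter"""
    return (selection_pe(event) or selection_cli(event)) and not filter_legit_name(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = {
    # Renamed copy: PE metadata intact and short flags used -> both selectors hit.
    "renamed_createdump": {
        "Image": r"C:\Users\Public\svchost.exe",
        "OriginalFileName": "FX_VER_INTERNALNAME_STR",
        "CommandLine": r"svchost.exe -u -f C:\Users\Public\out.dmp 1234",
    },
    # Legitimate .NET runtime copy under its real name -> filtered out.
    "legit_dotnet_createdump": {
        "Image": r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.0\createdump.exe",
        "OriginalFileName": "FX_VER_INTERNALNAME_STR",
        "CommandLine": r"createdump.exe -u -f C:\temp\out.dmp 1234",
    },
    # Renamed copy with the version resource stripped: only the CLI selector fires.
    "renamed_resources_stripped": {
        "Image": r"C:\temp\cd.exe",
        "OriginalFileName": "",
        "CommandLine": r"cd.exe --full --name C:\temp\mem.dmp 4321",
    },
    # The documented false positive: another tool using the same flags and a .dmp path.
    "same_flags_other_tool": {
        "Image": r"C:\tools\archiver.exe",
        "OriginalFileName": "archiver.exe",
        "CommandLine": r"archiver.exe -u -f D:\backup\2023.dmp",
    },
    # Unrelated process -> no selector hits.
    "unrelated": {
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": "notepad.exe readme.txt",
    },
}


def alerts(events=SAMPLE_EVENTS):
    """Return the sorted names of the sample events the rule would alert on."""
    return sorted(name for name, ev in events.items() if matches(ev))


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:28s} pe={selection_pe(ev)!s:5} cli={selection_cli(ev)!s:5} "
              f"filter={filter_legit_name(ev)!s:5} -> {'ALERT' if matches(ev) else 'no'}")
```

Running the block shows the two renamed copies alerting, the legitimately named runtime binary being filtered, and the archiver command line alerting as well, which is exactly the false-positive class the rule's own notes call out; tuning that down in a SIEM usually means adding an Image or parent-process filter for the tools that are known to use those flags in the environment.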

Rule Metadata
Rule ID
1a1ed54a-2ba4-4221-94d5-01dee560d71e
Status
test
Level
high
Type
Detection
Created
Tue Sep 20
Modified
Tue Feb 14
Path
rules/windows/process_creation/proc_creation_win_renamed_createdump.yml
Raw Tags
attack.defense-evasion
attack.t1036
attack.t1003.001
attack.credential-access