Threat Huntlowtest
DMP/HDMP File Creation
Detects the creation of a file with the ".dmp"/".hdmp" extension. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Thu Sep 073a525307-d100-48ae-b3b9-0964699d7f97windows
Hunting Hypothesis
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic
Detection Logic1 selector
detection:
selection:
TargetFilename|endswith:
- '.dmp'
- '.dump'
- '.hdmp'
condition: selectionFalse Positives
Likely during crashes of software
References
MITRE ATT&CK
Tactics
Other
detection.threat-hunting
Rule Metadata
Rule ID
3a525307-d100-48ae-b3b9-0964699d7f97
Status
test
Level
low
Type
Threat Hunt
Created
Thu Sep 07
Path
rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml
Raw Tags
attack.defense-evasiondetection.threat-hunting