Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Renamed ProcDump Execution

Detects the execution of a renamed ProcDump executable. This often done by attackers or malware in order to evade defensive mechanisms.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)Created Mon Nov 18Updated Tue Jun 254a0b2c7e-7cb2-495d-8b63-5f268e7bfd67windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic4 selectors
detection:
    selection_ofn:
        OriginalFileName: 'procdump'
    selection_cli_dump_flag:
        CommandLine|contains|windash:
            - ' -ma ' # Full Dump
            - ' -mp ' # Mini Plus
    selection_cli_eula_flag:
        # Note: Even though the "accepteula" flag isn't required. We add it to avoid collision with similar utilities.
        CommandLine|contains|windash: ' /accepteula'
    filter_main_known_names:
        Image|endswith:
            - '\procdump.exe'
            - '\procdump64.exe'
    condition: (selection_ofn or all of selection_cli_*) and not 1 of filter_main_*
False Positives

Procdump illegally bundled with legitimate software.

Administrators who rename binaries (should be investigated).

References
1
Resolving title…
learn.microsoft.com
MITRE ATT&CK
Related Rules
Similar

03795938-1387-481b-9f4c-3f6241e604fe

Rule not found
Rule Metadata
Rule ID
4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67
Status
test
Level
high
Type
Detection
Created
Mon Nov 18
Modified
Tue Jun 25
Author
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml
Raw Tags
attack.defense-evasionattack.t1036.003
View on GitHub