
Process Memory Dump Via Dotnet-Dump

Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS.

Author: Nasreddine Bencherchali (Nextron Systems)
Created: Tue Mar 14
Rule ID: 53d8d3e1-ca33-4012-adf3-e05a4d652e34
Product: windows

Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (2 selectors)
detection:
    selection_img:
        - Image|endswith: '\dotnet-dump.exe'
        - OriginalFileName: 'dotnet-dump.dll'
    selection_cli:
        CommandLine|contains: 'collect'
    condition: all of selection_*
False Positives

Process dumping is the expected behavior of the tool, so false positives are expected in legitimate usage. The PID or process name of the process being dumped needs to be investigated.
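To show how the two selectors above combine ('all of selection_*', with the list under selection_img OR-ed) and how an analyst can pull the dumped PID or process name out of a hit for the triage the false-positive note asks for, here is an added Python reference implementation; it is not part of the Sigma rule or the SigmaHQ project. The sample events are constructed, and the `-p`/`--process-id` and `-n`/`--name` options are assumed from dotnet-dump's own `collect` command line, not from this page.

```python
import re
from typing import Dict, List, Optional, Tuple

def matches_rule(event: Dict[str, str]) -> bool:
    """Evaluate the rule's condition 'all of selection_*' against one
    process-creation event. Sigma string matching is case-insensitive
    by default, so everything is lower-cased first."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    # selection_img is a YAML list: its two items are OR-ed.
    selection_img = image.endswith("\\dotnet-dump.exe") or original == "dotnet-dump.dll"
    # selection_cli: CommandLine|contains 'collect'
    selection_cli = "collect" in cmdline
    return selection_img and selection_cli

# Assumed dotnet-dump collect options (not on the page): -p/--process-id <pid>, -n/--name <proc>
_TARGET_RE = re.compile(r"(?:-p|--process-id)\s+(\d+)|(?:-n|--name)\s+(\S+)", re.I)

def dump_target(cmdline: str) -> Optional[str]:
    """Return the PID or process name being dumped, for analyst triage."""
    m = _TARGET_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)

def triage(events: List[Dict[str, str]]) -> List[Tuple[int, Optional[str]]]:
    """(event index, dump target) for every event the rule fires on."""
    return [(i, dump_target(e.get("CommandLine", ""))) for i, e in enumerate(events)
            if matches_rule(e)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\dev\.dotnet\tools\dotnet-dump.exe", "OriginalFileName": "dotnet-dump.dll",
     "CommandLine": r"dotnet-dump collect -p 4321 -o C:\dumps\web.dmp"},  # legitimate use: still alerts
    {"Image": r"C:\Windows\Temp\dd.exe", "OriginalFileName": "dotnet-dump.dll",
     "CommandLine": "dd.exe collect -p 712"},  # renamed binary, caught via OriginalFileName
    {"Image": r"C:\Users\dev\.dotnet\tools\dotnet-dump.exe", "OriginalFileName": "dotnet-dump.dll",
     "CommandLine": "dotnet-dump ps"},  # no 'collect': no alert
    {"Image": r"C:\Program Files\dotnet\dotnet.exe", "OriginalFileName": "dotnet.exe",
     "CommandLine": "dotnet build collect.csproj"},  # 'collect' substring but not dotnet-dump
]

if __name__ == "__main__":
    for idx, target in triage(SAMPLE_EVENTS):
        print(f"alert on event {idx}: dumped process = {target}")
```

The first hit is exactly the legitimate-usage false positive the rule documents, which is why the triage step resolves the target rather than treating every match as malicious.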

Rule Metadata
Rule ID
53d8d3e1-ca33-4012-adf3-e05a4d652e34
Status
test
Level
medium
Type
Detection
Created
Tue Mar 14
Path
rules/windows/process_creation/proc_creation_win_dotnetdump_memory_dump.yml
Raw Tags
attack.defense-evasion, attack.t1218