Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Potential SysInternals ProcDump Evasion

Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems)Created Tue Jan 11Updated Tue May 0979b06761-465f-4f88-9ef2-150e24d3d737windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic3 selectors
detection:
    selection_1:
        CommandLine|contains:
            - 'copy procdump'
            - 'move procdump'
    selection_2:
        CommandLine|contains|all:
            - 'copy '
            - '.dmp '
        CommandLine|contains:
            - '2.dmp'
            - 'lsass'
            - 'out.dmp'
    selection_3:
        CommandLine|contains:
            - 'copy lsass.exe_'  # procdump default pattern e.g. lsass.exe_220111_085234.dmp
            - 'move lsass.exe_'  # procdump default pattern e.g. lsass.exe_220111_085234.dmp
    condition: 1 of selection_*
False Positives

False positives are expected in cases in which ProcDump just gets copied to a different directory without any renaming

References
1
Resolving title…
twitter.com
MITRE ATT&CK
Rule Metadata
Rule ID
79b06761-465f-4f88-9ef2-150e24d3d737
Status
test
Level
high
Type
Detection
Created
Tue Jan 11
Modified
Tue May 09
Author
Florian Roth (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml
Raw Tags
attack.defense-evasionattack.t1036attack.t1003.001attack.credential-access
View on GitHub