Detectionmediumtest
Potentially Suspicious DMP/HDMP File Creation
Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Thu Sep 07aba15bdd-657f-422a-bab3-ac2d2a0d6f1cwindows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic
Detection Logic1 selector
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
TargetFilename|endswith:
- '.dmp'
- '.dump'
- '.hdmp'
condition: selectionFalse Positives
Some administrative PowerShell or VB scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive.
References
MITRE ATT&CK
Tactics
Rule Metadata
Rule ID
aba15bdd-657f-422a-bab3-ac2d2a0d6f1c
Status
test
Level
medium
Type
Detection
Created
Thu Sep 07
Path
rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml
Raw Tags
attack.defense-evasion