← Back to Explore
sigmahighHunting
Renamed CreateDump Utility Execution
Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory
Detection Query
selection_pe:
OriginalFileName: FX_VER_INTERNALNAME_STR
selection_cli:
- CommandLine|contains|all:
- " -u "
- " -f "
- .dmp
- CommandLine|contains|all:
- " --full "
- " --name "
- .dmp
filter:
Image|endswith: \createdump.exe
condition: 1 of selection_* and not filter
Author
Florian Roth (Nextron Systems)
Created
2022-09-20
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1036attack.t1003.001attack.credential-access
Raw Content
title: Renamed CreateDump Utility Execution
id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e
related:
- id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
type: similar
status: test
description: Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory
references:
- https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
- https://twitter.com/bopin2020/status/1366400799199272960
author: Florian Roth (Nextron Systems)
date: 2022-09-20
modified: 2023-02-14
tags:
- attack.defense-evasion
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection_pe:
OriginalFileName: 'FX_VER_INTERNALNAME_STR'
selection_cli:
- CommandLine|contains|all:
- ' -u ' # Short version of '--full'
- ' -f ' # Short version of '--name'
- '.dmp'
- CommandLine|contains|all:
- ' --full ' # Short version of '--full'
- ' --name ' # Short version of '--name'
- '.dmp'
filter:
Image|endswith: '\createdump.exe'
condition: 1 of selection_* and not filter
falsepositives:
- Command lines that use the same flags
level: high