← Back to Explore
sigmahighHunting
CreateDump Process Dump
Detects uses of the createdump.exe LOLOBIN utility to dump process memory
Detection Query
selection_img:
- Image|endswith: \createdump.exe
- OriginalFileName: FX_VER_INTERNALNAME_STR
selection_cli:
CommandLine|contains:
- " -u "
- " --full "
- " -f "
- " --name "
- ".dmp "
condition: all of selection_*
Author
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Created
2022-01-04
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1036attack.t1003.001attack.credential-access
Raw Content
title: CreateDump Process Dump
id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
related:
- id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e
type: similar
status: test
description: Detects uses of the createdump.exe LOLOBIN utility to dump process memory
references:
- https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
- https://twitter.com/bopin2020/status/1366400799199272960
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-04
modified: 2022-08-19
tags:
- attack.defense-evasion
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\createdump.exe'
- OriginalFileName: 'FX_VER_INTERNALNAME_STR'
selection_cli:
CommandLine|contains:
- ' -u ' # Short version of '--full'
- ' --full '
- ' -f ' # Short version of '--name'
- ' --name '
- '.dmp '
condition: all of selection_*
falsepositives:
- Command lines that use the same flags
level: high