← Back to Explore
sigmamediumHunting
Process Memory Dump Via Dotnet-Dump
Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS.
Detection Query
selection_img:
- Image|endswith: \dotnet-dump.exe
- OriginalFileName: dotnet-dump.dll
selection_cli:
CommandLine|contains: collect
condition: all of selection_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2023-03-14
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1218
Raw Content
title: Process Memory Dump Via Dotnet-Dump
id: 53d8d3e1-ca33-4012-adf3-e05a4d652e34
status: test
description: |
Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS.
references:
- https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect
- https://twitter.com/bohops/status/1635288066909966338
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-14
tags:
- attack.defense-evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\dotnet-dump.exe'
- OriginalFileName: 'dotnet-dump.dll'
selection_cli:
CommandLine|contains: 'collect'
condition: all of selection_*
falsepositives:
- Process dumping is the expected behavior of the tool. So false positives are expected in legitimate usage. The PID/Process Name of the process being dumped needs to be investigated
level: medium