SigmaHQ/rules/windows/process_creation/win_susp_procdump.yml

title: Suspicious Use of Procdump
description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This
    way we're also able to catch cases in which the attacker has renamed the procdump executable.
status: experimental
references:
    - Internal Research
author: Florian Roth
date: 2018/10/30
modified: 2019/10/14
tags:
    - attack.defense_evasion
    - attack.t1036
    - attack.credential_access
    - attack.t1003
    - car.2013-05-009
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine:
            - '* -ma *'
    selection2:
        CommandLine:
            - '* lsass*'
    selection3:
        CommandLine:
            - '* -ma ls*'
    condition: ( selection1 and selection2 ) or selection3
falsepositives:
    - Unlikely, because no one should dump an lsass process memory
    - Another tool that uses the command line switches of Procdump
level: medium
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`title: Suspicious Use of Procdump`
			`description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`way we're also able to catch cases in which the attacker has renamed the procdump executable.`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`status: experimental`
			`references:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- Internal Research`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`author: Florian Roth`
			`date: 2018/10/30`
rule: extended suspicious procdump rule 2019-10-14 14:21:37 +00:00			`modified: 2019/10/14`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`tags:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- attack.defense_evasion`
			`- attack.t1036`
			`- attack.credential_access`
			`- attack.t1003`
First Pass 2019-06-14 04:15:38 +00:00			`- car.2013-05-009`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`logsource:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`category: process_creation`
			`product: windows`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`detection:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`selection1:`
			`CommandLine:`
			`- '* -ma *'`
			`selection2:`
			`CommandLine:`
remove .exe from lsass 2019-10-14 15:26:33 +00:00			`- '* lsass*'`
rule: extended suspicious procdump rule 2019-10-14 14:21:37 +00:00			`selection3:`
			`CommandLine:`
			`- '* -ma ls*'`
			`condition: ( selection1 and selection2 ) or selection3`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`falsepositives:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- Unlikely, because no one should dump an lsass process memory`
			`- Another tool that uses the command line switches of Procdump`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`level: medium`