LOLBAS/yml/OtherMSBinaries/Procdump.yml

---
Name: Procdump.exe
Description: SysInternals Memory Dump Tool
Aliases:
  - Alias: Procdump64.exe
Author: 'Alfie Champion (@ajpc500)'
Created: 2020-10-14
Commands:
  - Command: procdump.exe -md calc.dll explorer.exe
    Description: Loads calc.dll where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created.
    Usecase: Performs execution of unsigned DLL.
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher
    Tags:
      - Execute: DLL
  - Command: procdump.exe -md calc.dll foobar
    Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary.
    Usecase: Performs execution of unsigned DLL.
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher
    Tags:
      - Execute: DLL
Full_Path:
  - Path: no default
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml
  - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_procdump.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
  - IOC: Process creation with given '-md' parameter
  - IOC: Anomalous child processes of procdump
  - IOC: Unsigned DLL load via procdump.exe or procdump64.exe
Resources:
  - Link: https://twitter.com/ajpc500/status/1448588362382778372?s=20
Acknowledgement:
  - Person: Alfie Champion
    Handle: '@ajpc500'
Adding more missed-out entries 2021-12-15 12:46:04 +01:00			`---`
Prep for new yamllint 2022-09-16 13:29:26 +02:00			`Name: Procdump.exe`
Adding more missed-out entries 2021-12-15 12:46:04 +01:00			`Description: SysInternals Memory Dump Tool`
Prep for new yamllint 2022-09-16 13:29:26 +02:00			`Aliases:`
			`- Alias: Procdump64.exe`
Adding more missed-out entries 2021-12-15 12:46:04 +01:00			`Author: 'Alfie Champion (@ajpc500)'`
			`Created: 2020-10-14`
			`Commands:`
			`- Command: procdump.exe -md calc.dll explorer.exe`
			`Description: Loads calc.dll where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created.`
			`Usecase: Performs execution of unsigned DLL.`
			`Category: Execute`
			`Privileges: User`
			`MitreID: T1202`
Adding tags (closes #9, #318) (#362) * Adding various tags as a first iteration * Adding quotes * Adding 'Custom Format' properly * Updating to key:value pairs * Update template 2024-04-03 17:53:36 +02:00			`OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher`
			`Tags:`
			`- Execute: DLL`
Adding more missed-out entries 2021-12-15 12:46:04 +01:00			`- Command: procdump.exe -md calc.dll foobar`
			`Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary.`
			`Usecase: Performs execution of unsigned DLL.`
			`Category: Execute`
			`Privileges: User`
			`MitreID: T1202`
Adding tags (closes #9, #318) (#362) * Adding various tags as a first iteration * Adding quotes * Adding 'Custom Format' properly * Updating to key:value pairs * Update template 2024-04-03 17:53:36 +02:00			`OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher`
			`Tags:`
			`- Execute: DLL`
Prep for new yamllint 2022-09-16 13:29:26 +02:00			`Full_Path:`
			`- Path: no default`
Adding more missed-out entries 2021-12-15 12:46:04 +01:00			`Detection:`
$frack113$ Update SigmaHQ ref (#301) Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> 2023-06-19 23:40:24 +02:00			`- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml`
$frack113$ Update old sigma link (#303) * Update SigmaHQ ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHQ ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHq ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHq ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> --------- Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> 2023-10-18 17:30:34 +02:00			`- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml`
Adding more missed-out entries 2021-12-15 12:46:04 +01:00			`- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_procdump.yml`
			`- Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml`
			`- IOC: Process creation with given '-md' parameter`
			`- IOC: Anomalous child processes of procdump`
			`- IOC: Unsigned DLL load via procdump.exe or procdump64.exe`
			`Resources:`
			`- Link: https://twitter.com/ajpc500/status/1448588362382778372?s=20`
			`Acknowledgement:`
Prep for new yamllint 2022-09-16 13:29:26 +02:00			`- Person: Alfie Champion`
Adding more missed-out entries 2021-12-15 12:46:04 +01:00			`Handle: '@ajpc500'`