
Procdump Execution

Sigma Rules

Summary
The rule detects execution of the Sysinternals Procdump utility, which is commonly used to dump process memory. Developers and administrators use it for legitimate debugging, but attackers also frequently employ it to extract sensitive information from the memory of running processes. The rule triggers when a process creation event records an image named 'procdump.exe' or 'procdump64.exe', which indicates potential misuse. Such misuse typically involves harvesting passwords or other sensitive data from memory, which is why the rule is associated with defense evasion tactics in attack frameworks.
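The following is an added example, not the Sigma project's rule or code: it implements the file-name match the summary describes and runs it over a few constructed process-creation events. Field names (Image, CommandLine, User, Computer, ParentImage) follow the Sysmon Event ID 1 convention as an assumption, and the optional allow-list of sanctioned tool paths is a tuning knob of this example, not part of the rule.

```python
"""Added example: minimal matcher for the 'Procdump Execution' logic.

Not the Sigma project's code. Event field names assume Sysmon Event ID 1
(process creation); the sample events below are constructed.
"""

import ntpath
from typing import Iterable, Optional

# Image file names named in the rule summary, compared case-insensitively.
PROCDUMP_IMAGE_NAMES = {"procdump.exe", "procdump64.exe"}


def is_procdump_execution(event: dict, allowed_paths: Optional[set] = None) -> bool:
    """Return True when the event's Image file name is procdump.exe or
    procdump64.exe, in any directory and any letter case.

    allowed_paths (assumed tuning knob, not part of the rule) suppresses
    matches for full image paths an organisation has sanctioned.
    """
    image = event.get("Image")
    if not image:
        return False
    # ntpath handles Windows separators regardless of the host OS.
    name = ntpath.basename(image).lower()
    if name not in PROCDUMP_IMAGE_NAMES:
        return False
    if allowed_paths and image.lower() in {p.lower() for p in allowed_paths}:
        return False
    return True


def scan_events(events: Iterable[dict], allowed_paths: Optional[set] = None) -> list:
    """Return a triage record for every event that matches the rule."""
    hits = []
    for ev in events:
        if is_procdump_execution(ev, allowed_paths):
            hits.append({
                "computer": ev.get("Computer"),
                "user": ev.get("User"),
                "image": ev.get("Image"),
                "command_line": ev.get("CommandLine"),
                "parent_image": ev.get("ParentImage"),
            })
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "ws01.corp.example", "User": "CORP\\alice",
     "Image": "C:\\Tools\\Sysinternals\\procdump64.exe",
     "CommandLine": "procdump64.exe -ma 1234 C:\\Temp\\app.dmp",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 1, "Computer": "ws01.corp.example", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "Computer": "ws02.corp.example", "User": "CORP\\bob",
     "Image": "C:\\Users\\bob\\Downloads\\ProcDump.exe",
     "CommandLine": "ProcDump.exe -ma 4321 out.dmp",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": 1, "Computer": "ws03.corp.example", "User": "CORP\\carol",
     "Image": "C:\\Program Files\\MyApp\\procdumper.exe",
     "CommandLine": "procdumper.exe --status",
     "ParentImage": "C:\\Program Files\\MyApp\\svc.exe"},
]


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"{hit['computer']} {hit['user']} {hit['image']} <- {hit['parent_image']}")
```

Running the module reports the two Procdump events (the mixed-case copy in a Downloads folder included) and ignores `procdumper.exe`, whose file name is not in the set. Because the match is on the file name alone, a copy of the binary under another name is not covered; Sysmon also records the PE's OriginalFileName, and checking that field alongside Image is the usual way to close that gap. The parent image and user in each triage record are what an analyst needs to separate a developer debugging their own service from a dump launched from an unexpected shell.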
Categories
  • Windows
  • Endpoint
  • Application
Data Sources
  • Process
  • Application Log
Created: 2021-08-16