DumpMinitool Execution

    Date: 04/29/2025

    Severity: Medium

    Summary

    Detects the execution of "DumpMinitool.exe", a Microsoft utility that captures process memory dumps through the "MiniDumpWriteDump" function. The binary ships with Visual Studio test tooling, so it is a legitimate signed tool that can be abused to dump sensitive processes; the command-line keywords below (dump type Full, Mini or WithHeap) distinguish an actual dump request from other invocations.

    Indicators of Compromise (IOC) List

    Image (path suffix match):

    - '\DumpMinitool.exe'

    - '\DumpMinitool.x86.exe'

    - '\DumpMinitool.arm64.exe'

    OriginalFileName (exact match):

    - 'DumpMinitool.exe'

    - 'DumpMinitool.x86.exe'

    - 'DumpMinitool.arm64.exe'

    CommandLine (substring match; note the leading space, which avoids matching the keyword inside longer tokens):

    - ' Full'

    - ' Mini'

    - ' WithHeap'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query (Windows Security event 4688, process creation):

    ((resourcename = "Windows Security" AND eventtype = "4688") AND processname IN ("DumpMinitool.exe", "DumpMinitool.x86.exe", "DumpMinitool.arm64.exe")) AND commandline IN ("Full", "Mini", "WithHeap")

    Detection Query (EDR process telemetry):

    ((technologygroup = "EDR") AND processname IN ("DumpMinitool.exe", "DumpMinitool.x86.exe", "DumpMinitool.arm64.exe")) AND commandline IN ("Full", "Mini", "WithHeap")
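    The IOC list and the queries above, applied to constructed process-creation events as an added Python illustration (this is not Gurucul's or SigmaHQ's code, and the command lines are constructed sample values): Image is matched by path suffix, OriginalFileName exactly, and CommandLine by the space-prefixed dump-type keyword, so a renamed copy of the binary still matches on OriginalFileName while a help invocation without a dump type does not.

```python
"""Match constructed Windows 4688 / EDR process-creation events against the
DumpMinitool IOC list. Added illustration; sample events are constructed."""

# IOC values from the list above.
IMAGE_SUFFIXES = ("\\dumpminitool.exe", "\\dumpminitool.x86.exe",
                  "\\dumpminitool.arm64.exe")
ORIGINAL_NAMES = ("dumpminitool.exe", "dumpminitool.x86.exe",
                  "dumpminitool.arm64.exe")
# Leading space: matches " Full" as a separate argument, not e.g. "Fullpath".
CMDLINE_MARKERS = (" full", " mini", " withheap")


def is_dumpminitool_execution(event: dict) -> bool:
    """True when (Image ends with a listed name OR OriginalFileName equals one)
    AND the command line contains a dump-type keyword. Comparisons are
    case-insensitive, as Windows paths and file names are."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()

    name_hit = image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_NAMES
    cli_hit = any(marker in cmdline for marker in CMDLINE_MARKERS)
    return name_hit and cli_hit


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: normal invocation requesting a full dump -> alert
    {"EventID": 4688, "Image": "C:\\Tools\\DumpMinitool.exe",
     "OriginalFileName": "DumpMinitool.exe",
     "CommandLine": "DumpMinitool.exe --file out.dmp --processId 1234 --dumpType Full"},
    # 2: binary renamed on disk; OriginalFileName from the PE still matches -> alert
    {"EventID": 4688, "Image": "C:\\Tools\\svc.exe",
     "OriginalFileName": "DumpMinitool.x86.exe",
     "CommandLine": "svc.exe --file out.dmp --processId 1234 --dumpType WithHeap"},
    # 3: unrelated process with a keyword on its command line -> no alert
    {"EventID": 4688, "Image": "C:\\Windows\\System32\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe Full"},
    # 4: the tool itself without a dump-type keyword -> no alert
    {"EventID": 4688, "Image": "C:\\Tools\\DumpMinitool.exe",
     "OriginalFileName": "DumpMinitool.exe", "CommandLine": "DumpMinitool.exe --help"},
]


def matching_events(events):
    """Return the subset of events that the rule would alert on."""
    return [e for e in events if is_dumpminitool_execution(e)]


if __name__ == "__main__":
    for e in matching_events(SAMPLE_EVENTS):
        print("ALERT:", e["Image"], "|", e["CommandLine"])
```

Event 4 also shows why the space prefix matters: "DumpMinitool.exe" itself contains "mini", and without the leading space every launch of the tool would fire regardless of arguments.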

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml


    Tags

    Sigma, Threat Actor, DumpMinitool
