HackTool - CreateMiniDump Execution

Date: 11/26/2024

Severity: High

Summary

Detects execution of the CreateMiniDump hack tool, which dumps the memory of the LSASS process so that credentials can be extracted from the dump on the attacker's machine.

Indicators of Compromise (IOC) List

Image:

'\CreateMiniDump.exe'

Hashes:

'IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f'


Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

Detection Query 1:

(resourcename = "Windows Security" AND eventtype = "4688") AND (processname like "CreateMiniDump.exe" OR newprocessname like "CreateMiniDump.exe")

Detection Query 2:

(technologygroup = "EDR") AND (processname like "CreateMiniDump.exe" OR newprocessname like "CreateMiniDump.exe")

Detection Query 3:

md5hash IN ("4a07f944a83e8a7c2525efa35dd30e2f")
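The following is an added example, not Gurucul's code and not part of the referenced Sigma rule. It applies the two detection ideas on this page, the image name and the import hash, to a handful of constructed process-creation records. Field names are assumed to follow Sysmon Event ID 1 (Image, Hashes) and Security Event ID 4688 (NewProcessName); every record, path and hash value except the page's IMPHASH IOC is made up. Note that the IOC is an import hash (IMPHASH), computed over a PE's import table, and is not the file's MD5, so the example compares it against the IMPHASH entry of the Hashes field rather than the MD5 entry.

```python
"""Added example (not Gurucul's code): evaluate the CreateMiniDump IOCs from this
page over constructed process-creation records.  Field names assume Sysmon
Event ID 1 (Image, Hashes) and Security 4688 (NewProcessName); all records and
all hash values other than the page's IMPHASH IOC are constructed."""
from typing import Dict, List

# IOCs taken from this page.
IOC_IMAGE_SUFFIX = "\\createminidump.exe"          # compared case-insensitively
IOC_IMPHASH = "4a07f944a83e8a7c2525efa35dd30e2f"   # import hash, NOT an MD5 of the file

# Constructed sample events; paths and the MD5/SHA256 values are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1",
     "Image": "C:\\Users\\alice\\Downloads\\CreateMiniDump.exe",
     "Hashes": "MD5=" + "1" * 32 + ",SHA256=" + "1" * 64
               + ",IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F"},
    {"EventID": "1",
     "Image": "C:\\Temp\\update.exe",   # same import table under another file name
     "Hashes": "MD5=" + "2" * 32 + ",IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f"},
    {"EventID": "4688",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe"},   # 4688 carries no hashes
    {"EventID": "1",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "Hashes": "MD5=" + "3" * 32 + ",IMPHASH=" + "f" * 32},
]


def parse_hashes(field: str) -> Dict[str, str]:
    """Split a Sysmon-style 'ALG=value,ALG=value' string into {ALG: value}.
    Algorithm names are upper-cased and values lower-cased so that lookups
    are case-insensitive."""
    parsed: Dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            alg, value = part.split("=", 1)
            parsed[alg.strip().upper()] = value.strip().lower()
    return parsed


def process_path(event: Dict[str, str]) -> str:
    """Return the executable path from either a Sysmon or a 4688 record."""
    return event.get("Image") or event.get("NewProcessName") or ""


def image_name_matches(event: Dict[str, str]) -> bool:
    """Detection Query 1/2 logic: the process path ends in \\CreateMiniDump.exe."""
    return process_path(event).lower().endswith(IOC_IMAGE_SUFFIX)


def imphash_matches(event: Dict[str, str]) -> bool:
    """Hash IOC logic: the IMPHASH entry of the Hashes field equals the IOC.
    The MD5 entry is deliberately ignored; an import hash is computed over the
    PE import table and never equals the file's MD5."""
    return parse_hashes(event.get("Hashes", "")).get("IMPHASH") == IOC_IMPHASH


def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one alert per event that matches at least one IOC, listing why."""
    alerts: List[Dict[str, object]] = []
    for event in events:
        reasons = []
        if image_name_matches(event):
            reasons.append("image_name")
        if imphash_matches(event):
            reasons.append("imphash")
        if reasons:
            alerts.append({"event_id": event.get("EventID"),
                           "path": process_path(event),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Running the script produces two alerts: the first record matches on both the image name and the import hash, while the second matches on the import hash alone, which is why the reference Sigma rule pairs the file name with the IMPHASH rather than relying on the name by itself.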


Reference:

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml


Tags

Malware, Sigma, HackTool, CreateMiniDump
