Potentially Suspicious DMP/HDMP File Creation

Severity: medium
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.

Event coverage

Provider	Event ID	Title
Sysmon	11	FileCreate

Stages and Predicates

Stage 1: `selection`

or:
Image|endswith: '\cmd.exe'
Image|endswith: '\cscript.exe'
Image|endswith: '\mshta.exe'
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'
Image|endswith: '\wscript.exe'
or:
TargetFilename|endswith: .dmp
TargetFilename|endswith: .dump
TargetFilename|endswith: .hdmp

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	ends_with	`\cmd.exe` corpus 92 (sigma 92) `\cscript.exe` corpus 64 (sigma 64) `\mshta.exe` corpus 57 (sigma 57) `\powershell.exe` corpus 143 (sigma 143) `\pwsh.exe` corpus 140 (sigma 140) `\wscript.exe` corpus 64 (sigma 64)
`TargetFilename`	ends_with	`.dmp` corpus 3 (sigma 3) `.dump` `.hdmp`

Potentially Suspicious DMP/HDMP File Creation

Event coverage

Stages and Predicates

Stage 1: selection

Indicators

Stage 1: `selection`