title: Suspicious Use of Procdump
author: Florian Roth
date: 2021/02/02
description: Detects suspicious uses of the SysInternals Procdump utility by using
  a special command line parameter ' -ma ' and ' -accepteula' in a single step. This
  way we're also able to catch cases in which the attacker has renamed the procdump
  executable.
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    CommandLine: '* -ma *'
  SELECTION_3:
    CommandLine: '* -accepteula *'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Another tool that uses the command line switches of Procdump
- Legitimate use of procdump by a developer or administrator
id: 03795938-1387-481b-9f4c-3f6241e604fe
level: high
logsource:
  category: process_creation
  product: windows
modified: 2021/08/16
references:
- Internal Research
status: experimental
tags:
- attack.defense_evasion
- attack.t1036
- attack.t1003.001
ruletype: SIGMA