cscli scenarios install sigmahq/proc_creation_win_sysinternals_procdump_evasion1type: trigger2name: sigmahq/proc_creation_win_sysinternals_procdump_evasion3description: |4 Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name5filter: |6 (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && (evt.Parsed.CommandLine contains 'copy procdump' || evt.Parsed.CommandLine contains 'move procdump' || evt.Parsed.CommandLine contains 'copy ' && evt.Parsed.CommandLine contains '.dmp ' && (evt.Parsed.CommandLine contains '2.dmp' || evt.Parsed.CommandLine contains 'lsass' || evt.Parsed.CommandLine contains 'out.dmp') || evt.Parsed.CommandLine contains 'copy lsass.exe_' || evt.Parsed.CommandLine contains 'move lsass.exe_')7blackhole: 2m8#status: test9labels:10 service: windows11 confidence: 112 spoofable: 013 classification:14 - attack.t103615 - attack.t1003.0011617 label: "Potential SysInternals ProcDump Evasion"18 behavior : "windows:audit"19 remediation: false2021scope:22 type: ParentProcessId23 expression: evt.Parsed.ParentProcessId2425