Adversaries may disable crash dumps to prevent malware from generating diagnostic data that could expose their presence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential malware activity that is actively suppressing forensic evidence.
KQL Query

```kusto
imRegistry
| where RegistryKey == "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\CrashControl"
| where RegistryValue == "CrashDumpEnabled"
| where RegistryValueData == 0
| project-reorder TimeGenerated, RegistryKey, RegistryValue, RegistryValueData, Process, User, ParentProcessName
```
```yaml
id: 6cb193f3-7c6d-4b53-9153-49a09be830d7
name: Crash dump disabled on host (ASIM Version)
description: |
  'This detection looks for the prevention of crash dumps being created. This can be used to limit reporting by malware; look for suspicious processes setting this registry key.'
requiredDataConnectors: []
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1070
query: |
  imRegistry
  | where RegistryKey == "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\CrashControl"
  | where RegistryValue == "CrashDumpEnabled"
  | where RegistryValueData == 0
  | project-reorder TimeGenerated, RegistryKey, RegistryValue, RegistryValueData, Process, User, ParentProcessName
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: User
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: DvcHostname
version: 1.0.0
metadata:
  source:
    kind: Community
  author:
    name: Pete Bryan
  support:
    tier: Community
  categories:
    domains: [ "Security - Threat Protection" ]
```
| Sentinel Table | Notes |
|---|---|
| imRegistry | Ensure this data connector is enabled |
Scenario: System Maintenance Task Scheduled by Windows Task Scheduler
Description: A legitimate system maintenance task, such as a scheduled disk cleanup or system scan, may modify the registry key to disable crash dumps temporarily.
Filter/Exclusion: Exclude processes associated with Task Scheduler (e.g., schtasks.exe) or check for the presence of a scheduled task with a known maintenance purpose.
Scenario: Windows Update or Patching Process
Description: During a Windows update or patching operation, the system may temporarily disable crash dumps to prevent interference with the update process.
Filter/Exclusion: Exclude processes related to Windows Update (e.g., wusa.exe, setup.exe) or check for the presence of an active Windows update session.
Scenario: Security Software Configuration (e.g., Windows Defender, ESET, Bitdefender)
Description: Some security tools may disable crash dumps as part of their configuration to prevent malware from generating dumps or to enhance system performance.
Filter/Exclusion: Exclude processes associated with known security software (e.g., MsMpEng.exe, esetmfe.exe, bdagent.exe) or check for the presence of a security tool’s configuration file.
Scenario: System Restore or System Image Backup
Description: During a system restore or backup operation, the system may modify registry settings, including crash dump configurations, to ensure consistency.
Filter/Exclusion: Exclude processes related to System Restore (e.g., sr.msc, rstrui.exe) or check for the presence of a system restore point or backup operation.
Scenario: Manual Registry Edit by an Administrator
Description: An administrator may manually edit the registry to disable crash dumps for troubleshooting or performance tuning purposes.
Filter/Exclusion: Exclude processes with elevated privileges (
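As an added illustration that is not part of the original rule or Pete Bryan's code, the following Python replays the rule's logic over constructed imRegistry-style events and applies a process exclusion list of the kind the false-positive scenarios above describe. The process names, sample events, and the normalisation of string-typed RegistryValueData (some connectors log "0" or Sysmon-style "DWORD (0x00000000)" rather than an integer) are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Key and value name the KQL rule matches on (taken from the page).
CRASH_CONTROL_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl"
TARGET_VALUE = "CrashDumpEnabled"
# Hypothetical tuning list from the false-positive scenarios; a name-only allowlist is weak, review each entry.
BENIGN_PROCESS_NAMES = frozenset({"msmpeng.exe", "wusa.exe", "rstrui.exe"})

@dataclass
class RegistryEvent:
    """Subset of the imRegistry columns the rule projects."""
    TimeGenerated: str
    RegistryKey: str
    RegistryValue: str
    RegistryValueData: object  # int, or a string such as "0" / "DWORD (0x00000000)"
    Process: str
    User: str

def value_data_as_int(raw):
    """Normalise RegistryValueData (int, "0", "0x0", "DWORD (0x00000000)"); None if no number."""
    if isinstance(raw, int):
        return raw
    m = re.search(r"0x[0-9a-fA-F]+|\d+", str(raw))
    if not m:
        return None
    return int(m.group(0), 16) if m.group(0).lower().startswith("0x") else int(m.group(0))

def process_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_crash_dump_disabled(events, exclusions=frozenset()):
    """Mirror of the KQL: key and value name match, data == 0, minus excluded processes."""
    return [ev for ev in events
            if ev.RegistryKey.lower() == CRASH_CONTROL_KEY.lower()
            and ev.RegistryValue.lower() == TARGET_VALUE.lower()
            and value_data_as_int(ev.RegistryValueData) == 0
            and process_name(ev.Process) not in exclusions]

SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    RegistryEvent("2024-01-01T10:00:00Z", CRASH_CONTROL_KEY, TARGET_VALUE,
                  "DWORD (0x00000000)", r"C:\Users\Public\svc_update.exe", "CORP\\jdoe"),
    RegistryEvent("2024-01-01T10:05:00Z", CRASH_CONTROL_KEY, TARGET_VALUE,
                  0, r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe", "SYSTEM"),
    RegistryEvent("2024-01-01T10:10:00Z", CRASH_CONTROL_KEY, TARGET_VALUE,
                  "7", r"C:\Windows\System32\reg.exe", "CORP\\admin"),  # 7 = automatic dump, still enabled
    RegistryEvent("2024-01-01T10:15:00Z", CRASH_CONTROL_KEY, "AutoReboot",
                  "0", r"C:\Windows\System32\reg.exe", "CORP\\admin"),  # different value name
]
```

Running the detector without exclusions flags both the unknown binary and Defender's engine; with the tuning list only the unknown binary remains, which is the alert worth an analyst's time.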