Adversaries may use shell and scripting interpreters (cmd.exe, PowerShell, wscript.exe and similar) to write process memory dumps to disk, for example a dump of a process that holds credentials, because such dumps can contain plaintext credentials, hashes and other sensitive data. Legitimate software also produces .dmp/.hdmp files when it crashes, but those are written by the crashing process or by Windows Error Reporting, not by a command shell. SOC teams should hunt for this behaviour in Microsoft Sentinel (formerly Azure Sentinel), determine the source of every dump written by an interpreter, and tune out only known administrative collection scripts.
Detection Rule
title: Potentially Suspicious DMP/HDMP File Creation
id: aba15bdd-657f-422a-bab3-ac2d2a0d6f1c
related:
    - id: 3a525307-d100-48ae-b3b9-0964699d7f97
      type: similar
status: test
description: Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
references:
    - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-07
tags:
    - attack.defense-evasion
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        TargetFilename|endswith:
            - '.dmp'
            - '.dump'
            - '.hdmp'
    condition: selection
falsepositives:
    - Some administrative PowerShell or VB scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive.
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_dump_file_susp_creation/info.yml
imFileEvent
// Only file creations; the ASIM FileEvent schema also carries access, modify, delete and rename events.
| where EventType == "FileCreated"
// The Sigma "Image" field is the process that wrote the file, which is ActingProcessName in ASIM.
// Comparing TargetFilePath against "\cmd.exe" while also requiring TargetFileName to end in ".dmp"
// can never be true at the same time, so the acting process has to be checked instead.
| where ActingProcessName endswith "\\cmd.exe" or ActingProcessName endswith "\\cscript.exe" or ActingProcessName endswith "\\mshta.exe" or ActingProcessName endswith "\\powershell.exe" or ActingProcessName endswith "\\pwsh.exe" or ActingProcessName endswith "\\wscript.exe"
// KQL endswith is case-insensitive, matching Sigma's default string semantics.
| where TargetFileName endswith ".dmp" or TargetFileName endswith ".dump" or TargetFileName endswith ".hdmp"
| project TimeGenerated, Dvc, ActorUsername, ActingProcessName, ActingProcessCommandLine, TargetFilePath
The selection only matches when the process that writes the file is one of the six interpreters listed above (cmd.exe, cscript.exe, mshta.exe, powershell.exe, pwsh.exe, wscript.exe). Tuning therefore has to key on the interpreter's command line, script path, user account, parent process or destination path; excluding other process names (svchost.exe, WerFault.exe, sqlservr.exe) changes nothing, because those events never match in the first place. Only the interpreter's built-in file operations count: cmd.exe's copy or move and PowerShell's Copy-Item or Move-Item run inside the interpreter, whereas xcopy.exe, robocopy.exe or procdump.exe write the file under their own image. A move within the same volume is a rename rather than a file creation and normally produces no FileCreate event at all.
Scenario: An administrative PowerShell or VBScript collects Windows Error Reporting crash dumps (written by default to %LOCALAPPDATA%\CrashDumps, see the referenced Microsoft documentation) and copies them to a central share for troubleshooting.
Filter/Exclusion: Allowlist the exact script path in the command line together with the service account that runs it, and require the destination to be under the known collection share; do not exclude on the interpreter name alone.
Scenario: A scheduled task runs a batch or PowerShell script that first launches a diagnostic tool and then relocates the resulting dump with copy or Copy-Item.
Filter/Exclusion: Match on the task's known command line and its parent (the Task Scheduler's svchost.exe instance), and verify the destination folder; the diagnostic tool's own write is not matched and needs no exclusion.
Scenario: A server product such as Microsoft SQL Server or Exchange writes a dump as part of its own diagnostics.
Filter/Exclusion: None needed for the product itself, since the dump is written by its own service process (for example sqlservr.exe) rather than by an interpreter; if a maintenance script later moves those dumps, tune it as in the first scenario.
Scenario: A system diagnostic tool (Windows Memory Diagnostic, Process Monitor, ProcDump) generates a DMP file for analysis. The tool writes the file under its own image, so the rule does not match it directly; it matches only if a script then copies the dump with cmd.exe or PowerShell.
Filter/Exclusion: Check for the presence of
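As an added example that is not part of the original rule or page, the following Python applies the Sigma selection above and one exclusion of the kind described in the scenarios to constructed Sysmon Event ID 11 (FileCreate) records. The script path (Collect-CrashDumps.ps1), the service account (CORP\svc-diag) and every event are made up for illustration; field names follow Sysmon/Sigma (Image, TargetFilename, CommandLine, User).

```python
"""Added example: evaluate the DMP/HDMP Sigma selection plus a tuned allowlist
over constructed Sysmon Event ID 11 records. Not from the original page."""

from dataclasses import dataclass

# Values copied from the rule's selection. Sigma string matching is
# case-insensitive by default, so everything is compared lower-cased.
SUSPICIOUS_IMAGES = ("\\cmd.exe", "\\cscript.exe", "\\mshta.exe",
                     "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe")
DUMP_EXTENSIONS = (".dmp", ".dump", ".hdmp")


@dataclass
class FileEvent:
    """Minimal Sysmon FileCreate record (constructed fields only)."""
    image: str
    target_filename: str
    command_line: str = ""
    user: str = ""
    parent_image: str = ""


def matches_sigma_selection(ev: FileEvent) -> bool:
    """Image|endswith interpreter AND TargetFilename|endswith dump extension."""
    return (ev.image.lower().endswith(SUSPICIOUS_IMAGES)
            and ev.target_filename.lower().endswith(DUMP_EXTENSIONS))


# Hypothetical allowlist for the "admin collection script" scenario: the
# exact script path in the command line AND the account that runs it.
# It deliberately does not key on the interpreter name, which would
# silence the whole rule.
ALLOWLIST = [
    {"command_line_contains": "\\scripts\\collect-crashdumps.ps1",
     "user": "corp\\svc-diag"},
]


def is_allowlisted(ev: FileEvent) -> bool:
    cl = ev.command_line.lower()
    return any(e["command_line_contains"] in cl and ev.user.lower() == e["user"]
               for e in ALLOWLIST)


def evaluate(events):
    """Return (alerts, suppressed): matching events split by the allowlist."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_sigma_selection(ev):
            continue
        (suppressed if is_allowlisted(ev) else alerts).append(ev)
    return alerts, suppressed


# Constructed sample events.
SAMPLE_EVENTS = [
    # PowerShell writing a dump into ProgramData under a user account: alert.
    FileEvent(image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              target_filename="C:\\ProgramData\\ls.dmp",
              command_line="powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\Public\\d.ps1",
              user="CORP\\jdoe"),
    # Known collection script copying a WER dump to the share: suppressed.
    FileEvent(image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              target_filename="\\\\fs01\\dumps\\outlook.exe.4242.dmp",
              command_line="powershell.exe -File C:\\Scripts\\Collect-CrashDumps.ps1",
              user="CORP\\svc-diag"),
    # WerFault writing its own dump: Image not in the list, never matches.
    FileEvent(image="C:\\Windows\\System32\\WerFault.exe",
              target_filename="C:\\Users\\jdoe\\AppData\\Local\\CrashDumps\\outlook.exe.4242.dmp"),
    # cmd.exe writing a text file: extension does not match.
    FileEvent(image="C:\\Windows\\System32\\cmd.exe", target_filename="C:\\Temp\\out.txt"),
    # cmd.exe built-in copy with an upper-case extension: still matches, alert.
    FileEvent(image="C:\\Windows\\System32\\cmd.exe",
              target_filename="C:\\Temp\\APP.HDMP",
              command_line="cmd.exe /c copy C:\\CrashDumps\\APP.HDMP C:\\Temp\\",
              user="CORP\\jdoe"),
]

if __name__ == "__main__":
    alerts, suppressed = evaluate(SAMPLE_EVENTS)
    for ev in alerts:
        print("ALERT     ", ev.user, ev.image, "->", ev.target_filename)
    for ev in suppressed:
        print("SUPPRESSED", ev.user, ev.image, "->", ev.target_filename)
```

Run stand-alone, the script reports two alerts (the user-context PowerShell dump and the cmd.exe copy) and one suppressed event (the allowlisted collection script); the WerFault and .txt events are never evaluated against the allowlist because they fail the selection first, which is the point made in the scenarios above.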