2022-04-06 14:01:14 +02:00
|
|
|
title: DumpMinitool Usage
|
|
|
|
|
id: dee0a7a3-f200-4112-a99b-952196d81e42
|
|
|
|
|
status: experimental
|
2023-03-06 00:39:26 +01:00
|
|
|
description: Detects the use of "DumpMinitool.exe" a tool bundled with Visual Studio and DotNTET
|
2022-04-06 14:01:14 +02:00
|
|
|
references:
|
2023-03-03 00:21:25 +01:00
|
|
|
- https://twitter.com/mrd0x/status/1511415432888131586
|
2022-04-06 14:01:14 +02:00
|
|
|
- https://twitter.com/mrd0x/status/1511489821247684615
|
2023-02-01 11:14:59 +01:00
|
|
|
author: Florian Roth (Nextron Systems)
|
2022-04-06 14:01:14 +02:00
|
|
|
date: 2022/04/06
|
2022-11-18 11:15:50 +01:00
|
|
|
modified: 2022/11/18
|
2022-04-06 14:01:14 +02:00
|
|
|
tags:
|
|
|
|
|
- attack.defense_evasion
|
|
|
|
|
- attack.t1036
|
|
|
|
|
- attack.t1003.001
|
|
|
|
|
logsource:
|
|
|
|
|
category: process_creation
|
|
|
|
|
product: windows
|
|
|
|
|
detection:
|
2022-11-18 11:15:50 +01:00
|
|
|
selection_img:
|
|
|
|
|
- Image|endswith: '\DumpMinitool.exe'
|
|
|
|
|
- OriginalFileName: 'DumpMinitool.exe'
|
|
|
|
|
selection_cli:
|
2022-04-06 14:01:14 +02:00
|
|
|
CommandLine|contains|all:
|
|
|
|
|
- ' --processId '
|
|
|
|
|
- ' --dumpType Full'
|
2022-11-18 11:15:50 +01:00
|
|
|
condition: 1 of selection_*
|
2022-04-06 14:01:14 +02:00
|
|
|
falsepositives:
|
|
|
|
|
- Unknown
|
|
|
|
|
level: medium
|
