Dump64.exe

Memory dump tool that comes with Microsoft Visual Studio

Paths

• C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe

Commands

Dump

Creates a memory dump of the LSASS process.

Use case: Create memory dump and parse it offline to retrieve credentials.

Privileges: Administrator

dump64.exe {PID} out.dmp

Detection

• Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml
• IOC: As a Windows SDK binary, execution on a system may be suspicious

Resources

• https://twitter.com/mrd0x/status/1460597833917251595