Procdump.exe

SysInternals Memory Dump Tool

Paths

• no default

Commands

Execute

Loads the specified DLL where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created.

Use case: Performs execution of unsigned DLL.

Privileges: User

procdump.exe -md {PATH:.dll} explorer.exe

Execute

Loads the specified DLL where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary.

Use case: Performs execution of unsigned DLL.

Privileges: User

procdump.exe -md {PATH:.dll} foobar

Detection

• Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml
• Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml
• Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_procdump.yml
• Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
• IOC: Process creation with given '-md' parameter
• IOC: Anomalous child processes of procdump
• IOC: Unsigned DLL load via procdump.exe or procdump64.exe

Resources

• https://twitter.com/ajpc500/status/1448588362382778372?s=20