CreateDump Process Dump

Rule name: CreateDump Process Dump

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags: Defense Evasion: Masquerading (T1036), Credential Access: OS Credential Dumping - LSASS Memory (T1003.001)

Severity: Critical

About the rule

Rule Type

Standard

Rule Description

This rule detects execution of createdump.exe, the crash-dump utility shipped with the .NET runtime, with arguments that write a memory dump of a running process (-u/--full for a full dump, -f/--name for the output path, or a .dmp file name). Because the rule also matches on the binary's original file name (FX_VER_INTERNALNAME_STR), a renamed copy is still caught. Developers and system administrators use the tool legitimately for debugging, but attackers abuse it as a Microsoft-shipped alternative to procdump to dump the memory of sensitive processes such as lsass.exe and extract credentials or other confidential data. Detecting unauthorized or suspicious use of memory dump utilities is critical for identifying credential theft attempts and post-exploitation activity.

Severity

Trouble

Rule journey

Attack chain scenario

Initial Access → Privilege Escalation → Discovery → Credential Access → Memory Dumping via createdump.exe or a similar dump utility → Lateral Movement

Impact

  • Privilege escalation
  • Credential theft
  • Lateral movement
  • Data exfiltration and persistence

Rule Requirement

Prerequisites


Using Windows Event Viewer:
To enable detailed process tracking in a domain environment, log in to a domain controller with domain admin credentials and open the Group Policy Management Console (GPMC). Create or edit a GPO linked to the target OU, then under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Detailed Tracking enable success auditing for Audit Process Creation and Audit Process Termination (Security log events 4688 and 4689). To capture command-line details, enable Include command line in process creation events under Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation; without it, event 4688 does not record the arguments this rule matches on. Additionally, create the Microsoft-Windows-Security-Auditing/Operational registry key in the specified EventLog path to support enhanced auditing.

Using Sysmon:
To enable detailed process monitoring with Sysmon, first download it from Microsoft Sysinternals. Open an elevated Command Prompt and install it with a configuration file that includes process creation tracking: sysmon64.exe -accepteula -i configfile.xml (sysmon.exe on 32-bit hosts). Ensure the configuration contains a <ProcessCreate> rule so that event ID 1 is written for every process start, including the Image, OriginalFileName, CommandLine and ParentImage fields this rule relies on. Additionally, create the Microsoft-Windows-Sysmon/Operational registry key under the EventLog path if it doesn't already exist.

Criteria

Action1: actionname = "Process started"
  AND (PROCESSNAME endswith "\createdump.exe" OR ORIGINALFILENAME = "FX_VER_INTERNALNAME_STR")
  AND (COMMANDLINE contains " -u " OR COMMANDLINE contains " --full " OR COMMANDLINE contains " -f " OR COMMANDLINE contains " --name " OR COMMANDLINE contains ".dmp")
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME

The command-line clause matches if any one of the listed tokens is present; the surrounding spaces are part of each token so that, for example, " -u " does not match inside an unrelated path. The ORIGINALFILENAME check is what keeps the rule effective when the binary has been renamed.
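The criteria above as a PowerShell filter run over constructed process-creation records, added here as an example; it is not the page's query or the rule authors' code. Field names follow Sysmon event ID 1; the hosts, users, paths and PIDs in the samples are invented, and the .NET runtime path in the third sample is an assumed install location. The fourth record uses a different dump tool and is outside the rule's scope, so it does not match.

```powershell
# Added example: the CreateDump rule's criteria as a PowerShell filter over constructed records.

# Command-line tokens from the rule; any one of them is enough.
$CliTokens = @(' -u ', ' --full ', ' -f ', ' --name ', '.dmp')

function Test-CreateDumpRule {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $img = [string]$Record.Image
        $ofn = [string]$Record.OriginalFileName
        # Pad with spaces so a flag at the very start or end of the line still matches ' -u '.
        $cli = ' ' + [string]$Record.CommandLine + ' '

        # Binary selection: image path OR the unfilled version-info placeholder createdump ships
        # with, which survives renaming the file.
        $isCreateDumpPath = $img.EndsWith('\createdump.exe', [StringComparison]::OrdinalIgnoreCase)
        $binaryMatch = $isCreateDumpPath -or ($ofn -eq 'FX_VER_INTERNALNAME_STR')

        # Argument selection, case-insensitive as Sigma 'contains' is; confirm that your SIEM's
        # 'contains' behaves the same way, otherwise '-F' or '.DMP' slips through.
        $cliMatch = $false
        foreach ($t in $CliTokens) {
            if ($cli.IndexOf($t, [StringComparison]::OrdinalIgnoreCase) -ge 0) { $cliMatch = $true; break }
        }

        if ($binaryMatch -and $cliMatch) {
            [pscustomobject]@{
                Computer    = $Record.Computer
                User        = $Record.User
                Image       = $img
                ParentImage = $Record.ParentImage
                CommandLine = $Record.CommandLine
                Renamed     = -not $isCreateDumpPath
                # createdump takes the target PID as its last positional argument; resolve it
                # against process-creation telemetry during triage to learn what was dumped.
                TargetPid   = ([string]$Record.CommandLine -split '\s+')[-1]
            }
        }
    }
}

# Constructed sample records (not real telemetry).
$samples = @(
    [pscustomobject]@{ Computer = 'WS01'; User = 'CORP\jdoe'
        ParentImage = 'C:\Windows\System32\cmd.exe'; Image = 'C:\Users\jdoe\Downloads\createdump.exe'
        OriginalFileName = 'FX_VER_INTERNALNAME_STR'; CommandLine = 'createdump.exe -u -f C:\Users\Public\l.dmp 712' }
    # Renamed copy: only the OriginalFileName branch catches it (T1036 Masquerading).
    [pscustomobject]@{ Computer = 'WS01'; User = 'CORP\jdoe'
        ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; Image = 'C:\Temp\svchost.exe'
        OriginalFileName = 'FX_VER_INTERNALNAME_STR'; CommandLine = 'svchost.exe --full --name C:\Temp\x.bin 712' }
    # Likely benign: spawned from the .NET runtime directory by a crashing .NET host (assumed path).
    # It still matches, because the rule cannot see which process is being dumped; triage on
    # ParentImage and TargetPid rather than tuning the rule away.
    [pscustomobject]@{ Computer = 'BLD01'; User = 'CORP\svc-build'
        ParentImage = 'C:\Program Files\dotnet\dotnet.exe'
        Image = 'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\createdump.exe'
        OriginalFileName = 'FX_VER_INTERNALNAME_STR'; CommandLine = 'createdump.exe --full --name C:\crash\app.dmp 5212' }
    # Different tool with similar flags: no match (a separate rule covers procdump).
    [pscustomobject]@{ Computer = 'WS02'; User = 'CORP\alice'
        ParentImage = 'C:\Windows\explorer.exe'; Image = 'C:\Tools\procdump64.exe'
        OriginalFileName = 'procdump'; CommandLine = 'procdump64.exe -ma lsass.exe C:\Temp\lsass.dmp' }
)

$samples | Test-CreateDumpRule | Format-Table -AutoSize
```

To run the same filter against live telemetry, build records with the same property names from Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } by reading Image, OriginalFileName, CommandLine, ParentImage and User out of each event's EventData, and pipe them into Test-CreateDumpRule. The Renamed and TargetPid columns are triage aids on top of the rule's own output columns, not part of the match.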

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: Masquerading (T1036),
Credential Access: OS Credential Dumping - LSASS Memory (T1003.001)

Security Standards

Enabling this rule will help you meet the security standards' requirements listed below:

PR.AC-01: Identities and credentials are managed for authorized devices and users
DE.CM-03: Unauthorized access is detected

By detecting attempts to dump memory via CreateDump, this rule enhances your ability to identify and respond to credential access techniques.

Author

Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)

Future actions

Known False Positives

Legitimate use of CreateDump.exe by system administrators, developers, or IT support teams during debugging, troubleshooting, or performance diagnostics can trigger this rule.

Next Steps

When this rule is triggered, the following measures can be implemented:

  • Identification: Determine whether the createdump.exe execution (or a renamed binary whose original file name is FX_VER_INTERNALNAME_STR) belongs to a known debugging or crash-reporting activity, or sits in a suspicious process chain, for example spawned from a shell, script host or user-writable location rather than from the .NET runtime directory.
  • Analysis: Inspect the command line. The trailing argument is the ID of the target process; resolve it against process-creation telemetry to identify what was dumped, and note the output path given with -f/--name. If the target is lsass.exe or another credential-holding process, treat the event as credential theft.
  • Response: Isolate the host, terminate the related processes, preserve the dump file for forensics before removing it, and reset the credentials of accounts that were logged on to the host.
  • Restrict createdump.exe: Restrict its execution through application control policies if it is not needed operationally, matching on hash or signer rather than file name so that renaming does not bypass the control.

Mitigation

Mitigation ID

Mitigation Name

Mitigation description

M1040

Behavior Prevention on Endpoint

On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing.

M1043

Credential Access Protection

On Windows 10, Microsoft introduced Credential Guard to protect LSA secrets that can be used for credential dumping. This feature is not configured by default and has specific hardware and firmware requirements. Note that it doesn't protect against all forms of credential dumping.

M1028

Operating System Configuration

Consider disabling or restricting NTLM and disabling WDigest authentication to reduce credential exposure.

M1027

Password Policies

Enforce complex and unique passwords for local administrator accounts across all systems in your network.

M1026

Privileged Account Management

Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.

M1025

Privileged Process Integrity

On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA to enhance security.

M1017

User Training

Train users and administrators to avoid using the same password for multiple accounts to limit credential overlap across systems.

M1049

Antivirus/Antimalware

Implement antivirus or antimalware scanning to isolate suspicious files.

M1047

Audit

Audit user accounts to ensure that each one has a defined purpose.

M1045

Code Signing

Require signed binaries.

M1038

Execution Prevention

Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed.

M1022

Restrict File and Directory Permissions

Use file system access controls to protect folders such as C:\Windows\System32.

M1018

User Account Management

Consider defining and enforcing a naming convention for user accounts to more easily spot generic account names that do not fit the typical schema.