Suspicious DumpMinitool Execution
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
|---|---|---|---|---|
| Suspicious DumpMinitool Execution | Standard | Windows | Defense Evasion: Masquerading (T1036); Credential Access: OS Credential Dumping - LSASS Memory (T1003.001) | Trouble |
About the rule
Rule Type
Standard
Rule Description
DumpMinitool.exe is a legitimate utility often used for troubleshooting or collecting process memory dumps for diagnostic purposes. However, attackers may abuse this process to capture sensitive data, such as credentials or encryption keys, from system memory. Malicious or unauthorized execution can facilitate credential theft, privilege escalation, or exfiltration of in-memory secrets. This rule is designed to detect suspicious or anomalous invocations of DumpMinitool.exe, such as executions by non-administrative users, use of uncommon command-line switches, dumping of protected processes, or file writes to unauthorized directories.
Severity
Trouble
Rule journey
Attack chain scenario
Initial access → Privilege escalation → Execution of DumpMinitool.exe → Credential or memory data theft → Impact
Impact
- Defense evasion
- Theft of credentials and other sensitive memory-resident data
- Privilege escalation
- Data exfiltration
- Preparation for further attacks
Rule Requirement
Prerequisites
Use the Group Policy Management Console to audit process creation and process termination.
Install Sysmon from Microsoft Sysinternals and download the Sysmon configuration file that includes process creation monitoring. Add network connection events to the configuration file to monitor all network activity.
Create a new registry key "Microsoft-Windows-Sysmon/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\" if not already created.
Criteria
Action1: actionname = "Process started" AND (PROCESSNAME endswith "\DumpMinitool.exe,\DumpMinitool.x86.exe,\DumpMinitool.arm64.exe" OR ORIGINALFILENAME = "DumpMinitool.exe,DumpMinitool.x86.exe,DumpMinitool.arm64.exe") AND (PROCESSNAME notcontains "\Microsoft Visual Studio\,\Extensions" OR COMMANDLINE contains ".txt" OR (COMMANDLINE contains " Full, Mini, WithHeap" AND COMMANDLINE notcontains "--dumpType")) select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
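The Criteria above, expressed as a small Python detector run over constructed process-creation events (added example, not the product's own rule engine). It assumes the list values in the rule are alternatives (the Sigma convention, so an image passes the path filter if it contains either fragment) and that field names mirror the rule's PROCESSNAME, ORIGINALFILENAME and COMMANDLINE.

```python
import ntpath
from dataclasses import dataclass

# Image names / OriginalFileName values taken from the rule's Criteria.
DUMPMINITOOL_NAMES = ("dumpminitool.exe", "dumpminitool.x86.exe", "dumpminitool.arm64.exe")
# Legitimate install-path fragments; either one satisfies the filter (assumed list semantics).
TRUSTED_PATH_FRAGMENTS = ("\\microsoft visual studio\\", "\\extensions\\")
# Dump-type words that are only expected right after the --dumpType switch.
DUMP_TYPE_WORDS = (" full", " mini", " withheap")


@dataclass
class ProcessEvent:
    """One 'Process started' record (Sysmon Event ID 1 style); fields mirror the rule."""
    hostname: str
    username: str
    process_name: str        # PROCESSNAME: full image path
    original_file_name: str  # ORIGINALFILENAME from the PE version resource
    command_line: str        # COMMANDLINE

def is_dumpminitool(ev):
    """Action1 image match: by image name OR OriginalFileName, so a renamed copy still matches."""
    return (ntpath.basename(ev.process_name).lower() in DUMPMINITOOL_NAMES
            or ev.original_file_name.lower() in DUMPMINITOOL_NAMES)

def suspicious_reasons(ev):
    """Return the Criteria clauses the event satisfies; an empty list means no alert."""
    if not is_dumpminitool(ev):
        return []
    path, cmd = ev.process_name.lower(), ev.command_line.lower()
    reasons = []
    if not any(frag in path for frag in TRUSTED_PATH_FRAGMENTS):
        reasons.append("image outside the Visual Studio / Extensions install path")
    if ".txt" in cmd:
        reasons.append("command line references a .txt file")
    if any(w in cmd for w in DUMP_TYPE_WORDS) and "--dumptype" not in cmd:
        reasons.append("dump type given without the --dumpType switch")
    return reasons

# Constructed sample events (not real telemetry): a normal Visual Studio run, an
# out-of-place copy writing a ".txt", and a renamed copy caught via OriginalFileName.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "CORP\\dev1", "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\Extensions\\TestPlatform\\Extensions\\DumpMinitool.exe",
                 "DumpMinitool.exe", "DumpMinitool.exe --file C:\\dumps\\test.dmp --processId 4120 --dumpType Full"),
    ProcessEvent("WS02", "CORP\\svc_print", "C:\\Users\\Public\\DumpMinitool.exe", "DumpMinitool.exe",
                 "DumpMinitool.exe --file C:\\Users\\Public\\notes.txt --processId 624 Full"),
    ProcessEvent("WS03", "CORP\\helpdesk", "C:\\Temp\\svchost.exe", "DumpMinitool.exe",
                 "svchost.exe --file C:\\Temp\\1.dmp --processId 624 --dumpType Mini"),
]
```

Running `suspicious_reasons` over `SAMPLE_EVENTS` clears the first event and flags the other two, which is the triage order an analyst would follow: image path first, then the command line.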
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Defense Evasion: Masquerading (T1036); Credential Access: OS Credential Dumping - LSASS Memory (T1003.001)
Security Standards
Enabling this rule will help you meet the security standard requirement listed below:
DE.CM-01: Networks and network services are monitored to find potentially adverse events.
When this rule is triggered, you’re notified of a suspicious execution of DumpMinitool.exe, such as use of unauthorized switches, attempts to dump protected processes, or memory collections initiated by untrusted accounts. This enables you to review process usage, analyze user context and command-line activity, and promptly identify potential abuse of this tool.
Author
Florian Roth (Nextron Systems)
Future actions
Known False Positives
This rule may trigger during legitimate diagnostic or troubleshooting sessions, especially by IT or support staff, or when corporate memory-dump tools are scheduled to run. Review the user account, process context, and details of the memory dump task to assess legitimacy and compliance with organizational procedures.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the flagged event is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connections and terminate the malicious process.
- Reconfiguration: Update allowlists and detection rules for legitimate usage, review audit logs for prior suspicious use, and monitor for repeated or related events.
Mitigation
| Mitigation ID | Mitigation Name | Mitigation description |
|---|---|---|
| M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. (Citation: win10_asr) |
| M1043 | Credential Access Protection | With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. It also does not protect against all forms of credential dumping. (Citation: TechNet Credential Guard) (Citation: GitHub SHB Credential Guard) |
| M1028 | Operating System Configuration | Consider disabling or restricting NTLM. (Citation: Microsoft Disable NTLM Nov 2012) Consider disabling WDigest authentication. (Citation: Microsoft WDigest Mit) |
| M1027 | Password Policies | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
| M1026 | Privileged Account Management | Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. |
| M1025 | Privileged Process Integrity | On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA. (Citation: Microsoft LSA) |
| M1017 | User Training | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
| M1049 | Antivirus/Antimalware | Anti-virus can be used to automatically quarantine suspicious files. |
| M1047 | Audit | Audit user accounts to ensure that each one has a defined purpose. |
| M1045 | Code Signing | Require signed binaries. |
| M1038 | Execution Prevention | Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed. |
| M1022 | Restrict File and Directory Permissions | Use file system access controls to protect folders such as C:\Windows\System32. |
| M1018 | User Account Management | Consider defining and enforcing a naming convention for user accounts to more easily spot generic account names that do not fit the typical schema. |