Hi @RFeyertag I would probably create BIOC rules with multiple logic:
Low Severity: Create a BIOC rule for strings64.exe containing *.dmp in its command line. (Even though the article mentions that you could do an offline strings dump, etc. Why? Obviously, if done on the box, it will create more telemetry, and more telemetry creates more detection opportunities.)
Informational Severity: Create a BIOC rule where I would monitor for a process command line containing a *.dmp in its CLI. (Produces quite a bit of noise.)
Medium Severity: Create a BIOC rule where an unsigned image created a *.dmp file (Please consider the noise in the environment before creation.)
Medium Severity: Create a BIOC rule where a tool name such as procdump*.exe or dumpit.exe, i.e. common process dump utilities, is used.
Medium Severity: Create a BIOC rule where an image signer includes Microsoft* as a keyword but the image name is not a known Microsoft utility.
Medium Severity: rundll32.exe executing comsvcs.dll
Before doing the above, baseline first:
config case_sensitive = false
| dataset = xdr_data
| filter event_type = ENUM.FILE and event_sub_type in (ENUM.FILE_CREATE_NEW,ENUM.FILE_WRITE)
| filter actor_process_image_name != null
| filter actor_process_image_name not in ("werfault.exe","System") and action_file_name = "*.dmp"
| fields _time as Time_Stamp, agent_hostname as Host, agent_ip_addresses as IP_Addr, action_file_name as Dump_Filename, actor_process_image_name as Process
Thanks
Kanwar
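The rule logic above, turned into a small matcher that runs over constructed events, as an added example that is not part of the original post. The event field names, the Microsoft-utility allow-list, the scoping of the "Microsoft signer, unknown image" rule to dump writers, and the sample events are assumptions.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed event record; field names loosely mirror the xdr_data columns in the post (assumption).
@dataclass
class Event:
    image_name: str          # actor_process_image_name
    command_line: str        # process command line
    signer: str = ""         # signature vendor; "" models an unsigned image
    created_file: str = ""   # action_file_name on a FILE_CREATE_NEW / FILE_WRITE event, else ""

RANK = {"informational": 0, "low": 1, "medium": 2}
# Hypothetical allow-list of Microsoft binaries expected to touch .dmp files; tune per environment.
KNOWN_MS_UTILITIES = {"werfault.exe", "wermgr.exe", "taskmgr.exe"}
# Writers excluded from the unsigned-dump rule, mirroring the baseline query's filter.
BASELINE_EXCLUSIONS = {"werfault.exe", "system"}
DUMP_TOOLS = ("procdump*.exe", "dumpit.exe")

def evaluate(ev: Event) -> List[Tuple[str, str]]:
    """Return every (severity, rule) pair the event matches; matching is case-insensitive."""
    img, cmd, signer = ev.image_name.lower(), ev.command_line.lower(), ev.signer.lower()
    wrote_dump = ev.created_file.lower().endswith(".dmp")
    hits = []
    if ".dmp" in cmd:
        hits.append(("informational", "dmp_in_command_line"))
        if img == "strings64.exe":
            hits.append(("low", "strings64_on_dump"))
    if wrote_dump and img not in BASELINE_EXCLUSIONS:
        if not signer:
            hits.append(("medium", "unsigned_image_wrote_dump"))
        # Assumption: the "Microsoft signer, unknown image" rule is scoped to dump writers.
        if "microsoft" in signer and img not in KNOWN_MS_UTILITIES:
            hits.append(("medium", "microsoft_signed_unknown_image_wrote_dump"))
    if any(fnmatch.fnmatch(img, pat) for pat in DUMP_TOOLS):
        hits.append(("medium", "known_dump_utility"))
    if img == "rundll32.exe" and "comsvcs.dll" in cmd:
        hits.append(("medium", "rundll32_comsvcs"))
    return hits

def highest_severity(ev: Event) -> Optional[str]:
    hits = evaluate(ev)
    return max((s for s, _ in hits), key=RANK.__getitem__) if hits else None

# Constructed sample events, not real telemetry.
SAMPLE = [
    Event("werfault.exe", "werfault.exe -u -p 4242", "Microsoft Windows", "app.exe.4242.dmp"),
    Event("procdump64.exe", "procdump64.exe -ma 612 out.dmp", "Microsoft Corporation", "out.dmp"),
    Event("rundll32.exe", "rundll32.exe comsvcs.dll ... C:\\tmp\\x.dmp", "Microsoft Windows"),
    Event("strings64.exe", "strings64.exe C:\\tmp\\x.dmp", "Microsoft Corporation"),
    Event("updater.exe", "updater.exe --silent", "", "C:\\tmp\\svc.dmp"),
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(f"{ev.image_name:15} {str(highest_severity(ev)):14} {[r for _, r in evaluate(ev)]}")
```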