.. /Createdump.exe
Star

Dump

Microsoft .NET Runtime Crash Dump Generator (included in .NET Core)

Paths:

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
C:\Program Files\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
C:\Program Files (x86)\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe

Resources:

Acknowledgements:

bopin (@bopin2020)

Detection:

Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml
Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml
IOC: createdump.exe process with a command line containing the lsass.exe process id

Dump

Dump process by PID and create a minidump file. If "-f dump.dmp" is not specified, the file is created as '%TEMP%\dump.%p.dmp' where %p is the PID of the target process.

createdump.exe -n -f dump.dmp [PID]

Usecase: Dump process memory contents using PID.
Privileges required: SYSTEM
OS: Windows 10, Windows 11
MITRE ATT&CK®: T1003

.. /Createdump.exe Star

Dump

.. /Createdump.exe
Star