.. /Createdump.exe
Star

Microsoft .NET Runtime Crash Dump Generator (included in .NET Core)

Paths:

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
C:\Program Files\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
C:\Program Files (x86)\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe

Resources:

Acknowledgements:

bopin (@bopin2020)

Detection:

Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml
Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml
IOC: createdump.exe process with a command line containing the lsass.exe process id

Dump

Dump process by PID and create a minidump file. If "-f dump.dmp" is not specified, the file is created as '%TEMP%\dump.%p.dmp' where %p is the PID of the target process.
```
createdump.exe -n -f dump.dmp [PID]
```
Use case
Dump process memory contents using PID.

Privileges required
SYSTEM

Operating systems
Windows 10, Windows 11

ATT&CK® technique
T1003