.. /Dump64.exe
Star

Memory dump tool that comes with Microsoft Visual Studio

Paths:

C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe

Resources:

https://twitter.com/mrd0x/status/1460597833917251595

Acknowledgements:

mr.d0x (@mrd0x)

Detections:

Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml
IOC: As a Windows SDK binary, execution on a system may be suspicious

Dump

Creates a memory dump of the LSASS process.
```
dump64.exe <pid> out.dmp
```
Use case
Create memory dump and parse it offline to retrieve credentials.

Privileges required
Administrator

Operating systems
Windows 10, Windows 11

ATT&CK® technique
T1003.001