IOC: Unsigned DLL load via procdump.exe or procdump64.exe

Execute

Loads calc.dll, where the DLL exports a 'MiniDumpCallbackRoutine' function. A valid target process must be supplied, because a dump is still created.
procdump.exe -md calc.dll explorer.exe
Usecase: Performs execution of unsigned DLL.
Privileges required: User
OS: Windows 8.1 and higher, Windows Server 2012 and higher.
MITRE ATT&CK®: T1202

Loads calc.dll, where the DLL is configured to execute on DLL_PROCESS_ATTACH; the process argument can be arbitrary.
procdump.exe -md calc.dll foobar
Usecase: Performs execution of unsigned DLL.
Privileges required: User
OS: Windows 8.1 and higher, Windows Server 2012 and higher.
MITRE ATT&CK®: T1202
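Detection logic for the IOC above, as an added example that is not part of the original entry: it scans constructed process-creation records (Image plus CommandLine, in the style of Sysmon Event ID 1) for procdump.exe or procdump64.exe launched with the -md switch and reports the DLL path that would be loaded. The record field names and the sample events are assumptions made for this example.

```python
"""Flag procdump.exe / procdump64.exe invocations that use the -md switch."""
import shlex
from typing import Optional

PROCDUMP_IMAGES = {"procdump.exe", "procdump64.exe"}


def split_windows_cmdline(cmdline: str) -> list:
    # posix=False keeps backslashes in Windows paths intact and leaves
    # quoted arguments as single tokens (quotes retained).
    return shlex.split(cmdline, posix=False)


def procdump_md_dll(image: str, cmdline: str) -> Optional[str]:
    """Return the DLL path passed to -md, or None if this is not a -md run.

    Both page variants (real target process or an arbitrary argument such as
    'foobar') are caught, since the switch itself is the indicator.
    """
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in PROCDUMP_IMAGES:
        return None
    tokens = split_windows_cmdline(cmdline)
    for i, tok in enumerate(tokens):
        # Switch matching is case-insensitive; '/md' is checked defensively
        # on the assumption that the '/' prefix form is also accepted.
        if tok.lower() in ("-md", "/md") and i + 1 < len(tokens):
            return tokens[i + 1].strip('"')
    return None


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\procdump.exe",
     "CommandLine": "procdump.exe -md calc.dll explorer.exe"},
    {"Image": r"C:\Tools\procdump64.exe",
     "CommandLine": r'procdump64.exe -accepteula -MD "C:\Temp\calc.dll" foobar'},
    {"Image": r"C:\Tools\procdump.exe",            # legitimate full dump
     "CommandLine": "procdump.exe -ma explorer.exe explorer.dmp"},
    {"Image": r"C:\Windows\System32\notepad.exe",  # not procdump at all
     "CommandLine": "notepad.exe -md calc.dll"},
]


def find_suspicious(events) -> list:
    """Return (image, dll) pairs for every event matching the IOC."""
    hits = []
    for ev in events:
        dll = procdump_md_dll(ev["Image"], ev["CommandLine"])
        if dll is not None:
            hits.append((ev["Image"], dll))
    return hits


if __name__ == "__main__":
    for image, dll in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT procdump -md DLL load: {image} -> {dll}")
```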