CrashControl DedicatedDumpFile Abuse

Rule Info

Name
CrashControl DedicatedDumpFile Abuse
Author
X__Junior
Description
Detects abuse of DedicatedDumpFile, which can kill any file before boot. For this to happen, CrashDumpEnabled must have a non-zero value, so that it triggers a dump upon system reboot and redirects the dump to the value specified in DedicatedDumpFile.
Date
2025-02-11 00:00:00
Modified
None
Id
6ef53bbd-d1e7-45da-b957-35204c56c341
Tags
attack.t1564 attack.t1112
Type
Nextron Sigma feed only (private)

Rule History