{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/process-memory/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Sysinternals ProcDump"],"_cs_severities":["medium"],"_cs_tags":["sysinternals","credential-dumping","process-memory","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eProcdump is a command-line utility from Microsoft's Sysinternals suite, designed primarily for troubleshooting application crashes by generating memory dumps of processes. While a legitimate tool used by developers and system administrators for debugging, it is also widely co-opted by malicious actors. Attackers leverage Procdump to dump the memory of sensitive processes, most notably Local Security Authority Subsystem Service (LSASS), to extract credentials such as NTLM hashes or plaintext passwords. This technique allows adversaries to bypass traditional endpoint security measures that might block direct access to LSASS or other credential-storage mechanisms. Its execution often indicates an attacker has already gained a foothold and is attempting to escalate privileges or move laterally within a compromised Windows environment.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful abuse of Procdump can lead to significant compromise. By extracting credentials from processes like LSASS, attackers gain access to legitimate user and administrative account credentials. This enables them to perform lateral movement, access restricted resources, escalate privileges, and maintain persistence within an organization's network. The primary impact is unauthorized access to sensitive data and systems, potentially leading to data exfiltration, system destruction, or deployment of further malicious payloads like ransomware. The ease with which Procdump can be used makes it a popular choice for credential dumping in targeted attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Procdump Execution\u0026quot; to your SIEM to alert on the execution of the \u003ccode\u003eprocdump.exe\u003c/code\u003e binary.\u003c/li\u003e\n\u003cli\u003eInvestigate all instances of \u003ccode\u003eprocdump.exe\u003c/code\u003e, \u003ccode\u003eprocdump64.exe\u003c/code\u003e, or \u003ccode\u003eprocdump64a.exe\u003c/code\u003e execution, especially if originating from non-standard directories or executed by non-administrative accounts.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to ensure \u003ccode\u003eprocess_creation\u003c/code\u003e events for \u003ccode\u003eprocdump.exe\u003c/code\u003e are collected and available for analysis by the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview legitimate use cases for Procdump within your environment and create baselines or whitelisting rules to reduce false positives for authorized debugging activities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T14:25:53Z","date_published":"2026-07-03T14:25:53Z","id":"https://feed.craftedsignal.io/briefs/2026-07-procdump-execution/","summary":"This brief details the detection of Procdump, a legitimate Sysinternals utility, which is frequently abused by attackers for credential dumping from sensitive processes like LSASS, enabling privilege escalation and lateral movement on Windows systems.","title":"Procdump Execution Detection","url":"https://feed.craftedsignal.io/briefs/2026-07-procdump-execution/"}],"language":"en","title":"CraftedSignal Threat Feed - Process-Memory","version":"https://jsonfeed.org/version/1.1"}