Merge pull request #2326 from austinsonger/win_lolbas_dump64.yml

process_creation_win_lolbas_dump64.yml

rules/windows/process_creation/process_creation_win_lolbas_dump64.yml

@@ -0,0 +1,27 @@
+title: Suspicious Dump64.exe Execution 
+id: 129966c9-de17-4334-a123-8b58172e664d
+description: Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder
+status: experimental
+author: Austin Songer @austinsonger, Florian Roth
+date: 2021/11/26
+references:
+    - https://twitter.com/mrd0x/status/1460597833917251595
+logsource:
+      product: windows
+      category: process_creation
+detection: 
+    selection:
+        Image|endswith: '\dump64.exe'
+    procdump_flags:
+        CommandLine|contains:
+            - ' -ma '
+            - 'accpeteula'
+    filter:
+        Image|contains: '\Installer\Feedback\dump64.exe'
+    condition: ( selection and not filter ) or ( selection and procdump_flags )
+tags:
+    - attack.credential_access
+    - attack.t1003.001
+falsepositives:
+    - Dump64.exe in other folders than the excluded one
+level: high