From 1fad4edfcbfb8151b330d1c71d92bb76b6b8fc6a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 11 Jan 2022 09:10:05 +0100
Subject: [PATCH] refactor: minor changes to procdump rule

---
 rules/windows/process_creation/win_procdump_evasion.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_procdump_evasion.yml b/rules/windows/process_creation/win_procdump_evasion.yml
index db46376c8..6aee1bea6 100644
--- a/rules/windows/process_creation/win_procdump_evasion.yml
+++ b/rules/windows/process_creation/win_procdump_evasion.yml
@@ -1,6 +1,6 @@
 title: Procdump Evasion
 id: 79b06761-465f-4f88-9ef2-150e24d3d737
-description: Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed
+description: Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name
 status: experimental
 references:
     - https://twitter.com/mrd0x/status/1480785527901204481
@@ -29,6 +29,7 @@ detection:
     selection3:
         CommandLine|contains:
             - 'copy lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp
+            - 'move lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp
     condition: 1 of selection*
 falsepositives:
     - Cases in which procdump just gets copied to a different directory without any renaming
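Review bot: The new description line has a typo, `moved ot copied` should read `moved or copied`, and since the description is surfaced verbatim in alerts and rule catalogues it is worth fixing before the rule leaves `experimental`. The rest of the rule header (lines 7-28, including any `modified:` field) is outside this hunk, so whether the change date was updated alongside the description cannot be confirmed here.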
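Review bot: The added `'move lsass.exe_'` entry widens selection3 to dump-file moves, but the `falsepositives` entry directly below still describes only procdump itself being copied to another directory, so the documented benign cases no longer match what the selection fires on. Suggest extending it with a second item such as `- Legitimate troubleshooting in which a procdump output file is copied or moved by an administrator`, so analysts triaging a selection3 hit know the expected benign pattern. The `detection:` block begins before this hunk (selection1 and selection2 are not visible), so the note applies only to selection3 and the condition `1 of selection*` that ORs them together.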