From 535e2d149b0cef33af1fa4890ca2d41c4864e7a1 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 4 Feb 2020 22:46:16 +0100
Subject: [PATCH] rule: improved dumpert rule

---
 rules/windows/sysmon/sysmon_hack_dumpert.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/rules/windows/sysmon/sysmon_hack_dumpert.yml b/rules/windows/sysmon/sysmon_hack_dumpert.yml
index 24d5cdad0..7611b00c0 100644
--- a/rules/windows/sysmon/sysmon_hack_dumpert.yml
+++ b/rules/windows/sysmon/sysmon_hack_dumpert.yml
@@ -13,10 +13,13 @@ logsource:
     product: windows
     service: sysmon
 detection:
-    selection:
+    selection1:
         EventID: 13
         TargetFilename: C:\Windows\Temp\dumpert.dmp
-    condition: selection
+    selection2:
+        EventID: 1
+        Imphash: '09D278F9DE118EF09163C6140255C690'
+    condition: 1 of them
 falsepositives:
     - Very unlikely
 level: critical
\ No newline at end of file
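Review bot: The renamed `selection1` still pairs `EventID: 13` with `TargetFilename`, which looks inconsistent: Sysmon Event ID 13 is the registry value-set event and carries the path in `TargetObject`, while `TargetFilename` belongs to the file-creation event (ID 11), so this selection is unlikely ever to match and the new `1 of them` condition effectively reduces the rule to the Imphash branch. The `EventID: 13` line is hunk context rather than part of this change, but since the commit is retitling and re-wiring that selection it seems the right moment to correct it to `EventID: 11` (or confirm against the Sysmon schema if ID 13 was intentional). It may also be worth a comment on `selection2` noting that an Imphash match is specific to one build of the tool and a recompilation will not trigger it, so `selection1` remains the broader of the two branches.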