rule: dumpert process dump tool

rules/windows/sysmon/sysmon_hack_dumpert.yml

@@ -0,0 +1,22 @@
+title: Dumpert Process Dumper
+id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
+description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
+author: Florian Roth
+references:
+    - https://github.com/outflanknl/Dumpert
+    - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
+date: 2020/02/04
+tags:
+    - attack.credential_access
+    - attack.t1003
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 13
+        TargetFilename: C:\Windows\Temp\dumpert.dmp
+    condition: selection
+falsepositives:
+    - Very unlikely
+level: critical