From 8f8b977c858f9ae083bfbdbfa633d76a9cc2f2a7 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 4 Feb 2020 22:38:06 +0100
Subject: [PATCH] rule: dumpert process dump tool
---
 rules/windows/sysmon/sysmon_hack_dumpert.yml | 22 ++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_hack_dumpert.yml
diff --git a/rules/windows/sysmon/sysmon_hack_dumpert.yml b/rules/windows/sysmon/sysmon_hack_dumpert.yml
new file mode 100644
index 000000000..24d5cdad0
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_hack_dumpert.yml
@@ -0,0 +1,22 @@
+title: Dumpert Process Dumper
+id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
+description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
+author: Florian Roth
+references:
+ - https://github.com/outflanknl/Dumpert
+ - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
+date: 2020/02/04
+tags:
+ - attack.credential_access
+ - attack.t1003
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 13
+ TargetFilename: C:\Windows\Temp\dumpert.dmp
+ condition: selection
+falsepositives:
+ - Very unlikely
+level: critical
\ No newline at end of file
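Review bot: The selection pairs `EventID: 13` with a `TargetFilename` field, but Sysmon Event ID 13 is the registry value-set event and its records carry no TargetFilename, while file creation is Event ID 11, so as written the selection cannot match anything; the line should read `EventID: 11`. The TargetFilename value is the tool's default output path, so the rule's coverage is limited to that default and the description should say so, e.g. `description: Detects the Dumpert process dumper writing its default output file, a dump of lsass.exe process memory`. The YAML nesting under detection is not recoverable from this rendering, so the indentation of selection, EventID, TargetFilename and condition should be verified after the EventID change.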