rule: DumpStack.log Defender evasion

rules/windows/process_creation/process_creation_dumpstack_log_evasion.yml

@@ -0,0 +1,22 @@
+title: DumpStack.log Defender Evasion
+id: 4f647cfa-b598-4e12-ad69-c68dd16caef8
+status: experimental
+description: Detects the use of the filename DumpStack.log to evade Microsoft Defender
+references:
+    - https://twitter.com/mrd0x/status/1479094189048713219
+tags:
+    - attack.defense_evasion
+author: Florian Roth
+date: 2022/01/06
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\DumpStack.log'
+    selection_download:
+        CommandLine: ' -o DumpStack.log'
+    condition: 1 of selection*
+falsepositives:
+    - Unknown
+level: critical