From dfa7938f17a21f2d2d53d1873b02b85eaef04df8 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 7 Jan 2022 08:46:30 +0100
Subject: [PATCH] rule: DumpStack.log Defender evasion

---
 ...process_creation_dumpstack_log_evasion.yml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 rules/windows/process_creation/process_creation_dumpstack_log_evasion.yml

diff --git a/rules/windows/process_creation/process_creation_dumpstack_log_evasion.yml b/rules/windows/process_creation/process_creation_dumpstack_log_evasion.yml
new file mode 100644
index 000000000..6ca549ce4
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_dumpstack_log_evasion.yml
@@ -0,0 +1,22 @@
+title: DumpStack.log Defender Evasion
+id: 4f647cfa-b598-4e12-ad69-c68dd16caef8
+status: experimental
+description: Detects the use of the filename DumpStack.log to evade Microsoft Defender
+references:
+    - https://twitter.com/mrd0x/status/1479094189048713219
+tags:
+    - attack.defense_evasion
+author: Florian Roth
+date: 2022/01/06
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\DumpStack.log'
+    selection_download:
+        CommandLine: ' -o DumpStack.log'
+    condition: 1 of selection*
+falsepositives:
+    - Unknown
+level: critical
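Review bot: `CommandLine: ' -o DumpStack.log'` in `selection_download` carries no modifier and no wildcard, so Sigma evaluates it as an exact match against the whole CommandLine field; a real download command line will never equal that fragment, which leaves this half of the rule effectively dead. The intended substring match is `CommandLine|contains: ' -o DumpStack.log'`. The `selection` branch on `Image|endswith` is consistent with the described technique, but with `falsepositives` listed only as `Unknown`, `level: critical` is a strong claim for an experimental rule; a sentence in `description` explaining that the signal is the filename being executed or written as a download target, rather than the file merely existing, would help analysts triage hits.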