title: DumpStack.log Defender Evasion
id: 4f647cfa-b598-4e12-ad69-c68dd16caef8
status: experimental
description: Detects the use of the filename DumpStack.log to evade Microsoft Defender
references:
    - https://twitter.com/mrd0x/status/1479094189048713219
tags:
    - attack.defense_evasion
author: Florian Roth
date: 2022/01/06
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\DumpStack.log'
    selection_download:
        CommandLine: ' -o DumpStack.log'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical