title: Suspicious Dump64.exe Execution
id: 129966c9-de17-4334-a123-8b58172e664d
status: test
description: Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder
references:
    - https://twitter.com/mrd0x/status/1460597833917251595
author: Austin Songer @austinsonger, Florian Roth
date: 2021/11/26
modified: 2022/12/25
tags:
    - attack.credential_access
    - attack.t1003.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\dump64.exe'
    procdump_flags:
        CommandLine|contains:
            - ' -ma '
            - 'accpeteula'
    filter:
        Image|contains: '\Installer\Feedback\dump64.exe'
    condition: ( selection and not filter ) or ( selection and procdump_flags )
falsepositives:
    - Dump64.exe in other folders than the excluded one
level: high