title: Dumpert Process Dumper
id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
status: experimental
description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
author: Florian Roth
references:
    - https://github.com/outflanknl/Dumpert
    - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
date: 2020/02/04
modified: 2021/12/08
tags:
    - attack.credential_access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Hashes|contains: '09D278F9DE118EF09163C6140255C690'
    condition: selection
falsepositives:
    - Very unlikely
level: critical