Florian Roth
28 lines
889 B
YAML
28 lines
889 B
YAML
title: Suspicious Dump64.exe Execution
|
|
id: 129966c9-de17-4334-a123-8b58172e664d
|
|
description: Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder
|
|
status: experimental
|
|
author: Austin Songer @austinsonger, Florian Roth
|
|
date: 2021/11/26
|
|
references:
|
|
- https://twitter.com/mrd0x/status/1460597833917251595
|
|
logsource:
|
|
product: windows
|
|
category: process_creation
|
|
detection:
|
|
selection:
|
|
Image|endswith: '\dump64.exe'
|
|
procdump_flags:
|
|
CommandLine|contains:
|
|
- ' -ma '
|
|
- 'accpeteula'
|
|
filter:
|
|
Image|contains: '\Installer\Feedback\dump64.exe'
|
|
condition: ( selection and not filter ) or ( selection and procdump_flags )
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.t1003.001
|
|
falsepositives:
|
|
- Dump64.exe in other folders than the excluded one
|
|
level: high
|