HackTool - Dumpert Process Dumper Default File

Aug 12, 2024 · attack.credential-access attack.t1003.001 ·

Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory

Sigma rule (View on GitHub)

 1title: HackTool - Dumpert Process Dumper Default File
 2id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8
 3related:
 4    - id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
 5      type: derived
 6status: test
 7description: Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
 8references:
 9    - https://github.com/outflanknl/Dumpert
10    - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
11author: Florian Roth (Nextron Systems)
12date: 2020-02-04
13modified: 2023-05-09
14tags:
15    - attack.credential-access
16    - attack.t1003.001
17logsource:
18    category: file_event
19    product: windows
20detection:
21    selection:
22        TargetFilename|endswith: 'dumpert.dmp'
23    condition: selection
24falsepositives:
25    - Very unlikely
26level: critical

References

GitHub - outflanknl/Dumpert: LSASS memory dumper using direct system calls and API unhooking.

LSASS memory dumper using direct system calls and API unhooking. - outflanknl/Dumpert

Read More
Actors Still Exploiting SharePoint Vulnerability to Attack Middle East Government Organizations

Threat actors are found continuing to exploit SharePoint Vulnerability CVE-2019-0604 to attack Middle Eastern Governments

Read More

HackTool - Dumpert Process Dumper Default File

Sigma rule (View on GitHub)

References

GitHub - outflanknl/Dumpert: LSASS memory dumper using direct system calls and API unhooking.

Actors Still Exploiting SharePoint Vulnerability to Attack Middle East Government Organizations

Related rules