HackTool - Dumpert Process Dumper Default File
Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
Sigma rule (View on GitHub)
1title: HackTool - Dumpert Process Dumper Default File
2id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8
3related:
4 - id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
5 type: derived
6status: test
7description: Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
8references:
9 - https://github.com/outflanknl/Dumpert
10 - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
11author: Florian Roth (Nextron Systems)
12date: 2020/02/04
13modified: 2023/05/09
14tags:
15 - attack.credential_access
16 - attack.t1003.001
17logsource:
18 category: file_event
19 product: windows
20detection:
21 selection:
22 TargetFilename|endswith: 'dumpert.dmp'
23 condition: selection
24falsepositives:
25 - Very unlikely
26level: critical
References
Related rules
- Abnormal LSASS Child and Parent Process Relationships (RedCanary Threat Detection Report)
- Abnormal LSASS Process Access and Injection (RedCanary Threat Detection Report)
- LSASS Running Under Non-Privileged User Context (RedCanary Threat Detection Report)
- Rundll32 Dumping Credentials with MiniDump Function (RedCanary Threat Detection Report)
- Process Memory Dump via RdrLeakDiag.EXE