HackTool - Dumpert Process Dumper Default File

Detects the creation of the default dump file written by the Outflank Dumpert tool, a process dumper that dumps the memory of the LSASS process. The rule matches on the file name only (a `file_event` whose target path ends in `dumpert.dmp`), so it catches the tool's default output but not a build that has been modified to write a different file name.

Sigma rule (View on GitHub)

title: HackTool - Dumpert Process Dumper Default File
id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8
related:
    - id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
      type: derived
status: test
description: Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
references:
    - https://github.com/outflanknl/Dumpert
    - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
author: Florian Roth (Nextron Systems)
date: 2020/02/04
modified: 2023/05/09
tags:
    - attack.credential_access
    - attack.t1003.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: 'dumpert.dmp'
    condition: selection
falsepositives:
    - Very unlikely
level: critical
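
The following is an added example, not part of the Sigma project or of the rule above: it implements the rule's single selection (`TargetFilename|endswith: 'dumpert.dmp'`) in Python and runs it over a few constructed Sysmon Event ID 11 (FileCreate) records. Sigma string modifiers compare case-insensitively unless the `cased` modifier is used, so the check lowercases the path first. The sample paths, image names and the helper names `matches_dumpert_dump` and `run_rule` are assumptions made for the example.

```python
"""Added example (not the Sigma project's code): apply the rule's selection,
TargetFilename|endswith 'dumpert.dmp', to constructed Sysmon FileCreate records."""

from typing import Iterable

# Values taken from the rule above.
RULE_ID = "93d94efc-d7ad-4161-ad7d-1638c4f908d8"
RULE_LEVEL = "critical"
SUFFIX = "dumpert.dmp"


def matches_dumpert_dump(event: dict) -> bool:
    """Return True when a file_event record matches the rule's selection.

    Sigma's |endswith is case-insensitive by default, so both sides are
    lowercased before the comparison.
    """
    target = event.get("TargetFilename")
    if not isinstance(target, str):
        return False
    return target.lower().endswith(SUFFIX)


def run_rule(events: Iterable[dict]) -> list[dict]:
    """Return the records the rule would alert on, tagged with rule id and level."""
    hits = []
    for event in events:
        if matches_dumpert_dump(event):
            hits.append({**event, "rule_id": RULE_ID, "level": RULE_LEVEL})
    return hits


# Constructed sample records shaped like Sysmon Event ID 11 fields; the paths
# and process names are assumptions for this example, not captured telemetry.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\alice\Desktop\Outflank-Dumpert.exe",
     "TargetFilename": r"C:\Windows\Temp\dumpert.dmp"},          # default name: alert
    {"EventID": 11, "Image": r"C:\Users\alice\Desktop\Outflank-Dumpert.exe",
     "TargetFilename": r"C:\Windows\Temp\DUMPERT.DMP"},          # case variant: alert
    {"EventID": 11, "Image": r"C:\Program Files\Vendor\updater.exe",
     "TargetFilename": r"C:\ProgramData\Vendor\update.dmp"},     # unrelated dump: no alert
    {"EventID": 11, "Image": r"C:\Users\alice\Desktop\Outflank-Dumpert.exe",
     "TargetFilename": r"C:\Windows\Temp\report.dmp"},           # renamed output: evades this rule
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"[{hit['level']}] {hit['rule_id']} {hit['Image']} -> {hit['TargetFilename']}")
```

The fourth record shows the rule's limit: a Dumpert build that writes its dump under a different name produces no match here, which is why the rule is marked as derived from the related rule listed in its `related` field rather than being relied on alone.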
