Potential Windows Defender AV Bypass Via Dump64.EXE Rename
Detects the creation of a process whose image is named dump64.exe under a Microsoft Visual Studio folder in Program Files when that image is really ProcDump, recognised either by its OriginalFileName (the name in the PE version resource, which a plain file rename does not change) or by a ProcDump full-dump (-ma) or MiniPlus (-mp) switch on the command line. The technique, described in the referenced mrd0x tweet, relies on Windows Defender AV tolerating dump64.exe at that location: an attacker renames ProcDump to dump64.exe, copies it there and dumps LSASS memory for credential theft (ATT&CK T1003.001). The rule currently covers only ProcDump; other dump utilities can be added as further selection_tools_* selections. Two points to check before relying on it: an attacker can strip or rewrite the version resource, leaving the command-line switches as the only remaining indicator, and Sigma's startswith modifier is a literal prefix test, so the drive-less ':\Program Files' value in selection_dump only matches a full path such as C:\Program Files\... if the drive letter is accounted for, for instance by a contains match on the same value.
Sigma rule
```yaml
title: Potential Windows Defender AV Bypass Via Dump64.EXE Rename
id: 129966c9-de17-4334-a123-8b58172e664d
status: test
description: |
    Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.
    Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
references:
    - https://twitter.com/mrd0x/status/1460597833917251595
author: Austin Songer @austinsonger, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-26
modified: 2024-06-21
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_dump:
        Image|startswith: ':\Program Files'
        Image|contains: '\Microsoft Visual Studio\'
        Image|endswith: '\dump64.exe'
    selection_tools_procdump:
        - OriginalFileName: 'procdump'
        - CommandLine|contains:
              - ' -ma ' # Full Dump
              - ' -mp ' # Mini Plus
    condition: selection_dump and 1 of selection_tools_*
falsepositives:
    - Unknown
level: high
```
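To see how the detection block above behaves on concrete telemetry, here is an added example (not code from this page or from SigmaHQ): a minimal evaluator for the Sigma constructs the rule uses (the startswith, contains, endswith and all modifiers, map = AND, list = OR, and the "selection_dump and 1 of selection_tools_*" condition), run over constructed Sysmon-style process_creation events. It encodes the rule exactly as printed and, beside it, the same rule with the drive-less prefix matched by contains|all, because a full Sysmon Image value starts with a drive letter and a literal prefix test on ':\Program Files' cannot fire. The Visual Studio install path and all event values are assumed sample data.

```python
"""Added example, not code from this page or from SigmaHQ: a minimal
evaluator for the Sigma constructs this rule uses, run over constructed
Sysmon-style process_creation events."""

# Detection block transcribed from the rule as printed on the page.
RULE_DETECTION = {
    "selection_dump": {
        "Image|startswith": ":\\Program Files",
        "Image|contains": "\\Microsoft Visual Studio\\",
        "Image|endswith": "\\dump64.exe",
    },
    "selection_tools_procdump": [
        {"OriginalFileName": "procdump"},
        {"CommandLine|contains": [" -ma ", " -mp "]},  # full dump / MiniPlus
    ],
}

# Same rule with the drive-less prefix matched by contains|all instead of
# startswith: a Sysmon Image value begins with a drive letter, so a literal
# prefix test on ':\Program Files' never fires, while contains does.
DETECTION_DRIVELESS = {
    **RULE_DETECTION,
    "selection_dump": {
        "Image|contains|all": [":\\Program Files", "\\Microsoft Visual Studio\\"],
        "Image|endswith": "\\dump64.exe",
    },
}


def _match_value(actual: str, modifier, wanted: str) -> bool:
    """Sigma string matching is case-insensitive; no modifier means equality."""
    a, w = actual.lower(), wanted.lower()
    if modifier is None:
        return a == w
    if modifier == "startswith":
        return a.startswith(w)
    if modifier == "contains":
        return w in a
    if modifier == "endswith":
        return a.endswith(w)
    raise ValueError(f"unsupported modifier {modifier!r}")


def _match_field(event: dict, key: str, wanted) -> bool:
    field, *mods = key.split("|")
    actual = event.get(field)
    if actual is None:
        return False
    require_all = "all" in mods
    mods = [m for m in mods if m != "all"]
    modifier = mods[0] if mods else None
    values = wanted if isinstance(wanted, list) else [wanted]
    combine = all if require_all else any  # a list of values is OR unless |all
    return combine(_match_value(actual, modifier, v) for v in values)


def _match_selection(event: dict, selection) -> bool:
    if isinstance(selection, list):  # list of maps: OR
        return any(_match_selection(event, s) for s in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())  # map: AND


def rule_matches(event: dict, detection: dict = RULE_DETECTION) -> bool:
    """condition: selection_dump and 1 of selection_tools_*"""
    dump = _match_selection(event, detection["selection_dump"])
    tools = any(_match_selection(event, sel) for name, sel in detection.items()
                if name.startswith("selection_tools_"))
    return dump and tools


# Constructed events (not real telemetry). The path is an assumed Visual
# Studio install location; field names follow Sysmon Event ID 1.
VS_DUMP64 = r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\dump64.exe"
EVENTS = {
    # ProcDump copied in as dump64.exe; OriginalFileName comes from the PE
    # version resource, so the rename does not change it.
    "renamed_procdump": {
        "Image": VS_DUMP64, "OriginalFileName": "procdump",
        "CommandLine": f'"{VS_DUMP64}" -accepteula -ma lsass.exe lsass.dmp'},
    # Version resource stripped; only the full-dump switch gives it away.
    "stripped_versioninfo": {
        "Image": VS_DUMP64, "OriginalFileName": "-",
        "CommandLine": f'"{VS_DUMP64}" -ma 672 lsass.dmp'},
    # A different dumper dropped under the same name: not covered by this rule.
    "other_tool": {
        "Image": VS_DUMP64, "OriginalFileName": "other",
        "CommandLine": f'"{VS_DUMP64}" 672 lsass.dmp'},
    # ProcDump run from elsewhere: out of scope here (see the related rules).
    "procdump_elsewhere": {
        "Image": r"C:\Tools\procdump.exe", "OriginalFileName": "procdump",
        "CommandLine": "procdump.exe -accepteula -ma lsass.exe lsass.dmp"},
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name:22s} as printed: {rule_matches(ev)!s:5s} "
              f"contains-based: {rule_matches(ev, DETECTION_DRIVELESS)}")
```

Running the script shows that the as-printed selection_dump never fires on a C:\ path, that the contains-based variant catches both the renamed ProcDump and the version-stripped copy via its -ma switch, and that a dumper using neither indicator is missed, which is the coverage gap the rule's own description acknowledges.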
References
- https://twitter.com/mrd0x/status/1460597833917251595
Related rules
- APT31 Judgement Panda Activity
- Cred Dump Tools Dropped Files
- Credential Dumping Activity By Python Based Tool
- Credential Dumping Attempt Via WerFault
- Credential Dumping Tools Service Execution - Security