Potential Windows Defender AV Bypass Via Dump64.EXE Rename

Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder. Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.

Sigma rule (View on GitHub)

 1title: Potential Windows Defender AV Bypass Via Dump64.EXE Rename
 2id: 129966c9-de17-4334-a123-8b58172e664d
 3status: test
 4description: |
 5    Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.
 6    Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.    
 7references:
 8    - https://twitter.com/mrd0x/status/1460597833917251595
 9author: Austin Songer @austinsonger, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
10date: 2021/11/26
11modified: 2024/06/21
12tags:
13    - attack.credential_access
14    - attack.t1003.001
15logsource:
16    product: windows
17    category: process_creation
18detection:
19    selection_dump:
20        Image|startswith: ':\Program Files'
21        Image|contains: '\Microsoft Visual Studio\'
22        Image|endswith: '\dump64.exe'
23    selection_tools_procdump:
24        - OriginalFileName: 'procdump'
25        - CommandLine|contains:
26              - ' -ma ' # Full Dump
27              - ' -mp ' # Mini Plus
28    condition: selection_dump and 1 of selection_tools_*
29falsepositives:
30    - Unknown
31level: high

References

Related rules

to-top