HackTool - Dumpert Process Dumper Execution

Feb 4, 2023 · attack.credential_access attack.t1003.001 ·

Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory

Sigma rule (View on GitHub)

 1title: HackTool - Dumpert Process Dumper Execution
 2id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
 3status: test
 4description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
 5references:
 6    - https://github.com/outflanknl/Dumpert
 7    - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
 8author: Florian Roth (Nextron Systems)
 9date: 2020/02/04
10modified: 2023/02/04
11tags:
12    - attack.credential_access
13    - attack.t1003.001
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        - Hashes|contains: '09D278F9DE118EF09163C6140255C690'
20        - CommandLine|contains: 'Dumpert.dll'
21    condition: selection
22falsepositives:
23    - Very unlikely
24level: critical

References

GitHub - outflanknl/Dumpert: LSASS memory dumper using direct system calls and API unhooking.

LSASS memory dumper using direct system calls and API unhooking. - outflanknl/Dumpert

Read More
Actors Still Exploiting SharePoint Vulnerability to Attack Middle East Government Organizations

Threat actors are found continuing to exploit SharePoint Vulnerability CVE-2019-0604 to attack Middle Eastern Governments

Read More

HackTool - Dumpert Process Dumper Execution

Sigma rule (View on GitHub)

References

GitHub - outflanknl/Dumpert: LSASS memory dumper using direct system calls and API unhooking.

Actors Still Exploiting SharePoint Vulnerability to Attack Middle East Government Organizations

Related rules