HackTool - XORDump Execution

Detects suspicious use of XORDump process memory dumping utility

Sigma rule

title: HackTool - XORDump Execution
id: 66e563f9-1cbd-4a22-a957-d8b7c0f44372
status: test
description: Detects suspicious use of XORDump process memory dumping utility
references:
    - https://github.com/audibleblink/xordump
author: Florian Roth (Nextron Systems)
date: 2022-01-28
modified: 2023-02-08
tags:
    - attack.defense-evasion
    - attack.t1036
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\xordump.exe'
        - CommandLine|contains:
              - ' -process lsass.exe '
              - ' -m comsvcs '
              - ' -m dbghelp '
              - ' -m dbgcore '
    condition: selection
falsepositives:
    - Another tool that uses the command line switches of XORdump
level: high
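As an added example (not code from the Sigma project or from XORDump), the selection logic of the rule above implemented in Python and run over constructed process_creation events. The field names and string lists are copied from the rule; the OR between list items and case-insensitive matching follow Sigma's semantics, and the sample events are constructed.

```python
"""Evaluate the XORDump Sigma rule's selection against sample process_creation events."""

# Field values copied from the Sigma rule above
IMAGE_SUFFIXES = ["\\xordump.exe"]
CMDLINE_SUBSTRINGS = [
    " -process lsass.exe ",
    " -m comsvcs ",
    " -m dbghelp ",
    " -m dbgcore ",
]


def matches_xordump_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's `selection`.

    A Sigma selection written as a list of maps is an OR between the list
    items, and string modifiers such as `endswith`/`contains` match
    case-insensitively, so both sides are lower-cased before comparison.
    """
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    if any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES):
        return True
    return any(sub.lower() in cmdline for sub in CMDLINE_SUBSTRINGS)


def alerting_events(events):
    """Return the subset of events that would raise this rule."""
    return [e for e in events if matches_xordump_rule(e)]


# Constructed sample events (not taken from any real incident)
SAMPLE_EVENTS = [
    # Original binary name: caught by the Image clause
    {"Image": "C:\\Users\\a\\Desktop\\XORDump.exe",
     "CommandLine": "XORDump.exe -process lsass.exe -out lsass.dmp"},
    # Renamed binary (attack.t1036): still caught by the CommandLine clause
    {"Image": "C:\\Temp\\renamed.exe",
     "CommandLine": "renamed.exe -process lsass.exe -m comsvcs "},
    # Benign process: no match
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for e in alerting_events(SAMPLE_EVENTS):
        print("ALERT:", e["Image"], "|", e["CommandLine"])
```

Note that the rule's substrings carry a leading and trailing space, so a command line ending in `-process lsass.exe` with no trailing character does not match that clause; the assertions below cover that edge case.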
