HackTool - XORDump Execution

Detects suspicious use of XORDump process memory dumping utility

Sigma rule (View on GitHub)

title: HackTool - XORDump Execution
id: 66e563f9-1cbd-4a22-a957-d8b7c0f44372
status: test
description: Detects suspicious use of XORDump process memory dumping utility
references:
    - https://github.com/audibleblink/xordump
author: Florian Roth (Nextron Systems)
date: 2022-01-28
modified: 2023-02-08
tags:
    - attack.defense-evasion
    - attack.t1036
    - attack.t1003.001
    - attack.credential-access
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\xordump.exe'
        - CommandLine|contains:
              - ' -process lsass.exe '
              - ' -m comsvcs '
              - ' -m dbghelp '
              - ' -m dbgcore '
    condition: selection
falsepositives:
    - Another tool that uses the command line switches of XORdump
level: high
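The following is an added example, not code from the Sigma project or this rule's author: it evaluates the rule's `selection` (two list entries, which Sigma ORs together, with case-insensitive `endswith`/`contains` modifiers) against constructed Windows process_creation events, so an analyst can see which command lines the rule catches and where the surrounding spaces in the `contains` strings leave a gap.

```python
# Added example: re-implements this rule's `selection` against constructed
# process_creation events. Sigma string modifiers match case-insensitively,
# reproduced here by lowercasing both sides.

IMAGE_SUFFIXES = ["\\xordump.exe"]
CMDLINE_SUBSTRINGS = [
    " -process lsass.exe ",
    " -m comsvcs ",
    " -m dbghelp ",
    " -m dbgcore ",
]


def matches_xordump_rule(event: dict) -> bool:
    """True if the event satisfies the rule: the Image ends with
    \\xordump.exe OR the CommandLine contains one of the switch strings."""
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    if any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES):
        return True
    return any(s.lower() in cmdline for s in CMDLINE_SUBSTRINGS)


def alerting_events(events):
    """Return the subset of events that would raise this rule."""
    return [e for e in events if matches_xordump_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Matches on Image, whatever the arguments are.
    {"Image": "C:\\Users\\Public\\XORdump.exe",
     "CommandLine": "XORdump.exe -process lsass.exe -o out.bin"},
    # Renamed binary; still matches on the ' -m comsvcs ' switch.
    {"Image": "C:\\Temp\\svc.exe",
     "CommandLine": "svc.exe -m comsvcs -process lsass.exe -o d.bin"},
    # Benign: 'dbghelp' appears, but not as the ' -m dbghelp ' switch.
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\notes\\dbghelp-notes.txt"},
    # Gap: renamed binary with 'lsass.exe' as the final argument has no
    # trailing space, so ' -process lsass.exe ' does not match.
    {"Image": "C:\\Temp\\x.exe",
     "CommandLine": "x.exe -process lsass.exe"},
]


if __name__ == "__main__":
    for e in alerting_events(SAMPLE_EVENTS):
        print("HackTool - XORDump Execution:", e["CommandLine"])
```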
