Suspicious Dump64.exe Execution
Detects execution of dump64.exe outside the Visual Studio installer feedback folder that the rule excludes, and dump64.exe in any location (including that folder) when it is invoked with ProcDump-style flags (' -ma ' or 'accepteula'). The rule's reference describes a Defender bypass in which a dumping tool is renamed to dump64.exe and placed in that Visual Studio folder; the legitimate dump64.exe in that folder, run without those flags, does not match.
Sigma rule (View on GitHub)
title: Suspicious Dump64.exe Execution
id: 129966c9-de17-4334-a123-8b58172e664d
status: test
description: Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder
references:
    - https://twitter.com/mrd0x/status/1460597833917251595
author: Austin Songer @austinsonger, Florian Roth
date: 2021/11/26
modified: 2023/03/24
tags:
    - attack.credential_access
    - attack.t1003.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\dump64.exe'
    procdump_flags:
        CommandLine|contains:
            - ' -ma '
            - 'accepteula'
    filter:
        Image|contains: '\Installer\Feedback\dump64.exe'
    condition: ( selection and not filter ) or ( selection and procdump_flags )
falsepositives:
    - Dump64.exe in other folders than the excluded one
level: high
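The following is an added example, not code from the Sigma project or from this rule's authors: a small Python evaluator that applies the rule's selection, procdump_flags and filter blocks and its condition to constructed process_creation events. The event records, paths and command lines are made up for the test and are not real telemetry. It shows which events fire, that string matching is case-insensitive as in Sigma, that the leading backslash in '\dump64.exe' keeps procdump64.exe from matching, and a blind spot of the rule: a renamed ProcDump in the excluded folder run with a dump flag other than -ma (ProcDump's -mp, for example) and without accepteula on the command line does not match.

```python
"""Evaluate the 'Suspicious Dump64.exe Execution' Sigma logic over sample events.

Field names (Image, CommandLine) follow the Sigma process_creation log source.
Sigma string modifiers (endswith, contains) are case-insensitive, so both sides
are lowercased before comparison.
"""

# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    # 0: the real Visual Studio dump64.exe, no ProcDump flags -> must not alert
    {"Image": r"C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe",
     "CommandLine": "dump64.exe"},
    # 1: renamed ProcDump in the excluded folder, ProcDump flags present -> alert
    {"Image": r"C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe",
     "CommandLine": r"dump64.exe -accepteula -ma lsass.exe C:\temp\lsass.dmp"},
    # 2: dump64.exe outside the excluded folder, no flags -> alert
    {"Image": r"C:\Users\Public\dump64.exe", "CommandLine": "dump64.exe"},
    # 3: upper-case image name outside the folder -> alert (matching is case-insensitive)
    {"Image": r"C:\Windows\Temp\DUMP64.EXE", "CommandLine": "DUMP64.EXE -ma 624 out.dmp"},
    # 4: procdump64.exe ends with 'dump64.exe' but not '\dump64.exe' -> no alert
    {"Image": r"C:\Tools\procdump64.exe", "CommandLine": "procdump64.exe -ma lsass.exe"},
    # 5: renamed ProcDump in the excluded folder using -mp, EULA already accepted -> no alert (blind spot)
    {"Image": r"C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe",
     "CommandLine": r"dump64.exe -mp lsass.exe C:\temp\lsass.dmp"},
]


def _ci_endswith(value: str, suffix: str) -> bool:
    """Sigma '|endswith' semantics: case-insensitive suffix match."""
    return value.lower().endswith(suffix.lower())


def _ci_contains(value: str, needle: str) -> bool:
    """Sigma '|contains' semantics: case-insensitive substring match."""
    return needle.lower() in value.lower()


def selection(event: dict) -> bool:
    """selection: Image|endswith '\\dump64.exe'."""
    return _ci_endswith(event.get("Image", ""), r"\dump64.exe")


def procdump_flags(event: dict) -> bool:
    """procdump_flags: CommandLine|contains any of ' -ma ', 'accepteula'."""
    cmdline = event.get("CommandLine", "")
    return any(_ci_contains(cmdline, s) for s in (" -ma ", "accepteula"))


def excluded_folder(event: dict) -> bool:
    """filter: Image|contains '\\Installer\\Feedback\\dump64.exe'."""
    return _ci_contains(event.get("Image", ""), r"\Installer\Feedback\dump64.exe")


def matches(event: dict) -> bool:
    """condition: ( selection and not filter ) or ( selection and procdump_flags )."""
    sel = selection(event)
    return (sel and not excluded_folder(event)) or (sel and procdump_flags(event))


def evaluate(events: list) -> list:
    """Return the indexes of the events that satisfy the rule condition."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(f"event {i}: alert={matches(ev)}  Image={ev['Image']}")
    print("alerting events:", evaluate(SAMPLE_EVENTS))
```

Events 1, 2 and 3 alert; event 5 is the case a practitioner should note: the filter suppresses the excluded folder unless one of the two command-line strings is present, so a rule tuned only on ' -ma ' and 'accepteula' misses other ProcDump dump modes there. Pairing this rule with a detection on LSASS process access (Sysmon event ID 10) closes that gap independently of the image name.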