DumpStack.log Defender Evasion

Aug 12, 2024 · attack.defense-evasion ·

Detects the use of the filename DumpStack.log to evade Microsoft Defender

Sigma rule (View on GitHub)

 1title: DumpStack.log Defender Evasion
 2id: 4f647cfa-b598-4e12-ad69-c68dd16caef8
 3status: test
 4description: Detects the use of the filename DumpStack.log to evade Microsoft Defender
 5references:
 6    - https://twitter.com/mrd0x/status/1479094189048713219
 7author: Florian Roth (Nextron Systems)
 8date: 2022-01-06
 9modified: 2022-06-17
10tags:
11    - attack.defense-evasion
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection:
17        Image|endswith: '\DumpStack.log'
18    selection_download:
19        CommandLine|contains: ' -o DumpStack.log'
20    condition: 1 of selection*
21falsepositives:
22    - Unknown
23level: critical

References

x.com

Read More

Related rules

AD Object WriteDAC Access
ADS Zone.Identifier Deleted By Uncommon Application
AMSI Bypass Pattern Assembly GetType
APT PRIVATELOG Image Load Pattern
APT27 - Emissary Panda Activity

DumpStack.log Defender Evasion

Sigma rule (View on GitHub)

References

x.com

Related rules