DumpStack.log Defender Evasion

Detects the use of the filename DumpStack.log to evade Microsoft Defender

Sigma rule

title: DumpStack.log Defender Evasion
id: 4f647cfa-b598-4e12-ad69-c68dd16caef8
status: test
description: Detects the use of the filename DumpStack.log to evade Microsoft Defender
references:
    - https://twitter.com/mrd0x/status/1479094189048713219
author: Florian Roth (Nextron Systems)
date: 2022/01/06
modified: 2022/06/17
tags:
    - attack.defense_evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\DumpStack.log'
    selection_download:
        CommandLine|contains: ' -o DumpStack.log'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical
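To make the rule's two selections and its "1 of selection*" condition concrete, here is a small evaluator run over constructed process_creation events. It is an added example written for this page, not code from the Sigma project or any Sigma backend; the field names Image and CommandLine come from the rule, while the event ids, paths and command lines are made up. Sigma's endswith/contains modifiers compare case-insensitively by default, which the evaluator reproduces by lower-casing both sides. The third event models a benign process that merely opens a file with that name: neither selection fires, because the Image does not end with \DumpStack.log and the command line lacks the ' -o DumpStack.log' download pattern.

```python
from typing import List

# Constructed process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {   # selection: the executed image itself is named DumpStack.log
        "Id": "evt-1",
        "Image": "C:\\Users\\alice\\Downloads\\DumpStack.log",
        "CommandLine": "\"C:\\Users\\alice\\Downloads\\DumpStack.log\"",
    },
    {   # selection_download: a download written to DumpStack.log via -o
        "Id": "evt-2",
        "Image": "C:\\Windows\\System32\\curl.exe",
        "CommandLine": "curl.exe https://example.invalid/file -o DumpStack.log",
    },
    {   # benign: an editor opening a file of that name does not match
        "Id": "evt-3",
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "CommandLine": "notepad.exe C:\\Windows\\DumpStack.log",
    },
    {   # case differences do not defeat the match (Sigma default matching)
        "Id": "evt-4",
        "Image": "C:\\Tools\\DUMPSTACK.LOG",
        "CommandLine": "DUMPSTACK.LOG --quiet",
    },
]


def matches_dumpstack_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's '1 of selection*'.

    selection          -> Image|endswith '\\DumpStack.log'
    selection_download -> CommandLine|contains ' -o DumpStack.log'
    Both comparisons are case-insensitive, matching Sigma's default.
    """
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()

    selection = image.endswith("\\dumpstack.log")
    selection_download = " -o dumpstack.log" in cmdline

    # '1 of selection*' is an OR over every selection-prefixed block.
    return selection or selection_download


def scan(events: List[dict]) -> List[str]:
    """Return the ids of all events the rule would alert on."""
    return [e["Id"] for e in events if matches_dumpstack_rule(e)]


if __name__ == "__main__":
    for evt in SAMPLE_EVENTS:
        print(evt["Id"], "ALERT" if matches_dumpstack_rule(evt) else "ok")
    print("alerts:", scan(SAMPLE_EVENTS))
```

Running the block prints an ALERT line for evt-1, evt-2 and evt-4 and "ok" for evt-3. The leading space in ' -o DumpStack.log' matters: it anchors the match to a separate -o argument rather than to any substring that happens to contain the text, and the evaluator keeps it verbatim.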
