LoFP / administrators who rename binaries (should be investigated).

Techniques

Sample rules

Renamed ProcDump Execution

Description

Detects the execution of a renamed ProcDump executable. This is often done by attackers or malware in order to evade defensive mechanisms.

Detection logic

condition: (selection_ofn or all of selection_cli_*) and not 1 of filter_main_*
filter_main_known_names:
  Image|endswith:
  - \procdump.exe
  - \procdump64.exe
selection_cli_dump_flag:
  CommandLine|contains|windash:
  - ' -ma '
  - ' -mp '
selection_cli_eula_flag:
  CommandLine|contains|windash: ' /accepteula'
selection_ofn:
  OriginalFileName: procdump
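As an added example (not part of the LoFP page or the Sigma rule itself), the condition above evaluated in Python over constructed Sysmon-style events, showing why an administrator's renamed copy fires exactly like a malicious one; the windash handling assumes only the ASCII '-' and '/' variants.

```python
# Constructed Sysmon-style process-creation events (not from the page).
EVENTS = [
    # Unrenamed ProcDump: suppressed by filter_main_known_names.
    {"Image": r"C:\Tools\procdump64.exe", "OriginalFileName": "procdump",
     "CommandLine": "procdump64.exe -accepteula -ma 4242 app.dmp"},
    # Renamed copy in a temp directory: OriginalFileName still reveals it.
    {"Image": r"C:\Windows\Temp\svchost.exe", "OriginalFileName": "procdump",
     "CommandLine": "svchost.exe /accepteula /ma 4242 app.dmp"},
    # Admin-renamed copy (the LoFP case): indistinguishable to the rule.
    {"Image": r"C:\Admin\pd.exe", "OriginalFileName": "procdump",
     "CommandLine": "pd.exe -accepteula -mp 4242 app.dmp"},
    # Unrelated tool sharing a flag: both CLI selections must match to fire.
    {"Image": r"C:\Tools\other.exe", "OriginalFileName": "other",
     "CommandLine": "other.exe -ma report.txt"},
]

DASHES = ("-", "/")  # assumption: only ASCII '-' and '/' are modelled

def windash_variants(value):
    """Expand a search value for Sigma's 'windash' modifier so the flag
    matches whether it was typed with '-' or '/'."""
    return {value.replace("-", d).replace("/", d) for d in DASHES}

def contains_windash(field, patterns):
    hay = field.lower()  # Sigma string matching is case-insensitive
    return any(v.lower() in hay for p in patterns for v in windash_variants(p))

def endswith_any(field, suffixes):
    return any(field.lower().endswith(s.lower()) for s in suffixes)

def matches_rule(ev):
    """(selection_ofn or all of selection_cli_*) and not 1 of filter_main_*"""
    cmd = ev.get("CommandLine", "")
    selection_ofn = ev.get("OriginalFileName", "").lower() == "procdump"
    selection_cli_dump_flag = contains_windash(cmd, [" -ma ", " -mp "])
    selection_cli_eula_flag = contains_windash(cmd, [" /accepteula"])
    filter_main_known_names = endswith_any(
        ev.get("Image", ""), [r"\procdump.exe", r"\procdump64.exe"])
    selected = selection_ofn or (selection_cli_dump_flag and selection_cli_eula_flag)
    return selected and not filter_main_known_names

def alerts(events):
    """Return the Image of every event the rule would alert on."""
    return [ev["Image"] for ev in events if matches_rule(ev)]

if __name__ == "__main__":
    print(alerts(EVENTS))
```

The two alerts produced are the renamed copy under Temp and the administrator's renamed copy, which is the false positive this LoFP entry describes; triage has to separate them using context the rule does not see (who ran it, from where, and what was dumped).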