LoFP / another tool that uses the command line switches of xordump

Techniques

Sample rules

HackTool - XORDump Execution

Description

Detects suspicious use of the XORDump process memory dumping utility

Detection logic

condition: selection
selection:
- Image|endswith: \xordump.exe
- CommandLine|contains:
  - ' -process lsass.exe '
  - ' -m comsvcs '
  - ' -m dbghelp '
  - ' -m dbgcore '
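As an added example (not part of the LoFP page or the Sigma rule itself), the selection above evaluated in Python over constructed Sysmon-style process-creation events. Sigma reads a list-valued selection as OR, so the helper reports which of the two items fired; that is what lets an analyst see why a binary other than xordump, one that merely reuses its switches, ends up matching. Field names follow the rule; the event dicts, image paths and tool names are constructed.

```python
# Added example: evaluate the "HackTool - XORDump Execution" selection over
# constructed events and report which selection item matched.
# The selection is a list of two maps, which Sigma evaluates as OR.
IMAGE_ENDSWITH = "\\xordump.exe"
COMMANDLINE_CONTAINS = [
    " -process lsass.exe ",
    " -m comsvcs ",
    " -m dbghelp ",
    " -m dbgcore ",
]


def evaluate(event):
    """Return the selection items that match one event (empty = no alert).

    Sigma string modifiers (endswith/contains) are case-insensitive by
    default, so both sides are lower-cased before comparison.
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    hits = []
    if image.endswith(IMAGE_ENDSWITH.lower()):
        hits.append("Image|endswith")
    if any(needle.lower() in cmdline for needle in COMMANDLINE_CONTAINS):
        hits.append("CommandLine|contains")
    return hits


# Constructed events: the tool itself, the false positive this page describes
# (a different binary that reuses xordump's switches), and a benign process.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\xordump.exe",
     "CommandLine": "xordump.exe -process lsass.exe -m comsvcs"},
    {"Image": r"C:\Tools\memtool.exe",
     "CommandLine": "memtool.exe -m comsvcs -out dump.bin"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]


def triage(events):
    """Map each image path to the selection items that matched it."""
    return {e["Image"]: evaluate(e) for e in events}


if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(hits) if hits else 'no match'}")
```

Note that every CommandLine needle carries a leading and a trailing space, so a switch placed at the very end of the command line (no trailing space) does not match; that is how the rule is written, not something the example adds.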