Techniques
Sample rules
Suspicious Dump64.exe Execution
- source: sigma
- techniques:
  - t1003
  - t1003.001
Description
Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder
Detection logic
selection:
  Image|endswith: '\dump64.exe'
filter:
  Image|contains: '\Installer\Feedback\dump64.exe'
procdump_flags:
  CommandLine|contains:
    - ' -ma '
    - 'accepteula'
condition: (selection and not filter) or (selection and procdump_flags)
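The condition above, evaluated over constructed Windows process-creation events, as an added example that is not part of the rule or of the Sigma project. Field names (Image, CommandLine) follow Sigma's Windows process_creation log source; the sample events and their paths are constructed, and Sigma's default case-insensitive string matching is assumed.

```python
# Added example: evaluates the "Suspicious Dump64.exe Execution" Sigma logic
# over constructed process-creation events (not real telemetry).

# Sigma string modifiers match case-insensitively, so both sides are lower-cased.
def _endswith(value, suffix):
    return value.lower().endswith(suffix.lower())

def _contains(value, needle):
    return needle.lower() in value.lower()

def selection(event):
    # selection: Image|endswith: '\dump64.exe'
    return _endswith(event.get("Image", ""), "\\dump64.exe")

def filter_legit_path(event):
    # filter: Image|contains: '\Installer\Feedback\dump64.exe' (the trusted VS location)
    return _contains(event.get("Image", ""), "\\Installer\\Feedback\\dump64.exe")

def procdump_flags(event):
    # procdump_flags: CommandLine|contains any of ' -ma ', 'accepteula' (a list is OR)
    cmd = event.get("CommandLine", "")
    return any(_contains(cmd, v) for v in (" -ma ", "accepteula"))

def matches(event):
    # condition: (selection and not filter) or (selection and procdump_flags)
    sel = selection(event)
    return (sel and not filter_legit_path(event)) or (sel and procdump_flags(event))

# Constructed sample events (paths and command lines are made up for illustration).
SAMPLE_EVENTS = [
    # 1: dump64.exe in its expected folder, no ProcDump-style flags -> no alert
    {"Image": r"C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe" 1234'},
    # 2: dump64.exe running from a user-writable folder -> alert (selection and not filter)
    {"Image": r"C:\Users\Public\dump64.exe",
     "CommandLine": r"dump64.exe -ma 4321 out.dmp"},
    # 3: renamed tool placed in the trusted folder but carrying ProcDump flags -> alert
    {"Image": r"C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe",
     "CommandLine": r"dump64.exe -accepteula -ma 4321 out.dmp"},
    # 4: unrelated process -> no alert
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

def evaluate(events=SAMPLE_EVENTS):
    """Return the 1-based indices of events that trigger the rule."""
    return [i for i, e in enumerate(events, 1) if matches(e)]

if __name__ == "__main__":
    print("alerting events:", evaluate())  # alerting events: [2, 3]
```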