LoFP / rare legitimate files with similar filename structure

Techniques

• t1003
• t1003.001

Sample rules

HackTool - SafetyKatz Dump Indicator

• source: sigma
• technicques:
  • t1003
  • t1003.001

Description

Detects default lsass dump filename generated by SafetyKatz.

Detection logic

condition: selection
selection:
  TargetFilename|endswith: \Temp\debug.bin