Techniques
Sample rules
HackTool - Dumpert Process Dumper Default File
- source: sigma
- techniques:
- t1003
- t1003.001
Description
Detects the creation of the default dump file used by the Outflank Dumpert tool, a process dumper that dumps the memory of the lsass process.
Detection logic
condition: selection
selection:
  TargetFilename|endswith: dumpert.dmp
HackTool - Dumpert Process Dumper Execution
- source: sigma
- techniques:
- t1003
- t1003.001
Description
Detects the use of the Dumpert process dumper, which dumps the memory of the lsass.exe process.
Detection logic
condition: selection
selection:
  - Hashes|contains: 09D278F9DE118EF09163C6140255C690
  - CommandLine|contains: Dumpert.dll
HackTool - Inveigh Execution
- source: sigma
- techniques:
- t1003
- t1003.001
Description
Detects the use of Inveigh, a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool.
Detection logic
condition: selection
selection:
  - Image|endswith: \Inveigh.exe
  - OriginalFileName:
      - \Inveigh.exe
      - \Inveigh.dll
  - Description: Inveigh
  - CommandLine|contains:
      - ' -SpooferIP'
      - ' -ReplyToIPs '
      - ' -ReplyToDomains '
      - ' -ReplyToMACs '
      - ' -SnifferIP'