LoFP / very unlikely

Sample rules

HackTool - Dumpert Process Dumper Execution

Description

Detects the use of Dumpert, a process dumper that dumps the lsass.exe process memory.

Detection logic

condition: selection
selection:
- Hashes|contains: 09D278F9DE118EF09163C6140255C690
- CommandLine|contains: Dumpert.dll

HackTool - Inveigh Execution

Description

Detects the use of Inveigh, a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool.

Detection logic

condition: selection
selection:
- Image|endswith: \Inveigh.exe
- OriginalFileName:
  - \Inveigh.exe
  - \Inveigh.dll
- Description: Inveigh
- CommandLine|contains:
  - ' -SpooferIP'
  - ' -ReplyToIPs '
  - ' -ReplyToDomains '
  - ' -ReplyToMACs '
  - ' -SnifferIP'

HackTool - Dumpert Process Dumper Default File

Description

Detects the creation of the default dump file used by the Outflank Dumpert tool, a process dumper that dumps the lsass process memory.

Detection logic

condition: selection
selection:
  TargetFilename|endswith: dumpert.dmp