← Back to Explore
sigmahighHunting
Potential Windows Defender AV Bypass Via Dump64.EXE Rename
Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder. Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
Detection Query
selection_dump:
Image|startswith: :\Program Files
Image|contains: \Microsoft Visual Studio\
Image|endswith: \dump64.exe
selection_tools_procdump:
- OriginalFileName: procdump
- CommandLine|contains:
- " -ma "
- " -mp "
condition: selection_dump and 1 of selection_tools_*
Author
Austin Songer @austinsonger, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Created
2021-11-26
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.credential-accessattack.t1003.001
Raw Content
title: Potential Windows Defender AV Bypass Via Dump64.EXE Rename
id: 129966c9-de17-4334-a123-8b58172e664d
status: test
description: |
Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.
Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
references:
- https://twitter.com/mrd0x/status/1460597833917251595
author: Austin Songer @austinsonger, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-26
modified: 2024-06-21
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: process_creation
detection:
selection_dump:
Image|startswith: ':\Program Files'
Image|contains: '\Microsoft Visual Studio\'
Image|endswith: '\dump64.exe'
selection_tools_procdump:
- OriginalFileName: 'procdump'
- CommandLine|contains:
- ' -ma ' # Full Dump
- ' -mp ' # Mini Plus
condition: selection_dump and 1 of selection_tools_*
falsepositives:
- Unknown
level: high