sigmacriticalHunting

DumpStack.log Defender Evasion

Detects the use of the filename DumpStack.log to evade Microsoft Defender

Detection Query

selection:
  Image|endswith: \DumpStack.log
selection_download:
  CommandLine|contains: " -o DumpStack.log"
condition: 1 of selection*

Author

Florian Roth (Nextron Systems)

Created

2022-01-06

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://twitter.com/mrd0x/status/1479094189048713219

Tags

attack.defense-evasion

Raw Content

title: DumpStack.log Defender Evasion
id: 4f647cfa-b598-4e12-ad69-c68dd16caef8
status: test
description: Detects the use of the filename DumpStack.log to evade Microsoft Defender
references:
    - https://twitter.com/mrd0x/status/1479094189048713219
author: Florian Roth (Nextron Systems)
date: 2022-01-06
modified: 2022-06-17
tags:
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\DumpStack.log'
    selection_download:
        CommandLine|contains: ' -o DumpStack.log'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical