Detectionhightest
Potential Windows Defender AV Bypass Via Dump64.EXE Rename
Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder. Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Austin Songer, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)Created Fri Nov 26Updated Fri Jun 21129966c9-de17-4334-a123-8b58172e664dwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic2 selectors
detection:
selection_dump:
Image|startswith: ':\Program Files'
Image|contains: '\Microsoft Visual Studio\'
Image|endswith: '\dump64.exe'
selection_tools_procdump:
- OriginalFileName: 'procdump'
- CommandLine|contains:
- ' -ma ' # Full Dump
- ' -mp ' # Mini Plus
condition: selection_dump and 1 of selection_tools_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
References
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
129966c9-de17-4334-a123-8b58172e664d
Status
test
Level
high
Type
Detection
Created
Fri Nov 26
Modified
Fri Jun 21
Path
rules/windows/process_creation/proc_creation_win_dump64_defender_av_bypass_rename.yml
Raw Tags
attack.credential-accessattack.t1003.001