action: global
title: Dumpert Process Dumper
id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
author: Florian Roth
references:
    - https://github.com/outflanknl/Dumpert
    - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
date: 2020/02/04
modified: 2020/08/23
tags:
    - attack.credential_access
    - attack.t1003         # an old one
    - attack.t1003.001
falsepositives:
    - Very unlikely
level: critical
---
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Imphash: '09D278F9DE118EF09163C6140255C690'
    condition: selection
---
logsource:
    category: file_event
    product: windows
detection:
    selection: 
        TargetFilename: C:\Windows\Temp\dumpert.dmp
    condition: selection