Skip to content

Hide Navigation Hide TOC

Potential Windows Defender AV Bypass Via Dump64.EXE Rename (129966c9-de17-4334-a123-8b58172e664d)

Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder. Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.

Cluster A Galaxy A Cluster B Galaxy B Level
Potential Windows Defender AV Bypass Via Dump64.EXE Rename (129966c9-de17-4334-a123-8b58172e664d) Sigma-Rules LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 1
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2