The hypothesis is that an adversary is using the Dumpert tool to dump the lsass process memory, potentially exfiltrating credentials. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to credential theft attempts early.
Detection Rule
title: HackTool - Dumpert Process Dumper Default File
id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8
related:
    - id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
      type: derived
status: test
description: Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
references:
    - https://github.com/outflanknl/Dumpert
    - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
author: Florian Roth (Nextron Systems)
date: 2020-02-04
modified: 2023-05-09
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: 'dumpert.dmp'
    condition: selection
falsepositives:
    - Very unlikely
level: critical
Azure Sentinel Query (KQL)
imFileEvent
| where TargetFileName endswith "dumpert.dmp"
Scenario: Scheduled Job for Memory Dump Analysis
Description: A system administrator schedules a job to dump memory of the lsass process for forensic analysis using the Dumpert tool as part of a security investigation.
Filter/Exclusion: process.name == "Dumpert" OR process.parent.name == "Task Scheduler" OR file.path contains "security_analysis"
Scenario: Administrative Task to Analyze lsass Memory
Description: A security team member manually runs Dumpert to extract lsass memory for analysis of potential credential theft or malware persistence.
Filter/Exclusion: process.user.name == "SecurityTeamUser" OR file.path contains "incident_response"
Scenario: Automated Security Tool Integration
Description: A third-party security tool (e.g., Microsoft Defender for Endpoint) uses Dumpert as part of its automated incident response workflow to capture lsass memory.
Filter/Exclusion: process.name contains "Microsoft Defender" OR file.path contains "endpoint_protection"
Scenario: System Maintenance Task
Description: A system maintenance script or task runs Dumpert to capture lsass memory as part of a routine security audit or compliance check.
Filter/Exclusion: process.name contains "maintenance" OR file.path contains "audit"
Scenario: Development Environment Testing
Description: A developer or DevOps engineer uses Dumpert in a test environment to simulate memory dumps for application debugging or security testing.
Filter/Exclusion: process.name contains "test" OR file.path contains "dev_env" OR host.name contains "dev"
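As an added example (not code from the original hunt page, from the Sigma rule's author, or from the Dumpert project), the following Python script evaluates the rule's selection (a file name ending in dumpert.dmp) over a handful of constructed file-event records and then applies the five exclusion filters listed above, reporting which matching records each exclusion suppresses and which remain as alerts. The record field names follow the ECS-style keys used in the filters (process.name, process.parent.name, process.user.name, file.path, host.name), with file.path standing in for the Sigma TargetFilename field; the sample records, the choice to treat the filters' `==` as an exact comparison and their `contains` as a case-insensitive substring test, and the function names are all assumptions made for this example.

```python
"""Added example (not the hunt page's, Sigma's or Dumpert's own code): run the
rule selection over constructed file-event records, then apply the page's
tuning exclusions and report which matches each one suppresses."""

# Constructed sample records. Keys mirror the ECS-style names used in the
# page's filters; file.path stands in for the Sigma TargetFilename field.
SAMPLE_EVENTS = [
    {"host.name": "WS-0142", "process.name": "unknown.exe",
     "process.parent.name": "explorer.exe", "process.user.name": "jdoe",
     "file.path": r"C:\Users\jdoe\AppData\Local\Temp\dumpert.dmp"},
    {"host.name": "dev-build01", "process.name": "dumpert.exe",
     "process.parent.name": "cmd.exe", "process.user.name": "jdoe",
     "file.path": r"C:\Temp\dumpert.dmp"},
    {"host.name": "WS-0142", "process.name": "notepad.exe",
     "process.parent.name": "explorer.exe", "process.user.name": "jdoe",
     "file.path": r"C:\Users\jdoe\Documents\notes.txt"},
    {"host.name": "SRV-DC01", "process.name": "Dumpert",
     "process.parent.name": "svchost.exe", "process.user.name": "svc_backup",
     "file.path": r"C:\Windows\Temp\dumpert.dmp"},
    {"host.name": "WS-0077", "process.name": "w.exe",
     "process.parent.name": "cmd.exe", "process.user.name": "alice",
     "file.path": r"C:\ProgramData\DUMPERT.DMP"},
]


def rule_matches(event):
    """Sigma selection TargetFilename|endswith 'dumpert.dmp'.

    Sigma string modifiers match case-insensitively, as does KQL's endswith,
    so the comparison is lower-cased here as well."""
    return event.get("file.path", "").lower().endswith("dumpert.dmp")


def _equals(event, key, value):
    # '==' in the page's filters: exact, case-sensitive comparison (assumption).
    return event.get(key) == value


def _contains(event, key, needle):
    # 'contains' in the page's filters: case-insensitive substring (assumption).
    return needle.lower() in event.get(key, "").lower()


# The five tuning scenarios from the page, transcribed as predicates.
EXCLUSIONS = {
    "Scheduled Job for Memory Dump Analysis": lambda e: (
        _equals(e, "process.name", "Dumpert")
        or _equals(e, "process.parent.name", "Task Scheduler")
        or _contains(e, "file.path", "security_analysis")),
    "Administrative Task to Analyze lsass Memory": lambda e: (
        _equals(e, "process.user.name", "SecurityTeamUser")
        or _contains(e, "file.path", "incident_response")),
    "Automated Security Tool Integration": lambda e: (
        _contains(e, "process.name", "Microsoft Defender")
        or _contains(e, "file.path", "endpoint_protection")),
    "System Maintenance Task": lambda e: (
        _contains(e, "process.name", "maintenance")
        or _contains(e, "file.path", "audit")),
    "Development Environment Testing": lambda e: (
        _contains(e, "process.name", "test")
        or _contains(e, "file.path", "dev_env")
        or _contains(e, "host.name", "dev")),
}


def hunt(events, exclusions=EXCLUSIONS):
    """Return (alert_indexes, suppressed) for the given records.

    alert_indexes lists records that match the rule and survive every
    exclusion; suppressed maps a matching record's index to the name of
    the first exclusion that removed it."""
    alerts, suppressed = [], {}
    for idx, event in enumerate(events):
        if not rule_matches(event):
            continue
        for name, predicate in exclusions.items():
            if predicate(event):
                suppressed[idx] = name
                break
        else:
            alerts.append(idx)
    return alerts, suppressed


if __name__ == "__main__":
    raw, _ = hunt(SAMPLE_EVENTS, exclusions={})
    alerts, suppressed = hunt(SAMPLE_EVENTS)
    print(f"rule matched {len(raw)} of {len(SAMPLE_EVENTS)} records: {raw}")
    for idx, name in suppressed.items():
        e = SAMPLE_EVENTS[idx]
        print(f"  suppressed #{idx} ({e['host.name']}, {e['process.name']}) by '{name}'")
    print(f"alerts remaining: {alerts}")
```

Running the script shows the rule firing on four of the five constructed records and the tuning filters removing two of those: the record whose process name is exactly Dumpert (the first scenario's filter) and the one written on a host whose name contains dev (the last scenario's filter). Listing which matches a filter suppresses, as hunt() does, is the check to run before deploying any of these exclusions in Sentinel, since a substring test on a process, file or host name applies to every record that happens to contain that substring, not only to the scenario it was written for.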