ルール更新 (#224)

rules/sigma/process_creation/process_creation_hack_dumpert.yml

@@ -0,0 +1,28 @@
+
+title: Dumpert Process Dumper
+author: Florian Roth
+date: 2020/02/04
+description: Detects the use of Dumpert process dumper, which dumps the lsass.exe
+  process memory
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    Imphash: 09D278F9DE118EF09163C6140255C690
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Very unlikely
+id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
+level: critical
+logsource:
+  category: process_creation
+  product: windows
+modified: 2021/09/21
+references:
+- https://github.com/outflanknl/Dumpert
+- https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001